Chapter 21 covers the topics of assessing vulnerabilities of security designs and vulnerabilities in web based systems, as well as identifying security controls in development environments and applying secure coding guidelines.

Last summer I spent about a month studying for and getting my Certified Information Systems Security Professional (CISSP) certification from ISC2. I went about studying for the test a few ways:

• I used the PocketPrep app
• I attended a study bootcamp
• I did a bunch of practice tests

And finally…

• I got the ISC2 CISSP official study guide - I read it cover to cover, and highlighted and annotated the entire thing.

Twitter (@MrThomasRayner) told me there is interest in seeing my study notes. So, here we go! Welcome to my 21 part series on the takeaways and crucial points from each chapter in the ISC2 CISSP official study guide. To be clear, this isn’t a replacement for all those other study methods I mentioned above. This is just a supplement. This also isn’t everything you need to know for the test. This is just what I feel are the most important points.

It’s important to remember that while many of these terms and phrases have different meanings in different contexts, the definitions I’m providing below are the ones that are relevant in the CISSP exam. Your own training or experience may tell you that a definition is incorrect or invalid, but if you want to get the exam questions right, you’ll have to know them as they’re defined in the books and study material.

The CISSP exam is often said to be “a mile wide but only an inch deep” which means you need to know a little bit about a lot of stuff. Accordingly, these posts contain a lot of points and while you might not be questioned on all of them, you could be questioned on any of them. It’s important to have a good grip on every chapter in its entirety.

Previous Chapters

• Chapter 1: Security Governance Through Principles and Policies
• Chapter 2: Personnel Security and Risk Management Concepts
• Chapter 3: Business Continuity Planning
• Chapter 4: Laws, Regulations, and Compliance
• Chapter 5: Protecting Security of Assets
• Chapter 6: Cryptography and Symmetric Key Algorithms
• Chapter 7: PKI and Cryptographic Applications
• Chapter 8: Principles of Security, Models, Design, and Capabilities
• Chapter 9: Security Vulnerabilities, Threats, and Countermeasures
• Chapter 10: Physical Security Requirements
• Chapter 11: Secure Network Architecture and Securing Network Components
• Chapter 12: Secure Communications and Network Attacks
• Chapter 13: Managing Identity and Authentication
• Chapter 14: Controlling and Monitoring Access
• Chapter 15: Security Assessment and Testing
• Chapter 16: Managing Security Operations
• Chapter 17: Preventing and Responding to Incidents
• Chapter 18: Disaster Recovery Planning
• Chapter 19: Investigations and Ethics
• Chapter 20: Software Devlopment Security

Chapter 21 - Malicious Code and Application Attacks

My key takeaways and crucial points

Malicious Code

• Script kiddie - malicious individual who doesn’t understand the technology behind vulnerabilities, but downloads and launches ready to use tools. Often located in countries with weak law enforcement, use malware to steal money and identities.
• Advanced persistent threat - APT, sophisticated adversaries with advanced technical skills and financial resources. Often military units or intelligence agencies, and have access to zero day exploits.
• Virus - two main functions, propagation and destruction
  • Propagation techniques
    • Master boot record - attack bootable media
    • File infector - ending in .exe or .com, alter code of executables
    • Macro - leverage scripting functionality of other software
    • Service injection - inject into trusted runtimes like explorer.exe
• Antivirus mechanisms
  • Signature based detection - database of characteristics that indentify viruses
  • Eradicate virues
  • Quarantine - isolate but not remove
  • Require frequent updates
  • Heuristic - examines the behavior of software to look for bad behavior
• Multipartite virus - uses more than one propagation technique
• Stealth virus - tampers witht he OS to fool antivirus into thinking everything is fine
• Polymorphic virus - modifies their own code from system to system
• Encrypted virus - similar to polymorphic
• Hoax - nuisance and wasted resources
• Logic bomb - lies dormant until triggered by one or more met conditions like time, a program launch, etc.
• Trojan horse - software that appears benevolent but carries a malicious payload
• Ransomware - encrypts files and demands payment in exchange for the decryption key
• Worms - propagates themselves without requiring human intervention
• Code red worm - summer of 2001, attached unpatched Microsoft IIS servers
• Stuxnet - mid 2010, attached unprotected administrative shares and used zero day vulnerabilities to specifically attach systems used in the production of material for nuclear weapons
• Spyware - monitors your actions
• Adware - shows you advertisements
• Zero day attack - the necessary delay between discovery of a new type of malicious code and the isuance of patches creates a window for zero day attacks

Password Attacks

• Passowrd guessing - attackers simply attempt to guess the user’s password
• Dictionary attacks - tools like John the Ripper take a list of possible passowrds and run an encryption function against them to see which one matches an encrypted password
• Rainbow table - pre-calculated list of known plaintext and its encrypted value, used to decrease time taken to do dictionary attacks
• Social engineering
  • Tricking a user into sharing sensitive information like their password
  • Spear phishing - specifically targetted at an individual
  • Whaling - subset of spear phishing sent to high value targets
  • Vishing - phishing over voice communications
  • Dumpster diving - attackers go through trash to look for sensitive informati9on
• Users should choose strong passwords and keep them a secret

Application Attacks

• Buffer overflows - devs don’t properly validate user input, and input that is too large can overflow a data structure to affect other data stored in memory.
• Time of check/time of use - timing vulnerability where a program checks access permissions to far in advance of a resource request
• Back door - undocumented sequences that allow individuals to bypass normal access restrictions

Web Application Security

• Cross site scripting - XSS, when web apps contain some kind of reflected input. User input is embedded in the site and can be used to perform malicious activities.
• Cross site request forgery - XSRF/CSRF, similar to cross site scripting, but exploit a trust relationship. Exploit the trust a remote site has in a user’s system to execute commands on the user’s behalf, often when users are logged into multiple websites at the same time in one browser window.
• SQL injection - poorly santitized input contains SQL commands which are executed. Combat by using prepared statements, validating user input, and limiting account privileges.

Reconnaissance Attacks

• Reconnaissance - Attackers find weak points in targets to attack.
• IP probes - automated tools that attempt to ping addresses in a range.
• Port scans - probe all the active systems on a network and determine what services are running on each machine.
• Vulnerability scans - discovery specific vulnerabilities in a system.

Masquerading Attacks

• Impersonation of someone who does not have the appropriate access permissions.
• IP spoofing - an attacker reconfigures their system to make it look like they haev an IP address of a trusted system.
• Session hijacking - an attacker intercepts part of the commmunication between an authorized user and a resource, and then uses a hijacking technique to take it over and assume the identity of the authorized user.

Chapter 20 talks about understanding the security in the software development lifecycle, identifying and applying security controls in development environments, assessing the effectiveness of software security, assessing security impact of acquired software, and applying secure coding guidelines and standards.

Last summer I spent about a month studying for and getting my Certified Information Systems Security Professional (CISSP) certification from ISC2. I went about studying for the test a few ways:

• I used the PocketPrep app
• I attended a study bootcamp
• I did a bunch of practice tests

And finally…

• I got the ISC2 CISSP official study guide - I read it cover to cover, and highlighted and annotated the entire thing.

Twitter (@MrThomasRayner) told me there is interest in seeing my study notes. So, here we go! Welcome to my 21 part series on the takeaways and crucial points from each chapter in the ISC2 CISSP official study guide. To be clear, this isn’t a replacement for all those other study methods I mentioned above. This is just a supplement. This also isn’t everything you need to know for the test. This is just what I feel are the most important points.

It’s important to remember that while many of these terms and phrases have different meanings in different contexts, the definitions I’m providing below are the ones that are relevant in the CISSP exam. Your own training or experience may tell you that a definition is incorrect or invalid, but if you want to get the exam questions right, you’ll have to know them as they’re defined in the books and study material.

The CISSP exam is often said to be “a mile wide but only an inch deep” which means you need to know a little bit about a lot of stuff. Accordingly, these posts contain a lot of points and while you might not be questioned on all of them, you could be questioned on any of them. It’s important to have a good grip on every chapter in its entirety.

Previous Chapters

• Chapter 1: Security Governance Through Principles and Policies
• Chapter 2: Personnel Security and Risk Management Concepts
• Chapter 3: Business Continuity Planning
• Chapter 4: Laws, Regulations, and Compliance
• Chapter 5: Protecting Security of Assets
• Chapter 6: Cryptography and Symmetric Key Algorithms
• Chapter 7: PKI and Cryptographic Applications
• Chapter 8: Principles of Security, Models, Design, and Capabilities
• Chapter 9: Security Vulnerabilities, Threats, and Countermeasures
• Chapter 10: Physical Security Requirements
• Chapter 11: Secure Network Architecture and Securing Network Components
• Chapter 12: Secure Communications and Network Attacks
• Chapter 13: Managing Identity and Authentication
• Chapter 14: Controlling and Monitoring Access
• Chapter 15: Security Assessment and Testing
• Chapter 16: Managing Security Operations
• Chapter 17: Preventing and Responding to Incidents
• Chapter 18: Disaster Recovery Planning
• Chapter 19: Investigations and Ethics

Chapter 20 - Software Devlopment Security

My key takeaways and crucial points

Software Development

• Programming languages
  • Binary code - what computers understand, a series of 1s and 0s called machine language.
  • High level languages like Python, C++, Ruby, R, Java, Visual Basic allow programmers to write instructions that are better approximates for human communication.
  • Compiled languages like C, Java, FORTRAN use a compiler to convert the higher level language into an executable that the computer understands.
  • Interpreted languages like Python, R, JavaScript are not compiled and run in their original versions.
  • Compiled code is generally less prone to third party manipulation, but it is easier to hide malicious code. Compiled code is neither more nor less secure than interpreted.
• Object oriented programming
  • Each object in the OOP model has methods that correspond to specific actions that can be taken on the object, and inherit methods from their parent class
  • Provides a black-box approach to abstraction
  • Message - a communication to or input of an object
  • Method - internal code that defines the actions an object performs
  • Behavior - result of an object processing a method
  • Class - collection of common methods from a set of objects that defines behavior
  • Instance - objects are instances of a class
  • Inheritance - methods from a class are passed from a parent class to a child class
  • Delegation - forwarding a request by an objec tto another object
  • Polymorphism - the characteristic of an object that allows it to respond to different behaviors to the same message or method because of external condition changes
  • Cohesion - strength of the relationship between purposes of methods within the same class
  • Coupling - level of interaction between objects
• Assurance - properly implementing security policy through lifecycle of the System (according to the Common Criteria in a government setting)
• Avoiding and mitigating system failure
  • Input validation - when a user provides a value to be used in a program, make sure it falls within the expected parameters otherwise processing is stopped. Limit checks are when you check that a value falls within an acceptable range. Should always occur on the server side of a transaction.
  • Authentication and session management - require that users authenticate, and developers should seek to integrate apps with organizations existing authentication systems. Session tokens should exire, and cookies should only be transmitted over secure, encrypted channels.
  • Error handling - Errors should not expose sensitive internal information to attackers.
  • Logging - OWASP suggests logging these events: input validation failures, authentication attempts and failures, access control failures, tampering attempts, use of invalid or expired session tokens, exceptions raised by the OS or applications, administrative privilege usage, TLS failures, and cryptographic errors.
• Fail secure - high level of security
• Fail open - allows users to bypass failed security controls
• Software should revert to a fail-secure. This is what a Windows Blue Screen of Death does.
• Must balance security, functionality, user-friendliness.

Systems Development Lifecycle

• Conceptual definition - creating the basic concept statement for a system. Not longer than one or two paragraphs, and is agreed on by all interested stakeholders.
• Functional requirements determination - specific functionalities listed, devs start to think about how the parts of the system should interoperate. Think about input, behavior, output. Stakeholders must agree to this, too, and this document should be often referred to.
• Control specifications development - continues above design and review phases. Consider access controls, how to maintain confidentiality, provide an audit trail and a detective mechanism for illegitimate activity.
• Design review
• Code review walk-through - developers start writing code, walk through it looking for problems.
• User acceptance testing - actual users validate the system
• Maintenance and change management - ensure continued operation while requirements and systems change

Lifecycle Models

• Waterfall - Invented by Winston Royce in 1970. 7 stages, and each stage must be completed before the project moves to the next phase. Modern waterfall allows for moving backwards via “feedback loop”. The first comprehensive attempts to model the software development process.
• Spiral - 1988 by Barry Boehm, allows for multiple iterations of a waterfall style process. System developers apply the whole waterfall process to the development of several prototypes, and return to the planning stages as demands and requirements change.
• Agile - emphasis on needs of the customer, quickly developing new functionality. Highest priority is to satisfy the customer through early and continuous delivery, handle changing requirements, prefer short timescales, collaboration.
• Gantt charts show interrelationships over time between projects and schedules. PERT is a project scheduling tool that relates estimated lowest possible size, most likely size, and highest possible size for each component.
• Change and configuration management - changes should be centrally logged.
  • Request control - users can request modifications, managers cna conduct cost/benefit analysis, and tasks can be prioritized
  • Change control - developers try to recreate situation encountered by the user, implements an organized framework, and allows devs to test a solution before rolling it out
  • Release control - changes are reviewed and approved, includes acceptance testing
  • Configuration identification
  • Configuration control
  • Configuration status accounting
  • Configuration audit
• DevOps - seeks to unify software development, quality assurance, and technology operations, rather than allowing them to operate in separate silos. Aims to decrease time required to develop and deploy software changes - you might even deploy several times a day.
• Application programming interfaces - APIs, allow websites to interact with each other by bypassing traditional webpages and interacting with the underlying service. May have authentication requirements.
• Software testing
  • Reasonableness check - Ensures the values returned by software match criteria, should be done via separation of duties
  • White box testing - step trhough code line by line
  • Black box testing - from a user’s perspective
  • Gray box testing - combine white and black
  • Static testing - without running the code
  • Dynamic testing - done in a runtime environment
• Code repositories are a central storage point for developers to collaborate on source code.

Establishing Databases and Data Warehousing

• Hierarchical data model - logical tree structure, a one to many model
• Distributed data model - data stored in several databases that are logically connected
• Relational database - each table looks like a spreadsheet with row/column structure and a one to one mapping relationship
  • Candidate keys - subset of attributes that can uniquely identify a record in the table
  • Primary keys - selected from candidate keys to identify data. Only one primary key per table.
  • Foreign keys - used to enforce relationships between two tables (referrential integrity), and ensure that if one table contains a foreign key, it corresponds to a primary key in another table
• Database transactions - discrete sets of SQL instructions that will either succeed or fail as a group.
  • Must be committed to the database and cannot be undone when it succeeds.
  • ACID model
    • Atomicity - all or nothing
    • Consistency - consistent with all the database’s rules
    • Isolation - transactions operate separately
    • Durability - once committed, they are preserved
• Security for multilevel databases
  • These contain information with a variety of different classifications, and must verify labels assigned to owners and provide only the appropriate information
  • Concurrency - edit control is a preventitive control that states information stored in the database is always correct. Locks allow one user to make changes but deny other users access at the same time.
  • Lost updates - when different processes make updates and are unaware of each other
  • Dirty reads - reading a record from a transaction that did not successfully commit
• Open database connectivity - a proxy between applications and backend database drivers that give programmers greater freedom in creating solutions without having to worry about the underlying database
• NoSQL - key/value stores that are good for high-speed applications, graph databases, and document stores.

Storing Data and Information

• Storage types
  • Primary/real memory - resources directly available to the CPU like RAM
  • Secondary storage - inexpensive, nonvolatile storage like hard drives
  • Virtual memory - simulate more primary memory via secondary storage
  • Random access storage - request conteints from any point within the media (RAM and hard drives)
  • Sequential access storage - needs to scan through the entire media, like a tape
  • Volatile storage - loses contents when power is removed (RAM)
  • Nonvolatile storage - does not depend on the presense of power
• Covert storage channels allow transmission of sensitive data between classification levels through the direct or indirect manipulation of shared storage media.

Understanding Knowledge Based Systems

• Expert systems - embody accumulated knowledge of experts. Have a knowledge base and an inference engine. Knowledge is codified in a series of “if/then” statements.
• Inference engines examine information int he knowledge base to arrive at a decision.
• Machine learning
  • Supervised learning uses labeled data
  • Unsupervised learning uses unlabeled data
• Neural networks
  • Chains of computational units used to attempt to imitate biolgical reasoning processes of the human mind
  • Extension of machine learning
  • Aka deep learning
  • Delta rule - the ability to learn from experience

Chapter 19 covers how to understand, adhere to, and promote professional ethics, understanding and supporting investigations, and understanding different investigation types.

Last summer I spent about a month studying for and getting my Certified Information Systems Security Professional (CISSP) certification from ISC2. I went about studying for the test a few ways:

• I used the PocketPrep app
• I attended a study bootcamp
• I did a bunch of practice tests

And finally…

• I got the ISC2 CISSP official study guide - I read it cover to cover, and highlighted and annotated the entire thing.

Twitter (@MrThomasRayner) told me there is interest in seeing my study notes. So, here we go! Welcome to my 21 part series on the takeaways and crucial points from each chapter in the ISC2 CISSP official study guide. To be clear, this isn’t a replacement for all those other study methods I mentioned above. This is just a supplement. This also isn’t everything you need to know for the test. This is just what I feel are the most important points.

It’s important to remember that while many of these terms and phrases have different meanings in different contexts, the definitions I’m providing below are the ones that are relevant in the CISSP exam. Your own training or experience may tell you that a definition is incorrect or invalid, but if you want to get the exam questions right, you’ll have to know them as they’re defined in the books and study material.

The CISSP exam is often said to be “a mile wide but only an inch deep” which means you need to know a little bit about a lot of stuff. Accordingly, these posts contain a lot of points and while you might not be questioned on all of them, you could be questioned on any of them. It’s important to have a good grip on every chapter in its entirety.

Previous Chapters

• Chapter 1: Security Governance Through Principles and Policies
• Chapter 2: Personnel Security and Risk Management Concepts
• Chapter 3: Business Continuity Planning
• Chapter 4: Laws, Regulations, and Compliance
• Chapter 5: Protecting Security of Assets
• Chapter 6: Cryptography and Symmetric Key Algorithms
• Chapter 7: PKI and Cryptographic Applications
• Chapter 8: Principles of Security, Models, Design, and Capabilities
• Chapter 9: Security Vulnerabilities, Threats, and Countermeasures
• Chapter 10: Physical Security Requirements
• Chapter 11: Secure Network Architecture and Securing Network Components
• Chapter 12: Secure Communications and Network Attacks
• Chapter 13: Managing Identity and Authentication
• Chapter 14: Controlling and Monitoring Access
• Chapter 15: Security Assessment and Testing
• Chapter 16: Managing Security Operations
• Chapter 17: Preventing and Responding to Incidents
• Chapter 18: Disaster Recovery Planning

Chapter 19 - Investigations and Ethics

My key takeaways and crucial points

Investigations

• Administrative investigations - internal investigations that examine either operational issues or a violation of the organization’s policies. May transition to another type of investigation.
• Root cause analysis - determine the reason that something occured.
• Criminal investigations - conducted by law enforcmenet, related to alleged violation of criminal law. Must meet “beyond a reasonable doubt” standard which states there are no other logical conclusions.
• Civil investigations - do not involve law enforcement, but involves internal employees and outside consultants working for a legal team. Must meet the weaker “preponderance of the evidence” standard that demonstrates the outcome is more likely than not. Not as rigorous.
• Regulatory investigations - government agencies do these when they think there’s been a violation of administrative law. Violations of industry standards.
• Electronic discovery
  • Information governance - info is well organized
  • Identifification - locates the information
  • Preservation - protected against alteration or deletion
  • Collection - gatehrs the responsive information centrally
  • Processing - screens the collected information
  • Review - determine what information is responsive to the event
  • Analysis - deeper inspection
  • Production - place info in a format that it may be shared
  • Presentation - show info to witnesses, the court, other parties
• Admissible evidence - must be relevant to determining a fact, material/related to the case, competent (obtained legally)
• Evidence types
  • Real - things that may actually be brought into a court of law, aka conclusive evidence
  • Documentary - written items brought to court to prove a fact at hand
  • Testimonial - testimony of a witness, can be direct evidence based on their observations, or expert opinions
  • Hearsay - something that was told to someone outside of court - not admissible
• Best evidence rule - original documents must be introduced, not copies
• Parol evidence rule - when an agreement between parties is put into writing, the document is assumed to contain all the terms of the agreement and that no verbal agreement may modify the written agreement
• Chain of evidence/custody
  • Evidence should be labled with general description, time and date of collection, location evidence was collected from, name of collector, relevant circumstances

Evidence Collection and Forensic Procedures

• Actions taken to collect should not change evidence
• Person should be trained to access evidence
• All activity related to evidence should be fully documented, preserved, available for review
• Individuals are responsible for all actions taken
• Preserve the original evidence
• Network analysis - when incidents take place over a network. Often difficult to reconstruct because networks are volatile, and depend on prior knowledge than an incident is underway or logs.
• Software analysis - reviews of applications or activity, or review of software code and log files.
• Hardware/embedded device analysis - includes memory, storage systems

Investigation Process

• Rules of engagement - define and guide investigative actions
• Gathering evidence
  • Voluntary surrender - given up willingly, usually when the attacker is not the owner
  • Subpoena - or court order, the court compels someone to provide evidence, but this gives the data owner time to alter the evidence and ruin it
  • Search warrant - used when you must have access to evidence without alerting evidence owner or other personell, the court allows you to seize evidence
• Deciding whether or not to involve law enforcement is challenging because incidents are more likely to become public, and the Fourth Amendment hampers government investigators in ways that private companies are not.
• Never conduct investigations on an acutal system that was compromised. Take them offline and use backups.
• Do not attempt to “hack back” and avenge a crime.
• Call in expert assistance if needed.
• Interviewing - gather information from an individual. If information is presented in court, the interview is an interrogation.
• Attackers often try to santize log files after attacking, so to preserve evidence, logs should be centralized remotely.
• A final report should be produced by any investigation that details the processes followed, evidence collected, and final results of investigation. Lays the foundation for escalation and legal action.

Major Categories of Computer Crime

• Computer crime - violation of law that invovles a computer. Any individual who violates your security policies is an attacker.
• Military and intelligence attacks - restricted ifnormation from law enforcement or military and research sources
• Business attacks - focus on illegally obtaining confidential information. Aka corporate espionage or industrial espionage. Stealing trade secrets.
• Financial attacks - carried out to unlawfully obtain money or services. Ex: shoplifting, burglary.
• Terrorist attacks - to disrupt normal life and instill fear, as opposed to military or intelligence attack which is designed to extract secret information.
• Grudge attacks - to do damage to an organization or person, usualy out of resentment or to “get back at” an organization. Insider threat is big, these attacks can come from disgruntled employees.
• Thrill attacks - done for “the fun of it”, usually by “script kiddies”. May also be related to “hacktivism”.

Ethics

• Rules that govern personal conduct
• Codes of ethics are not laws, but standards for professional behavior

You should study and review the ISC2 Code of Ethics prior to taking your CISSP exam

Chapter 18 dives into security assessment and testing, and security operations like implementing recovery strategies, DR processes, and testing disaster recovery plans.

Last summer I spent about a month studying for and getting my Certified Information Systems Security Professional (CISSP) certification from ISC2. I went about studying for the test a few ways:

• I used the PocketPrep app
• I attended a study bootcamp
• I did a bunch of practice tests

And finally…

• I got the ISC2 CISSP official study guide - I read it cover to cover, and highlighted and annotated the entire thing.

Twitter (@MrThomasRayner) told me there is interest in seeing my study notes. So, here we go! Welcome to my 21 part series on the takeaways and crucial points from each chapter in the ISC2 CISSP official study guide. To be clear, this isn’t a replacement for all those other study methods I mentioned above. This is just a supplement. This also isn’t everything you need to know for the test. This is just what I feel are the most important points.

It’s important to remember that while many of these terms and phrases have different meanings in different contexts, the definitions I’m providing below are the ones that are relevant in the CISSP exam. Your own training or experience may tell you that a definition is incorrect or invalid, but if you want to get the exam questions right, you’ll have to know them as they’re defined in the books and study material.

The CISSP exam is often said to be “a mile wide but only an inch deep” which means you need to know a little bit about a lot of stuff. Accordingly, these posts contain a lot of points and while you might not be questioned on all of them, you could be questioned on any of them. It’s important to have a good grip on every chapter in its entirety.

Previous Chapters

• Chapter 1: Security Governance Through Principles and Policies
• Chapter 2: Personnel Security and Risk Management Concepts
• Chapter 3: Business Continuity Planning
• Chapter 4: Laws, Regulations, and Compliance
• Chapter 5: Protecting Security of Assets
• Chapter 6: Cryptography and Symmetric Key Algorithms
• Chapter 7: PKI and Cryptographic Applications
• Chapter 8: Principles of Security, Models, Design, and Capabilities
• Chapter 9: Security Vulnerabilities, Threats, and Countermeasures
• Chapter 10: Physical Security Requirements
• Chapter 11: Secure Network Architecture and Securing Network Components
• Chapter 12: Secure Communications and Network Attacks
• Chapter 13: Managing Identity and Authentication
• Chapter 14: Controlling and Monitoring Access
• Chapter 15: Security Assessment and Testing
• Chapter 16: Managing Security Operations
• Chapter 17: Preventing and Responding to Incidents

Chapter 18 - Disaster Recovery Planning

My key takeaways and crucial points

Managing Incident Response

• Disaster recovery plan - covers situations where tensions are already high and cooler heads may not naturally prevail, should be setup to basically run on autopilot and remove all decision making.
• Natural disasters
  • Earthquake - shifting of seismic plates
  • Floods - Gradual accumulation of rainwater, or caused by seismic activity (tsunamis)
    • “100 year flood plain” means there is an estimated chance of flooding in any give year of 1/100
  • Storms - Prolonged periods of intense rainfall
  • Fires - including wildfires, and man-made, may be caused by carelessness, faulty electrical wiring, improper fire proteciton practices
    • 1000 building fires in the United States every day
  • Acts of terrorism - General business insurance may not cover against terrorism
  • Bombings/explosions - Including gases from leaks
  • Power outages - protected against by uninterruptible power supply (UPS)
  • Network, utility, and infrastructure failures
    • Which critical systems rely on water, sewers, natural gas, or other utilities?
    • Think about internet connectivity as a utility.
    • Do you consider people a critical business system? People rely on things like water.
  • Hardware/software failures - Hardware components simply wear out, or suffer physical damage.
  • Strikes/picketing - human factor. If a large number of employees walk out at the same time, what would happen to your business?
  • Theft/vandalism - Insurance provides some financial protection

Understand System Resilience and Fault Tolerance

• Single point of failure - SPOF, any component that can cause an entire system to fail.
• Fault tolerance - the ability of a system to suffer a fault but continue to operate
• System resilience - the ability of a system to maintain an acceptable level of service during an adverse event
• Protecting hard drives
  • RAID-0 - striping
  • RAID-1 - mirroring
  • RAID-5 - striping with parity
  • RAID-10 - aka RAID-1+0, or a stripe of mirrors
• Protecting servers
  • Failover - If one server fails, another server in a cluster can take over its load
  • Load balancers detect failures and stop sending traffic to the bad server
  • Provide fault tolerance
  • Many IaaS providers offer load balancing that automatically scales resources as needed
• Protecting power sources
  • Uninterruptible power supply - UPS, battery supplied power for a short period of time that kicks in when power is lost, while a generator starts up to provide backup power
  • Spike - a quick instance of voltage increase
  • Sag - a quick reduction in voltage
  • Surge - a long instance of a spike
  • Brownout - a long instance of a sag
  • Transients - noise on a power line that can come from different sources
  • Line interactive UPS - include variable voltage transformer that helps adjust to over/under voltage events

Trusted Recovery

• Trusted recovery - After a failure, the system is just as secure as it was before
• Fail-secure system - defaults to a secure state in the event of a failure, blocking all access
  • Firewalls are normally fail-secure
• Fail-open system - defaults to an open state, granting access
  • Emergency exit doors are normally fail-open to allow people to escape a hazard in an emergency
• Manual recovery - After a system failure, it does not fail in a secure state and an administrator needs to perform actions to implement a secured or trusted recovery
• Automated recovery - The system can perform a trusted recovery to restore itself against at least one type of failure
• Automated recovery without undue loss - Like automated recovery but it also includes mechanisms to ensure that specific objects are protected to prevent their loss
• Function recovery - Automatically recover specific functions

Quality of Service

• Bandwidth - network capacity
• Latency - time it takes a patcket to travel
• Jitter - variation in latency
• Packet loss - requires retransmission
• Interference - electrical noise, faulty equipment

Recovery Strategy

• DR plan should be designed so first employees on the scene can immediately start recovery efforts in an organized way, even if official disaster ecovery team isn’t there yet
• Insurance can reduce the risk of financial losses
• Business unit and functional priorities
  • Must engineer DR plan to allow highest priority business units to recover first
  • Not all critical functions will be carried out in critical business units
  • Perform a business impact assessment (BIA) - Identify vulnerabilities, develop strategies to minimize risk, provide a report that describes risks. Also identify costs related to failures. Results in a prioritization task. Minimum output of BIA is a simple listing of business units in priority order.
• Crisis management
  • Individuals in business who are most likely to notice an emergency situation should be trained in DR procedures and know proper notification processes
• Emergency communications
  • Communicate internally during a disaster so employees know what is expected of them
• Workgroup recovery
  • The goal is to restore workgroups to the point that they can resume their activities in their usual work locations
  • May need separate recovery facilities for different workgroups
• Alternate processing sites
  • Cold site - standby facility, no computing facilities preinstalled. Low cost.
  • Hot site - backup facility that is maintained in constant working order, can have replication forced to it or backups taken from primary site to hot site. Higher cost.
  • Warm site - between hot and cold sites, contain equipment needed to establish operation, but not the production data, may take 12 hours to become operational.
  • Mobile site - self contained trailers or other relocated units
  • Service bureau - company that leases computer time
  • Cloud computing - ready-to-run images in cloud providers is usually cost-effective
  • Mutual assistance agreements - MAA, aka reciprocal agreements are rarely implemented but would mean two organizations pledge to assist each other if there’s a disaster by sharing computing facilities. Difficult to enforce, confidentiality concerns, proximity is an issue.
• Database recovery
  • Electronic vaulting - database backups are moved to a remote site using bult transfers. Done in batch, not realtime.
  • Remote journaling - data transfers are performed in a more expeditious mannar, still in bulk transfer, but done in realtime.
  • Remote mirroring - most advanced, most expensive. Live DB server is maintained at the backup site.

Recovery Plan Development

• Maintain multiple types of plan documents for different audiences
• Checklists
• Emergency response - simple but comprehensive instructions for essential personnel to follow immediately upon recognizing that a disaster is in progress. Most important tasks first.
• Personnel and communications - List of personnel to contact in the event of a disaster
• Backups and offsite storage
  • Full backups - complete copy
  • Incremental backups - Files that have been modified since most recent full or incremental backup. Only files with archive bit turned on are duplicated, then those vits are turned off.
  • Differential backups - Files that have been modified since the last full backup. Only files with archive bit turned on, but the bit is left on afterwards.
  • Difference between incremental and differential is the time needed to restored data in an emergency vs time taken to create the backups.
• Software escrow arrangement - protects a company against failure of a developer to provide adequate support for products or if the developer goes out of business
• External communications may be performed by public relations officials
• Logistics refers the problem of moving large numbers of people, equipment, and supplies
• Recovery is bringing business operations and processes back to a working state, while restoration involves bringing the facility and environment back to a working state. DRP should define criteria for both.

Training, Awareness, and Documentation

• Should have these elements
  • Orientation training for new employees
  • Initial training on new DR roles
  • Detailed refersher training for DR team members
  • Awareness refershers for all other employees
• DRP should be treated as exteremely sensitive and provided to individuals on a compartmentalized, need-to-know basis

Testing and Maintenance

• Read through test - Distribute copies of DR plans and review them
• Structured walk through - Table-top exercise with the members of the DR team gather, basically role-playing
• Simulation test - Team members are presented with a scenario and asked to develop a response
• Parallel test - Relocating personnel to alternate recovery site and implementing site activation procedures
• Full-interruption test - Actually shut down the primary site and shift them to the backup site
• DR plans are living documents and need maintenance. They should refer to the organization’s business continuity plan as a template.

Chapter 17 goes over conducting logging and monitoring activities, conducting incident management, and operating and maintaining detective and preventative measures.

Last summer I spent about a month studying for and getting my Certified Information Systems Security Professional (CISSP) certification from ISC2. I went about studying for the test a few ways:

• I used the PocketPrep app
• I attended a study bootcamp
• I did a bunch of practice tests

And finally…

• I got the ISC2 CISSP official study guide - I read it cover to cover, and highlighted and annotated the entire thing.

Twitter (@MrThomasRayner) told me there is interest in seeing my study notes. So, here we go! Welcome to my 21 part series on the takeaways and crucial points from each chapter in the ISC2 CISSP official study guide. To be clear, this isn’t a replacement for all those other study methods I mentioned above. This is just a supplement. This also isn’t everything you need to know for the test. This is just what I feel are the most important points.

It’s important to remember that while many of these terms and phrases have different meanings in different contexts, the definitions I’m providing below are the ones that are relevant in the CISSP exam. Your own training or experience may tell you that a definition is incorrect or invalid, but if you want to get the exam questions right, you’ll have to know them as they’re defined in the books and study material.

The CISSP exam is often said to be “a mile wide but only an inch deep” which means you need to know a little bit about a lot of stuff. Accordingly, these posts contain a lot of points and while you might not be questioned on all of them, you could be questioned on any of them. It’s important to have a good grip on every chapter in its entirety.

Previous Chapters

• Chapter 1: Security Governance Through Principles and Policies
• Chapter 2: Personnel Security and Risk Management Concepts
• Chapter 3: Business Continuity Planning
• Chapter 4: Laws, Regulations, and Compliance
• Chapter 5: Protecting Security of Assets
• Chapter 6: Cryptography and Symmetric Key Algorithms
• Chapter 7: PKI and Cryptographic Applications
• Chapter 8: Principles of Security, Models, Design, and Capabilities
• Chapter 9: Security Vulnerabilities, Threats, and Countermeasures
• Chapter 10: Physical Security Requirements
• Chapter 11: Secure Network Architecture and Securing Network Components
• Chapter 12: Secure Communications and Network Attacks
• Chapter 13: Managing Identity and Authentication
• Chapter 14: Controlling and Monitoring Access
• Chapter 15: Security Assessment and Testing
• Chapter 16: Managing Security Operations

Chapter 17 - Preventing and Responding to Incidents

My key takeaways and crucial points

Managing Incident Response

• Defining an incident
  • Any event that has a negative effect ont he confidentiality, integrity or availability of an organization’s assets
  • ITIL says it’s any unplanned interruption
  • A computer secuirty incident is a result of an attack, or the result of malicious or itentional actions on the part of users
  • NIST 800-61
• Incident response steps
  • Incident response is an ongoing activity
  • Does not include a counterattack
    • Usually illegal, often results in escalation
• Detection
  • Must be able to quickly identify false alarms and user errors
• Response
  • Computer incident response team (CIRT)
  • Activate the team during a major security incident, but not for minor incidents
  • Computers should not be turned off when containing an incident
    • Important for forensics
• Mitigation
  • Contain an incident
  • Limit the effect or scope of an incident
  • Address it without worrying about it spreading
• Reporting
  • Within the org and to groups outside the org
  • Beware of legal requirementse
  • If a data breach exposes PII, the organization must report it
  • Consider reporting the incident to official agencies, they might be able to help
• Recovery
  • Recover the syustem or return it to a fully functioning state
  • Restoring data
  • Ensure it is configured properly and is at least as secure as it was before the incident
  • Configuration management and chanage management programs are important here
• Remediation
  • Attempt to identify what allowed it to occur, implement methods to prevent it from happening again
  • Root cause analysis
• Lessons learned
  • Examine the incident and the response to see if there are any lessons to be learned
  • Improve the response
  • Output of this stage can be fed back to the detection stage
  • Create a report

Implementing Detective and Preventive Measures

• Basic preventive measures
  • Keep systems and applications up to date
  • Remove or disable unneeded services and protocols
  • Use intrusion detection and prevention syustems
  • Use up to date anti-malware software
  • Use firewalls
  • Implement configuraiton and system management processes

Understanding Attacks

• Botnets
  • Bot herder
    • A criminal who controls computers in the botnet via one or more command and control servers
  • Defense in depth
  • Educating users
• Denial of service attacks
  • DoS attacks
  • Prevent a system from processing or responding to legitimate traffic or requests for resources and objects
  • Distributed denial of service attacks occur when multiple systems attack a single system at the same time
  • Distributed reflective denial of service attack doesn’t attack the victim directly but manipulates traffic or a service so the attacks are reflected back to the victim from other sources
• SYN flood attack
  • Disrupts the standard 3 way handshake used by TCP
  • Consume available memory and processing power
  • SYN cookies can block this attack
  • Reduce the amoun tof time a server will wait for an ACK
• Smurf attacks
  • Another type of flood attack, but floods with ICMP echo packets instead of TCP SYN
• Fraggle attacks
  • Similar to smurf, but instead of ICMP, useds UDP packets over ports 7 and 19
• Ping flood
  • Floods a victim with ping requests
• Ping of death
  • Oversized ping packet
  • Buffer overflow error
• Teardrop
  • Attacker fragments traffic in a way that a system is unable to put it back together
• Land attacks
  • Attacker sends spoofed SYN packets to a victim using the victim’s IP address as botht he soure and destination IP
• Zero day exploit
  • Vulnerabilities that are unknown to others
  • The attacker is the only one aware of the vulnerability, before the vendor makes a patch
  • The gap between when the vendor releases the patch and when administrators apply it is a dangerous zone
  • Honeypots and padded cells
• Malicious code
  • Any script or program that performs an unwanted, unauthorized or unknown activity on a computer system
  • Drive by downloads
    • Code is installed on a user’s system without the user’s knowledge
• Man in the middle attacks
  • MITM
  • Malicious users gain a position logically between the two endpoints
  • Copying or sniffing the traffic between parties
  • A store and forward or proxy mechanism
  • Intrusion detection systems cannot usually detect MITM or hijack attacks
  • VPNs
• Sabatoge
  • A criminal act of destruciton or disruption committed against an organization by an employee
  • Employee terminations should be handled swiftly
    • Account access should be disabled ASAP
• Espionage
  • The malicious act of gathering classified information about an organization
  • Disclosing or selling ifnormation to a competitor
  • Mole/plant - an employee with a secret allegience to another organization whose goal is to steal information
  • Screen and track employees effectively

Intrusion Detection and Prevention Systems

• Intrusion
  • Attacker can bypass security mechanisms
• Intrusion detection
  • Monitors recorded information
• Intrusion prevention system
  • IPS
  • Can take steps to stop/prevent intrusions
  • NIST 800-96
• Knowledge/Behavior-based detection
  • Knowledge based
    • aka signature based
    • Database of known attacks
  • Behavior based
    • aka statistical/anomaly, heuristics
    • Creates a baseline of normal activities and events on a system, detects abnormal activity
    • aka an Expert System
• SIEM systems
  • Security ifnromation and event management system
  • Advanced analytic tools
  • Passive response
    • Notifies administrators
  • Active response
    • Can modify the environment
      • Modifies ACLs, addresses, disable communications over specific segments, etc.
• Host and Network based IDSs
  • Host based
    • Monitors a single computer
    • Can detect anomalies on the host that a network IDS cannot
    • Requires admin attention on each system
  • Network based
    • Evaluates network activity
    • Can monitor a large network to collect data at key locations
    • Switches are often used as a preventive measure against rogue sniffers
    • Very little effect on network performance
    • Usually able to detect initation of attack, not always about the success of an attack
• Intrusion prevention systems
  • Placed in line with traffic
  • Active IDS that is not placed in line can check the activity only after it has reached the target

Specific Preventive Measures

• Honeypot
  • Individual computers created as a trap for intruders
  • Honeynet, a network of honeypots
  • Do not host any data of real value
  • Opportunity to observe an attacker’s activity
  • Enticement vs entrapment
    • Intruder must discover it through no outward effort of the honeypot owner
  • Psuedo flaws
    • False vulnerabilities
  • Padded cells
    • Look and feel like an actual network but attackers are unable to perform any malicious activities
    • Offer fake data
• Warning banners
  • Inform users and iuntruders about security policy guidelines
  • Legally bind uesrs
  • No tresassing signs
• Anti-malware
  • Signature files and heuristic capabilities must be kept up to date
  • Firewalls with content-filtering capabilities
  • Install only one anti-malware applicatoin on any system
  • Least privilege helps
  • Educating users
• Whitelisting and blacklisting
  • Should be called allowlisting and denylisting, but these are the terms CISSP uses
  • Whitelisting identifies a list of applicaitons that are authorized to run
  • Blacklisting is a list of applications that are blocked
• Firewalls
  • Filtering traffic based on IP address, port, protocols
  • Second generation firewalls add additional filtering capabilities based on application requirements
  • Next generation firewalls function as a unified threat management device and have even more filtering, like packet filtering and stateful inspection, as well as packet inspeciton
• Sandboxing
  • Prevents the application from interacting with other applciations
  • Virtualization techniques
• Third party security services
  • SaaS
    • Software as a service
• Penetration testing
  • Mimics an actual attack to attempt to identify which techniques attackers cna use to circumvent security
  • NIST 800-115
  • Include a vulnerability scan/assessment
  • Attempt to exploit weaknesses
  • Determine how well a system can tolerate attack
  • Identify employees’ ability to detect and respond to attacks in real time
  • Identify additional controls that can be implemented to reduce risk
  • Pentesting risks
    • Some methods can cause outages
    • Should stop before doing actual damage
    • Should try to perform pentesting in a test system
  • Must always have permission in writing with the risks spelled out
  • Black box testing
    • Zero knowledge
  • White box testing
    • Full knowledge
  • Gray box testing
    • Partial knowledge
  • Social engineering techniques are often used
  • Must protect pentesting reports because they describe attacks against the system
  • Reports must make a recommendation
  • AKA ethical hacking

Logging, Monitoring, and Auditing

• Logging
  • Recording information about events to a file or database
• Log types
  • Security logs - access to resources
  • System logs - system events
  • Application logs - specific applications
  • Firewall logs
  • Proxy logs - include details such as what sites specific users visit and how much time they spend on those sites
  • Change logs
    • Part of a disaster recovery program
• Protecting log data
  • Use logs to recreate events leading up to and during an incident only if the logs haven’t been modified
  • Store copies on a central system like a SIEM
  • FIPS 200
• Audit trails
  • Records created when information about events is stored in one or more databases or log files
  • Passive form of detective security control
  • Also serve as a deterrent
  • Essential as evidence in the prosecution of criminals
• Monitoring and accountability
  • Users claim an identity and must prove their identity by authenticating
  • Audit trails record their activity
  • Users who are aware that lgos are recording are less likely to try to circumvent security controls or perform unauthorized activities
• Monitoring
  • The process of reviewing logs looking for something specific
  • Continuous process
  • Log analysis
    • Detailed form of monitoring, logs are analyzed for trends and patterns
  • Many orgs use a centralized application for monitoring
  • SIEMs may include a correlation engine to help combine multiple log sources into meaningful data
• Sampling
  • Extracting elements from a large collection to construct a meaningful representation of the whole
• Clipping levels
  • Predefine dthreshold for the event, ignoring events until they reach the level
• Keystroke monitoring
  • Act of recording keystrokes a user performs on a keyboard
  • Often compared to wiretapping
• Traffic and trend analysis
  • Examine the flow of packets rather than the contents
• Egress monitoring
  • Watching outgoing traffic to prevent data exfiltration
• Data loss prevention
  • Detect and block data exfiltration attempts
  • Network based scan all outgoing data
  • Endpoint based scan files stored on a system
  • Deep level examinations of data in files
• Steganography
  • The practice of embedding a message within a file
• Watermarking
  • The practice of embedding an image or pattern in paper that isn’t readily perceivable, often to thwart counterfeiting attempts

Auditing to Assess Effectiveness

• Auditing
  • A methodical examination of an environment
  • Use audit logs and monitoring tools to track activity
  • Auditing - Inspection or evaluation
• Auditors
  • Test and verify that processes and procedures are in place to implement security policies or regulations
• Inspection audits
  • Clearly define and adhere to the frequence of audit reviews
• Access review audits
  • Ensure that object access and account management practices suppor the current security policy
  • Ensure that accounts are disabled and deleted in accordance with best practices and security policies
  • Typical termination process:
    • At least one witness is present during exit interview
    • Account access terminated during interview
    • Employee ID badges and physical credentials are collected
    • Employee escorted off premises immediately
• User entitlement audits
  • Refers to the prvileges gratned to users
  • Enforce least privilege principle
• Audits of privileged groups
  • High level adminstrator groups
  • Dual administrator accounts
    • Separation of privileges (normal account and a privileged account)
• Security audits and reviews
  • Patch management - patches are evaluated ASAP, properly deployed through a testing process
  • Vulnerability management - compliance with established guidelines, scans and assessments
  • Configuration management - Use tools to check specific configurations of systems and identify when a change has occured
  • Change management - Changes are implemented in accordance to change management policy
• Reporting audit results
  • Report needs purpose, scope and results
• Protecting audit results
  • Contain sensitive information, need a classification label
  • Sometimes create a seaprate audit report with limited data for separate distribution
  • When distributing, get signed confirmation
• External auditors
  • Some laws require this
  • Provide a level of objectivity that interal audits can’t
  • Interim reports - written or verbal given to the org about observerations that demand immediate attention

Chapter 16 goes over securely provisioning resources, understanding and applying foundational security operations concepts, applying resource protection techniques, implementing and supporting patch and vulnerability management, understanding and participating in change management, and addressing personnel safety and security concerns.

Last summer I spent about a month studying for and getting my Certified Information Systems Security Professional (CISSP) certification from ISC2. I went about studying for the test a few ways:

• I used the PocketPrep app
• I attended a study bootcamp
• I did a bunch of practice tests

And finally…

• I got the ISC2 CISSP official study guide - I read it cover to cover, and highlighted and annotated the entire thing.

Twitter (@MrThomasRayner) told me there is interest in seeing my study notes. So, here we go! Welcome to my 21 part series on the takeaways and crucial points from each chapter in the ISC2 CISSP official study guide. To be clear, this isn’t a replacement for all those other study methods I mentioned above. This is just a supplement. This also isn’t everything you need to know for the test. This is just what I feel are the most important points.

It’s important to remember that while many of these terms and phrases have different meanings in different contexts, the definitions I’m providing below are the ones that are relevant in the CISSP exam. Your own training or experience may tell you that a definition is incorrect or invalid, but if you want to get the exam questions right, you’ll have to know them as they’re defined in the books and study material.

The CISSP exam is often said to be “a mile wide but only an inch deep” which means you need to know a little bit about a lot of stuff. Accordingly, these posts contain a lot of points and while you might not be questioned on all of them, you could be questioned on any of them. It’s important to have a good grip on every chapter in its entirety.

Previous Chapters

• Chapter 1: Security Governance Through Principles and Policies
• Chapter 2: Personnel Security and Risk Management Concepts
• Chapter 3: Business Continuity Planning
• Chapter 4: Laws, Regulations, and Compliance
• Chapter 5: Protecting Security of Assets
• Chapter 6: Cryptography and Symmetric Key Algorithms
• Chapter 7: PKI and Cryptographic Applications
• Chapter 8: Principles of Security, Models, Design, and Capabilities
• Chapter 9: Security Vulnerabilities, Threats, and Countermeasures
• Chapter 10: Physical Security Requirements
• Chapter 11: Secure Network Architecture and Securing Network Components
• Chapter 12: Secure Communications and Network Attacks
• Chapter 13: Managing Identity and Authentication
• Chapter 14: Controlling and Monitoring Access
• Chapter 15: Security Assessment and Testing

Chapter 16: Managing Security Operations

My key takeaways and crucial points

Applying Security Operations Concepts

• Due care and due diligence refers to taking reasonable care to protect the assets of an organization on an ongoing basis
• Need to know
  • Focuses on permissions and the ability to access information
  • Rights
    • Refers to the ability to take actions
  • Grant users access only to data or resources they need to perform assigned work tasks
• Least privilege
  • Granted only the privileges necessary to perform assigned work tasks and no more
  • Entitlement
    • The amount of privileges granted to users
  • Aggregation
    • The amount of privileges that users collect over time
  • Transitive trust
    • A trust relationship between two security domains
• Separation of privilege
  • No single person has total control
  • Collusion
    • An agreement by two or more persons to perform some unauthorized activities
  • Helps reduce fraud
  • Builds on least privilege
  • Segregation of duties is specifically required by SOX
• Two person control
  • Operations that require two keys
  • Ensures peer review, reduces likelihood of fraud
  • Split knowledge is where information or privilege is divided among multiple users
• Job rotation
  • Encourages peer review, reduces fraud, enables cross training
  • Acts as both a deterrent and a detection mechanism
• Mandatory vacations
  • Peer review, helps detect fraud and collusion
  • Acts as a deterrent and a detection mechanism

Privileged Account Management

• Special privilege operations
  • Activities that require special access or elevated rights and permissions to perform
  • Sensitive job tasks
• Monitoring usage of special privileges, so organizations can deter employees from misusing privileges and detect actions
• Perform access review audits

Managing the Information Lifecycle

• Creation/capture
  • Data is created by users, downloading files, etc.
• Classification
  • Should be done asap
  • Ensure that sensitive data is identified and handled appropriately based on its classification
  • Once data is classified, it can be marked and handled correctly
    • Easily recognize data’s value
• Storage
  • Periodically back up
  • Encrypted
  • Physical security
• Usage
  • Any time data is in use or in transit over a network
  • Used in an unencrypted format
• Archive
  • Comply with laws/regulations regarding data retention
  • Ensure data is available
• Destruction/purging
  • NIST 800-88r1

Service Level Agreements

• Defines performance expectations and penalties
• Sometimes have memorandums of understanding
  • and/or an interconnection security agreement
  • Two entities work together toward a common goal
• Can specify technical requirements

Addressing Personnel Safety and Security

• Always possible to replace equipment and data, can’t replace people
• Human safety is ALWAYS top priority
• Duress
  • A simple duress system is just a panic button that sends a distress call
  • More common when working alone
  • Code words or phrases
• Travel
  • Verify a person’s identity before opening a hotel door
  • Sensitive data is ideally not brought on the road, but if it is it needs to be encrypted
  • Malware/monitoring devices
    • Maintain physical control of all devices
    • Do not bring personal devices
  • Free WiFi
    • Vulnerable to man in the middle attacks
• Emergency management
  • Natural or man-made disasters
  • Locate sensitive physical assets toward the center of the building

Managing Virtual Assets

• Reduction in overall operating costs when going virtual
• Hypervisor
  • Essential virtualization software

Managing Cloud Based Assets

• SaaS
  • Software as a service
  • Fully functional applications accessed via web browser, usually
• PaaS
  • Platform as a service
  • Computing platform, including hardware, an OS, and applications
• IaaS
  • Infrastructure as a service
  • Basic computing resources
• NIST 800-145
• Public cloud
  • Available for any consumers
• Private cloud
  • Single organization
• Community cloud
  • Two or more organizations
• Hybrid cloud
  • Combination of two or more clouds

Media Management

• Includes any hard copy of data
• When media is marked, handled and stored properly, it helps prevent unauthorized disclosure (loss of confidentiality), unauthorized modifications (loss of integrity), and unauthorized destruction (loss of availability)
• Tape media
  • Keep at least two copies of backups
  • At least one offsite
• Mobile devices
  • MDM system monitors and manages devices, ensures they are up to date
  • Encryption protects data if phone is lost or stolen
• Managing media lifecycle
  • Once backup media has reached it’s MTTF, it should be destroyed
  • Degaussing does not remove data from an SSD

Managing Configuration

• Baselining
  • Baselines are starting points
  • When systems are deployed in a secure state with a secure baseline, they are more likely to stay secure
• Using images for baselining
  1. Create the image
  2. Capture the image
  3. Deploy the image
• Ensure that desired security settings are always configured correctly

Managing Change

• Change management
  • Reducing unanticipated outages by unauthorized changes
  • Primary goal is to ensure that changes do not cause outages
• Unauthorized changes directly affect availability
• Security impact analysis
  1. Request the change, identify desired changes
  2. Review the change
  3. Approve/reject the change
  4. Test the change
  5. Schedule and implement the change when it will have the least impact
  6. Document the change
• Emergency changes can still occur, but the process still needs to document the changes
• Versioning
  • Labeling or numbering system that differentiates between different software sets and configurations across multiple machines or at different points in time on a single machine
• Configuration documents
  • Who is responsible
  • Purpose of the change
  • List all changes to the baseline

Managing Patches and Reducing Vulnerabilities

• Systems to manage
  • Any computing device with an OS
  • Network infrastructure systems
  • Embedded systems
• Patch management
  • Patch
    • Any type of code written to correct a bug or vulnerability or improve the performance of existing software
  • Evaluate patches
    • Determine if they apply to your systems
  • Test patches
    • Test on an isolated nonproduction system
    • Determine unwanted side effects
  • Approve the patches
    • Change management
  • Deploy the patches
    • Automated methods
  • Verify that patches are deployed
    • Regularly test and audit systems
• Vulnerability management
  • Identifying vulnerabilities, evaluating them, mitigating risks
  • Vulnerability scans
    • Test systems and networks for known security issues
    • Nessus by Tenable Network Security
    • Generate reports
  • Vulnerability assessments
    • Scan reports from past year to determine if the organization is addressing vulnerabilities
    • “Why hasn’t this been mitigated?”
    • Part of a risk analysis or assessment
  • Common vulnerabilities and exposures
    • MITRE maintains the CVE database: cve.mitre.org
    • MITRE is not an acronym, funded by US government to maintain the database

Chapter 15 is a hefty chapter which covers designing and validating assessment, test, and audit strategies, conducting security control testing, collecting security process data, and then analyzing test output, and conducting security audits.

Last summer I spent about a month studying for and getting my Certified Information Systems Security Professional (CISSP) certification from ISC2. I went about studying for the test a few ways:

• I used the PocketPrep app
• I attended a study bootcamp
• I did a bunch of practice tests

And finally…

• I got the ISC2 CISSP official study guide - I read it cover to cover, and highlighted and annotated the entire thing.

Twitter (@MrThomasRayner) told me there is interest in seeing my study notes. So, here we go! Welcome to my 21 part series on the takeaways and crucial points from each chapter in the ISC2 CISSP official study guide. To be clear, this isn’t a replacement for all those other study methods I mentioned above. This is just a supplement. This also isn’t everything you need to know for the test. This is just what I feel are the most important points.

It’s important to remember that while many of these terms and phrases have different meanings in different contexts, the definitions I’m providing below are the ones that are relevant in the CISSP exam. Your own training or experience may tell you that a definition is incorrect or invalid, but if you want to get the exam questions right, you’ll have to know them as they’re defined in the books and study material.

The CISSP exam is often said to be “a mile wide but only an inch deep” which means you need to know a little bit about a lot of stuff. Accordingly, these posts contain a lot of points and while you might not be questioned on all of them, you could be questioned on any of them. It’s important to have a good grip on every chapter in its entirety.

Previous Chapters

• Chapter 1: Security Governance Through Principles and Policies
• Chapter 2: Personnel Security and Risk Management Concepts
• Chapter 3: Business Continuity Planning
• Chapter 4: Laws, Regulations, and Compliance
• Chapter 5: Protecting Security of Assets
• Chapter 6: Cryptography and Symmetric Key Algorithms
• Chapter 7: PKI and Cryptographic Applications
• Chapter 8: Principles of Security, Models, Design, and Capabilities
• Chapter 9: Security Vulnerabilities, Threats, and Countermeasures
• Chapter 10: Physical Security Requirements
• Chapter 11: Secure Network Architecture and Securing Network Components
• Chapter 12: Secure Communications and Network Attacks
• Chapter 13: Managing Identity and Authentication
• Chapter 14: Controlling and Monitoring Access

Chapter 15: Security Assessment and Testing

My key takeaways and crucial points

Security Testing

• Security tests
  • Verify that a control is functioning properly
• Frequent automated tests supplemented by infrequent manual tests are recommended
  • Review the results of those tests to ensure that each test was successful

Security Assessments

• Security assessment
  • Comprehensive reviews of the security of a system applications, or other tested environment
• Information security professional performs a risk assessment
• Assessment report addressed to management

Security Audits

• Security audit
  • Use many of the same techniques for assessments, but must be performed by independent auditors
• Assessments are internal use only
• Audits are done for the purpose of demonstrating the effectiveness of controls to a third party
• Internal audits
  • Intended for internal audiences
• External audits
  • Performed by outside auditing firms
• Third party audits
  • Conducted by, or on behalf of, another organization
  • Type I
    • Controls provided by audited organization as well as auditor opinion based on description
  • Type II
    • Minimum six month period and also include an opinion from the auditor
    • Considered more reliable
• Auditing standards
  • COBIT
    • Describes common requirements orgs should have in place surrounding information systems
  • ISO 27001
    • A standard approach for setting up an information security management protocol
    • ISO 27002 goes into more detail

Describing Vulnerabilities

• Common vulnerabilities and exposures (CVEs)
  • A naming system for vulnerabilities
• Common vulnerability scoring system (CVSS)
  • A scoring system for severity
• Common platform enumeration (CPE)
  • A naming system for configuration issues
• Extensible configuration checklist description format (XCCDF)
  • Language for security checklists
• Open vulnerability and assessment language (OVAL)
  • Language for security testing procedures

Vulnerability Scans

The instructor for my bootcamp told us that this is a heavily tested section, and trips up a ton of test takers

• Vulnerability scans
  • Automatically probe systems
• Network discovery scans
  • NMAP - a network scanning tool
  • TCP SYN scanning
    • Single packets sent with the SYN flag set
  • TCP connect scanning
    • Opens a full connection to the remote system
  • TCP ACK scanning
    • Send a packet with ACK set, indicating it’s part of an open connection
    • Helps determine firewall rules
  • Xmas scanning
    • FIN, PSH, URG flags are set on packets sent to systems
• Port statuses
  • Open - there is an application that is actively accepting connections
  • Closed - The firewall is allowing access, but there is no application accepting connections
  • Filtered - Unable to determine if a port is open or closed because of a firewall
• Network vulnerability scanning
  • Deeper than a discovery scan
  • Tools contain databases of thousands of known vulnerabilities, and tests that can be performed to identify whether a system is susceptible to each vulnerability
  • False positives and false negatives may occur
  • By default, vulnerability scanners run unauthenticated scans
• TCP ports

• Nessus, Qualys, Rapid7’s NeXpose, OpenVAS are all vulnerability scanners
• Aircrack is used to scan wireless networks
• Web vulnerability scanning
  • Structured Query Language (SQL) injection, leveraging poor input validation/sanitization
  • Web vulnerability scanners scour web applications for known vulnerabilities
  • Nessus does this, too, also Acunetix, Nikto, Wapiti, Burp Suite
  • Scan all applications when you begin performing scanning for the first time
  • Scan new applications when moving into production
  • Scan before code changes go to production
  • Scan on a recurring basis
• Vulnerability management workflow
  1. Detection - Identification of a vulnerability
  2. Validation - Confirm the vulnerability is not a false positive
  3. Remediation - Patch, change configurations, implement a workaround
• Penetration testing
  • Actually attempting to exploit systems, not just scan them
  • Done by trained security professionals
  • Process
    1. Planning - agree on scope, rules of engagement
    2. Information gathering and discovery - tools collect information, reconnaissance
    3. Vulnerability scanning - probes for system weaknesses
    4. Exploitation - use automated and manual exploitation tools to defeat system security
    5. Reporting - results of the penetration test, make recommendations
  • Metaspoit is a common tool
  • Types of penetration tests
    1. White box - attackers have detailed information about the target systems
    2. Gray box - attackers have partial knowledge about target systems
    3. Black box - attackers are not provided with any information
       • They should be done in this order

Testing Your Software

• Applications often have privileged access
• Apps often handle sensitive information
• They often rely on databases
• Code review
  • AKA peer review
  • Approval of an application’s move into production
  • Fagan inspection
    1. Planning
    2. Overview
    3. Preparation
    4. Inspection
    5. Rework
    6. Follow up
• Static testing
  • Done without running it, but rather analyzing source code or compiled app
• Dynamic testing
  • Done in a runtime environment
  • Testers often do not have access to underlying source code
  • Synthetic transactions are scripted transactions with an application with known expected results
• Fuzz testing
  • Different types of input are given to software to test it’s limits and find previously undetected flaws
  • Mutation “dumb” fuzzing
    • Takes previous input values and mutates them to create fuzzed input
  • Generational “intelligent” fuzzing
    • Data models used to create new fuzzed input based on understanding of data types used by the system
  • zuff - a tool that performs fuzzing
• Interface testing
  • Different parts of a complex app that must function together are tested
• Misuse case testing
  • Enumerate the known misuse cases
  • How can software be abused?
• Test coverage analysis
  • Estimate the degree of testing conducted
    • Test coverage = number of use cases tested / total number of use cases
  • Branch coverage
    • Has every if been executed under all if and else conditions?
  • Conditional coverage
    • Has every logical test in the code been executed under all sets of inputs?
  • Function coverage
    • Has every function in the code been called and returned results?
  • Loop coverage
    • Has every loop in the code been executed under conditions that cause code execution multiple times, once, and not at all?
  • Statement coverage
    • Has every line of code been executed during the test?
• Website monitoring
  • Passive monitoring
    • Analyze actual network traffic
    • Real user monitoring reassembles the activity of individual users
  • Synthetic monitoring
    • AKA Active monitoring
    • Performing artificial transactions

Implementing Security Management Processes

• Log reviews
  • Logging systems should use Network Time Protocol (NTP) to ensure clock synchronization
  • Periodically review logs
• Account management
  • Ensure users only retain authorized permissions and that unauthorized modifications do not occur
  • Example process
    1. Provide a list of users with privileged access
    2. Ask the privilege approval authority to provide a list of authorized users
    3. Compare the two lists
  • Lots of other checks, like terminated users
  • Check paper trails
• Backup verification
• Key performance and risk indicators
  • Monitor key performance and risk indicators
  • Number of open vulnerabilities
  • Time to resolve vulnerabilities
  • Vulnerability/defect recurrence
  • Number of compromised accounts
  • Number of software flaws detected in pre-production scanning
  • Repeat audit findings
  • User attempts to visit known malicious sites
  • Lots more, come up with your own depending on what’s important to your org

Chapter 14 is about identity and access management (IAM), and discusses all kinds of different access control: role based, rule based, mandatory,discretionary, and attribute based.

Last summer I spent about a month studying for and getting my Certified Information Systems Security Professional (CISSP) certification from ISC2. I went about studying for the test a few ways:

• I used the PocketPrep app
• I attended a study bootcamp
• I did a bunch of practice tests

And finally…

• I got the ISC2 CISSP official study guide - I read it cover to cover, and highlighted and annotated the entire thing.

Twitter (@MrThomasRayner) told me there is interest in seeing my study notes. So, here we go! Welcome to my 21 part series on the takeaways and crucial points from each chapter in the ISC2 CISSP official study guide. To be clear, this isn’t a replacement for all those other study methods I mentioned above. This is just a supplement. This also isn’t everything you need to know for the test. This is just what I feel are the most important points.

It’s important to remember that while many of these terms and phrases have different meanings in different contexts, the definitions I’m providing below are the ones that are relevant in the CISSP exam. Your own training or experience may tell you that a definition is incorrect or invalid, but if you want to get the exam questions right, you’ll have to know them as they’re defined in the books and study material.

The CISSP exam is often said to be “a mile wide but only an inch deep” which means you need to know a little bit about a lot of stuff. Accordingly, these posts contain a lot of points and while you might not be questioned on all of them, you could be questioned on any of them. It’s important to have a good grip on every chapter in its entirety.

Previous Chapters

• Chapter 1: Security Governance Through Principles and Policies
• Chapter 2: Personnel Security and Risk Management Concepts
• Chapter 3: Business Continuity Planning
• Chapter 4: Laws, Regulations, and Compliance
• Chapter 5: Protecting Security of Assets
• Chapter 6: Cryptography and Symmetric Key Algorithms
• Chapter 7: PKI and Cryptographic Applications
• Chapter 8: Principles of Security, Models, Design, and Capabilities
• Chapter 9: Security Vulnerabilities, Threats, and Countermeasures
• Chapter 10: Physical Security Requirements
• Chapter 11: Secure Network Architecture and Securing Network Components
• Chapter 12: Secure Communications and Network Attacks
• Chapter 13: Managing Identity and Authentication

Chapter 14: Controlling and Monitoring Access

My key takeaways and crucial points

Comparing Permissions, Rights, and Privileges

• Permissions
  • The access granted for an object and what you can do with it
• Rights
  • The ability to take an action on an object
• Privileges
  • The combination of rights and permissions

Understanding Authorization Mechanisms

• Implicit deny
  • Access to an object is denied unless it has been explicitly granted
• Access control matrix
  • A table that includes subjects, objects, and assigned privileges
• Capability tables
  • Like an ACL, but focused on subjects
• Constrained interface
  • Restricted interfaces that control what users can do or see based on their privileges
• Content depended control
  • Restrict access to data based on the content within an object
  • Ex: A database view
  • “What” data is being accessed
• Context depended control
  • Require specific activity before granting access
  • Ex: Date and time bound access
  • “How” you’re accessing data
• Need to know
  • Granted access only to what you need to know to perform your job
• Least privilege
  • Subjects are granted only the privileges they need to perform their work tasks and job functions
  • Will also include rights to take action on a system
• Separation of duties and responsibilities
  • Sensitive functions are split into tasks performed by two or more employees

Defining Requirements with a Security Policy

• Security policy
  • A document that defines the security requirements for an organization
• Senior leadership approves the security policy

Implementing Defense in Depth

• Defense in depth
  • Multiple layers or levels of access controls to provide layered security
• Key components
  • Security policy
  • Personnel, training
  • Combination of administrative, technical, and physical access controls

Summarizing Access Control Models

• Discretionary access control
  • Every object has an owner who can grant or deny access to any other subjects
• Role based access control
  • User accounts are placed in roles and administrators assign privileges to the roles
• Rule based access control
  • Global rules apply to all subjects
  • AKA restrictions/filters
• Attribute based access control
  • Uses rules that can include multiple attributes
  • More flexible than rule based access control
  • Plain language statements
• Mandatory access control
  • Labels applied to both subjects and objects

Discretionary Access Control

• Allows owner/creator/data custodia of an object to control and define access to the object
• Using access control lists (ACLs)

Nondiscretionary Access Control

• Administrators centrally administer access controls and can make changes that affect the entire environment

Role Based Access Control

• AKA task-based access control
• AKA RBAC
• Privilege creep
  • Users accrue privileges over time as their roles and access needs change
• Administrators identify roles/groups by work function
• Useful in dynamic environments with frequent personnel changes

Rule Based Access Control

• Rules, restrictions, filters determine what can and cannot occur on a system
• Global rules apply to all subjects
• RBAC refers to ROLE based access control
• Firewalls include a set of rules within an ACL
• Implicit deny

Attribute Based Access Control

• ABAC
• Uses policies that include multiple attributes for rules
• Can be any characteristic of users, network, devices

Mandatory Access Control

• MAC
• Uses classification labels
• Security domain
  • A collection of subjects and objects that share a common security policy
• Often referred to as a lattice-based model
• Compartmentalization enforces need to know principle
• Hierarchical environment
  • Ordered structure from low security to medium security to high security
  • Classification labels
• Compartmentalized environment
  • No relationship between one security domain and another
• Hybrid environment
  • Combines both hierarchical and compartmentalized concepts

Understanding Access Control Attacks

• Risk elements
  • Threat
    • A potential occurrence that can result in an undesirable outcome
  • Vulnerability
    • Any type of weakness
  • Risk management
    • Attempting to reduce or eliminate vulnerabilities, or reduce the impact of potential threats by implementing controls or countermeasures
    • Process
      • Identify assets
        • Asset valuation - identifying the actual value of an asset so you may prioritize them
      • Identify threats
        • Threat modeling - identifying, understanding and categorizing potential threats
      • Identify vulnerabilities
• Advanced persistent threats
  • APTs
  • Attackers who are working together, highly motivated, skilled, and patient
  • Advanced knowledge
• Threat modeling approaches
  • Focused on assets
    • Identify threats to valuable assets
  • Focused on attackers
    • Based on attackers goals
  • Focused on software
    • Based on potential threats against software
• Identifying vulnerabilities
  • Identifying strengths and weaknesses of different access control mechanisms

Common Access Control Attacks

• Access aggregation attacks
  • Collecting multiple pieces of non-sensitive information and combining them to learn sensitive information
  • Reconnaissance
• Password attacks
  • Passwords are the weakest form of authentication
  • Dictionary attack
    • Attempt to discover passwords by using every possible password in a predefined database or list of common or expected passwords
  • Brute force attack
    • Attempt to discover passwords for accounts by systematically attempting all possible combinations of letters, numbers and symbols
    • Hybrid attack attempts a dictionary attack and then a brute force
  • Birthday attack
    • Focuses on finding collisions
    • The birthday paradox states that if there are 23 people in a room, there is a 50% chance that two of them will have the same birthday (month and day only, not year)
  • Rainbow table attack
    • Rainbow tables are large databases of precomputed hashes
    • Salt passwords to reduce effectiveness of rainbow tables
      • Salt is random bits added to a password before hashing it, stored in the same database holding the hashed password
      • Pepper is a large constant number stored elsewhere
  • Sniffer attacks
    • Capture packets sent over a network to analyze them
    • AKA snooping attack
    • Wireshark is a popular tool for this
    • Make sure you
      • Encrypt all sensitive data
      • Use one time passwords
      • Implement physical security
      • Monitor the network for signatures from sniffers
• Spoofing attacks
  • AKA masquerading
  • Pretending to be something else
  • Email spoofing
    • Spoofing the email address in the from field of an email
    • Phishing
  • Phone number spoofing
    • Caller ID
    • VoIP
• Social engineering attacks
  • Gaining the trust of someone using deceit to get them to betray organizational security
  • Shoulder surfing is also considered social engineering
    • Looking at someone’s screen while they access information
    • Use screen filters
  • Phishing
    • Getting users to open an attachment, click a link, or reply with personal information
    • Drive by downloads
      • Malware that installs itself without the user’s knowledge when the user visits a website
    • Spear phishing
      • Phishing where specific users or groups are targeted
    • Whaling
      • Senior or high level executives are targeted
    • Vishing
      • Phishing with a phone system or VoIP
• Smartcard attacks
  • Side channel attack
    • Passive, non-invasive attack that observes how the device functions

Summary of Protection Methods

• Control physical access to systems
  • If attackers can gain physical access to a server, they can steal it and do anything to it
• Control electronic access to files
• Create a strong password policy
• Hash and salt passwords
• Use password masking, never display cleartext passwords
• Deploy multifactor authentication
• Use account lockout controls
  • Lock an account after the incorrect password is entered a predefined number of times
  • Implement extensive logging
• Use last logon notification
  • Display information about the last time an account was successfully logged into
• Educate users about security

Chapter 13 is an important chapter that gets into controlling physical and logical access to assets, managing identification and authentication of people, devices and services, integrating identity as a third-party service, and managing the identity and access provisioning lifecycle.

Last summer I spent about a month studying for and getting my Certified Information Systems Security Professional (CISSP) certification from ISC2. I went about studying for the test a few ways:

• I used the PocketPrep app
• I attended a study bootcamp
• I did a bunch of practice tests

And finally…

• I got the ISC2 CISSP official study guide - I read it cover to cover, and highlighted and annotated the entire thing.

Twitter (@MrThomasRayner) told me there is interest in seeing my study notes. So, here we go! Welcome to my 21 part series on the takeaways and crucial points from each chapter in the ISC2 CISSP official study guide. To be clear, this isn’t a replacement for all those other study methods I mentioned above. This is just a supplement. This also isn’t everything you need to know for the test. This is just what I feel are the most important points.

It’s important to remember that while many of these terms and phrases have different meanings in different contexts, the definitions I’m providing below are the ones that are relevant in the CISSP exam. Your own training or experience may tell you that a definition is incorrect or invalid, but if you want to get the exam questions right, you’ll have to know them as they’re defined in the books and study material.

The CISSP exam is often said to be “a mile wide but only an inch deep” which means you need to know a little bit about a lot of stuff. Accordingly, these posts contain a lot of points and while you might not be questioned on all of them, you could be questioned on any of them. It’s important to have a good grip on every chapter in its entirety.

Previous Chapters

• Chapter 1: Security Governance Through Principles and Policies
• Chapter 2: Personnel Security and Risk Management Concepts
• Chapter 3: Business Continuity Planning
• Chapter 4: Laws, Regulations, and Compliance
• Chapter 5: Protecting Security of Assets
• Chapter 6: Cryptography and Symmetric Key Algorithms
• Chapter 7: PKI and Cryptographic Applications
• Chapter 8: Principles of Security, Models, Design, and Capabilities
• Chapter 9: Security Vulnerabilities, Threats, and Countermeasures
• Chapter 10: Physical Security Requirements
• Chapter 11: Secure Network Architecture and Securing Network Components
• Chapter 12: Secure Communications and Network Attacks

Chapter 13: Managing Identity and Authentication

My key takeaways and crucial points

Comparing Subjects and Objects

• Subjects are active entities that access a passive object
• Objects are passive entities that provide information to active subjects

The CIA Triad and Access Controls

• Confidentiality
  • When unauthorized entities can access systems or data, it results in a loss of confidentiality
• Integrity
  • Unauthorized changes
• Availability
  • Data should be available to users and other subjects when they are needed

Types of Access Control

• Access control includes the following overall steps
  1. Identify and authenticate users or other subjects attempting to access resources
  2. Determine whether the access is authorized
  3. Grant or restrict access based on the subject’s identity
  4. Monitor and record access attempts
• Preventive access control
  • Attempts to thwart or stop unwanted or unauthorized activity from occurring
• Detective access control
  • Attempts to discover or detect unwanted or unauthorized activity
• Corrective access control
  • Modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred
• Deterrent access control
  • Discourages security policy violations
• Recovery access control
  • Repair or restore resources, functions, and capabilities after a security policy violation
• Directive access control
  • Direct, confine, or control the actions of subjects to force or encourage compliance with security policies
• Compensating access control
  • Provides an alternative when it isn’t possible to use a primary control
  • Increase the effectiveness of a primary control
• Administrative access control
  • Policies and procedures
• Logical/technical controls
  • Hardware or software mechanisms
• Physical controls
  • Items you can physically touch

Comparing Identification and Authentication

• Identification
  • The process of a subject claiming, or professing, an identity
• Authentication
  • Verifying the identity of the subject by comparing one or more factors against a database of valid identities
• Registration
  • When a user is first given an identity
• Authorization
  • Access to objects based on proven identities
  • Indicates who is trusted to perform specific operations
• Accountability
  • Auditing is implemented
  • The process of tracking and recording subject activities within logs
  • Relies on effective identification and authentication, but does not require effective authorization

Authentication Factors

• Type 1
  • Something you know
  • Ex: password, PIN
• Type 2
  • Something you have
  • Ex: token, phone, smartcard
• Type 3
  • Something you are
  • Ex: Fingerprint, retina scan
• Context-aware authentication
  • Based on location, time of day, mobile device
  • May implement a geo-fence so resources are only available on some devices if the device is in a specific place
  • Detecting impossible travel
• Passwords
  • Type 1
  • A static password stays the same for a length of time
  • Weakest form of authentication
  • Creating strong passwords
    • Max age
    • Complexity
    • Length
    • History
  • Passphrases are more effective
    • Longer strings of characters made up of multiple words
  • NIST 800-63B suggests comparing a user’s password against a list of commonly known simple passwords and rejecting the commonly known passwords
• Cognitive passwords
  • Challenge questions
  • Ex: What is your birth date? What is the name of your first pet?
  • Answers are commonly available on the internet
• Smartcards
  • Type 2
  • Certificates are used for asymmetric crypto like encrypting data or signing email
• Tokens
  • Type 2
  • Password-generating devices
  • Synchronous dynamic passwords
    • Time based, synchronized with an authentication server
  • Asynchronous dynamic passwords
    • Does not use a clock
    • Based on an algorithm and an incrementing counter
• Biometrics
  • Type 3
  • Using a biometric factor instead of a username requires a one-to-many search
    • Capturing a single image of a person and searching a database of many people looking for a match
  • Using a biometric factor as an authentication technique requires a one-to-one match
    • The user claims an identity and the biometric factor is checked to see if the person matches the claimed identity
  • Retina scans
    • Pattern of blood vessels at the back of the eye
    • Most accurate
  • Iris scan
    • Second-most accurate
  • Palm scans
    • Measure vein patterns in the palm
  • Hand geometry
    • Physical dimensions of the hand
  • Signature dynamics
    • Writes a string of characters
  • Keystroke patterns
    • How the subject uses a keyboard
• Biometric Factor Error Ratings
  • False rejection rates
    • Type I error
  • False acceptance rates
    • Type II error
  • Crossover error rate (CER)
    • Where false rejection and false acceptance percentages are equal
    • Related to sensitivity of scan/detection
• Biometric registration
  • Enrollment
  • A subject’s biometric factor is sampled and stored in a database
  • Known as a reference template/profile

Multifactor Authentication

• Must use multiple types/factors such as “something you know” and “something you have”
• Ex: Typing in a password (something you know), and then entering a synchronous dynamic password from a token (something you have)

Device Authentication

• Users can register their devices
• SecureAuth Identity provider (IdP)
• 802.1x

Implementing Identity Management

• Single sign on
  • Centralized access control
  • Allows a subject to be authenticated once on a system and to have access to multiple resources without authenticating again
• LDAP and centralized access control
  • Directory service
• LDAP and PKIs
  • LDAP and centralized access control systems can be used to support single sign on capabilities
• Kerberos
  • Key distribution center
    • KDC
    • Trusted third party that provides authentication services
  • Kerberos authentication server
    • Authentication service verifies or rejects the authenticity and timeliness of tickets
    • KDC
  • Ticket granting ticket
    • TGT
    • Provides proof that a subject has authenticated through a KDC and is authorized to request tickets to access other objects
  • Ticket
    • Encrypted message that provides proof that a subject is authorized to access an object
    • Sometimes called a Service Ticket (ST)
  • Know these processes
  • The Kerberos login process
    1. User types a username and password into a client
    2. The client encrypts the username with AES for transmission to the KDC
    3. The KDC verifies the username against a database of known credentials
    4. The KDC generates a symmetric key that will be used by the client and the Kerberos server, encrypts it with a hash of the user’s password, and generates a time-stamped TGT
    5. The KDC transmits the encrypted symmetric key and the encrypted time-stamped TGT to the client
    6. The client installs the TGT for use until it expires and decrypts the symmetric key using a has of the user’s password
  • The Kerberos ticket request steps
    1. The client sends its TGT back to the KDC with a request for access to the resource
    2. The KDC verifies that the TGT is valid and checks its access control matrix to verify that the user has sufficient privileges to access the requested resource
    3. The KDC generates a service ticket and sends it to the client
    4. The client sends the ticket to the server or service hosting the resource
    5. The server or service hosting the resource verifies the validity of the ticket with the KDC
    6. Once identity and authorization is verified, Kerberos activity is complete, and a session is opened

Federated Identity Management and SSO

• Single sign on
  • AKA SSO
• Security Assertion Markup Language
  • SAML
  • An XML-based language that is commonly used to exchange authentication and authorization (AA) information between federated organizations
• OAuth 2.0
  • Open standard used for access delegation
• Scripted access
  • Automated process to transmit logon credentials at the start of a logon session
• Credential management system
  • Storage space for suers to keep their credentials when SSO isn’t available
• Integrating identity services
  • IDaaS
    • Identity as a service
    • A third party service that provides identity and access management
• AAA Protocols
  • Identification
  • Authentication
  • Authorization
  • Accountability
• RADIUS
  • Remote authentication dial in service
  • Centralizes authentication for remote connections
• TACACS+
  • Terminal access control access control system
  • An alternative to RADIUS
  • + includes moving AAA services into separate processes, encrypting authentication information
  • RADIUS only encrypts password
• Diameter
  • An enhanced version of RADIUS

Managing the Identity and Access Provisioning Lifecycle

• Refers to the creation, management, and deletion of accounts
• Provisioning
  • Creation of new accounts and provisioning them with appropriate privileges
  • Initial creation is called enrollment or registration
  • Should include a background check
  • Many organizations use automated provisioning systems
• Account review
  • Periodically ensure that security policies are being enforced
  • Check for inactive accounts
  • Excessive privilege
    • When users have more privileges than their assigned work tasks dictate
  • Creeping privileges
    • A user account accumulating privileges over time as job roles and assigned tasks change
  • Excessive and creeping privileges violate the principle of least privilege
• Account revocation
  • Disable user accounts as soon as possible when employees leave the organization
  • HR personnel should have the ability to perform this task

Chapter 12 gets into implementing secure communications channels according to design for voice, multimedia, remote access, data communications, and virtualized networks.

Last summer I spent about a month studying for and getting my Certified Information Systems Security Professional (CISSP) certification from ISC2. I went about studying for the test a few ways:

• I used the PocketPrep app
• I attended a study bootcamp
• I did a bunch of practice tests

And finally…

• I got the ISC2 CISSP official study guide - I read it cover to cover, and highlighted and annotated the entire thing.

Twitter (@MrThomasRayner) told me there is interest in seeing my study notes. So, here we go! Welcome to my 21 part series on the takeaways and crucial points from each chapter in the ISC2 CISSP official study guide. To be clear, this isn’t a replacement for all those other study methods I mentioned above. This is just a supplement. This also isn’t everything you need to know for the test. This is just what I feel are the most important points.

It’s important to remember that while many of these terms and phrases have different meanings in different contexts, the definitions I’m providing below are the ones that are relevant in the CISSP exam. Your own training or experience may tell you that a definition is incorrect or invalid, but if you want to get the exam questions right, you’ll have to know them as they’re defined in the books and study material.

The CISSP exam is often said to be “a mile wide but only an inch deep” which means you need to know a little bit about a lot of stuff. Accordingly, these posts contain a lot of points and while you might not be questioned on all of them, you could be questioned on any of them. It’s important to have a good grip on every chapter in its entirety.

Previous Chapters

• Chapter 1: Security Governance Through Principles and Policies
• Chapter 2: Personnel Security and Risk Management Concepts
• Chapter 3: Business Continuity Planning
• Chapter 4: Laws, Regulations, and Compliance
• Chapter 5: Protecting Security of Assets
• Chapter 6: Cryptography and Symmetric Key Algorithms
• Chapter 7: PKI and Cryptographic Applications
• Chapter 8: Principles of Security, Models, Design, and Capabilities
• Chapter 9: Security Vulnerabilities, Threats, and Countermeasures
• Chapter 10: Physical Security Requirements
• Chapter 11: Secure Network Architecture and Securing Network Components

Chapter 12: Secure Communications and Network Attacks

My key takeaways and crucial points

Secure Communications Protocols

• IPSec
  • VPNs
  • Either transport or tunnel mode
• Kerberos
  • Single sign on solution for users and provides protection for logon credentials
• SSH
  • End to end encryption
• Signal Protocol
  • End to end encryption for voice communications, videoconferencing, and text message services
• Secure Sockets Layer - SSL
  • Session oriented protocol that provides confidentiality and integrity
  • Superseded by TLS

Authentication Protocols

• Challenge Handshape Authentication Protocol (CHAP)
  • Encrypts usernames and passwords
• Password Authentication Protocol (PAP)
  • Transmits usernames and passwords in cleartext
• Extensible Authentication Protocol (EAP)
  • Customized authentication security solutions
• Protected Extensible Authentication Protocol (PEAP)
  • Encapsulates EAP in a TLS tunnel

Voice over Internet Protocol (VOIP)

• VOIP
  • Encapsulates audio into IP packets to support telephone calls over TCP/IP
• Vishing is VoIP phishing

Social Engineering

• Social engineering - The means by which an unauthorized person gains access or the trust of someone inside your organization
• Always err on the side of caution
• Always request proof of identity
• Require callback authorization on voice-only requests
• Classify information properly
• Have a company security policy that is known by employees
• Offer secure disposal or destruction for sensitive materials

Fraud and Abuse

• Phreakers - Attack phone systems like attackers abuse computer networks
• Restrict dial in and dial out features
• Define an acceptable use policy
• Deploy Direct Inward System Access (DISA)
• Telephone attack tools
  • Black boxes
    • Manipulate line voltages to steal long distance services
  • Red boxes
    • Simulate tones of coins being deposited into a pay phone
    • Just a tape recorder
  • Blue boxes
    • Simulate 2600 Hz tones to interact directly with telephone network trunk systems
  • White boxes
    • Control the phone system with a keypad

Manage Email Security

• X.400 standard for addressing and message handling
• Sendmail is most common SMTP for Unix systems
• Exchange is most common SMTP for Windows systems
• Avoid turning SMTP server into an open relay
  • SMTP server that does not authenticate senders
• Email security goals
  • Nonrepudiation
  • Privacy, confidentiality
  • Message integrity
  • Classify sensitive content
• Email security issues
  • Often plaintext
  • Common delivery mechanism for viruses
  • Spoofing source addresses is simple
  • Denial of service attacks
• Email security solutions
  • Secure Multipurpose Internet Mail Extensions (S/MIME)
    • X.509 certificates
  • Pretty Good Privacy (PGP)
    • Independently developed
  • Opportunistic TLS
• Fax security
  • Fax encryption, link encryption, activity logs, exception reports
  • Disable automatic printing

Remote Access Security Management

• Scraping
  • Automated tool interacts with a human interface
• Authentication protection matters
  • PAP, CHAP, EAP, PEAP, RADIUS, TACAS+
• Use callback and caller ID
• Dial Up Protocols
  • Point to Point Protocol (PPP)
    • Full-duplex
  • Serial Line Internet Protocol (SLIP)
    • Older technology
• Centralized remote authentication services
  • Remote Authentication Dial In User Service (RADIUS)
    • Centralizes authentication of remote connections
  • Terminal Access Controller Access-Control System (TACACS+)
    • Improves XTACACS by adding two factor authentication
    • Not backwards compatible

Virtual Private Network

• VPN is a communication tunnel
• Tunneling
  • Network communications process that protects the contents of protocol packets by encapsulating them in packets of another protocol
  • Can be used if the primary protocol is not routable
• Can connect two individual systems, or two entire networks
• Common Protocols
  • PPTP, L2F, L2TP operate on data link layer
  • PPTP, IPSec are limited for use on IP networks
• Point to Point Tunneling Protocol (PPTP)
  • Initial tunnel negotiation process is not encrypted
• Layer 2 Forwarding Protocol (L2F) & Layer 2 Tunneling Protocol (L2TP)
  • Cisco proprietary
  • Not encrypted (L2F)
  • L2TP combines elements from PPTP and L2F, supports TACACS+ and RADIUS
• IP Security Protocol
  • Authentication Header (AH)
    • Provides authentication, integrity, nonrepudiation
  • Encapsulating Security Payload (ESP)
    • Provides encryption to protect the confidentiality of transmitted data, but can also perform limited authentication
    • In tunnel mode, the entire IP packet is encrypted

Virtual LAN

• Hardware imposed network segmentation, created by switches
• Used for traffic management
• Used to isolate traffic between network segments
• Deny by default, allow by exception
• Broadcast storm - A flood of unwanted Ethernet broadcast network traffic

Virtualization

• Indistinguishable from traditional servers and services from a user’s perspective
• Virtual Software
  • Virtual applications/Containers are software products deployed in a way that it is fooled into believing it is interacting with a full host OS
• Virtual Networking
  • Software defined networking (SDN)
  • Effectively network virtualization

Network Address Translation

• Private IP addresses are defined in RFC 1918
• Most networks employ NAT
• Private IP Addresses
  • 10.0.0.0 - 10.255.255.255 (Class A range)
  • 172.16.0.0 - 182.31.255.255 (Class B range)
  • 192.168.0.0 - 192.168.255.255 (Class C range)
• Stateful NAT
  • Maintains a mapping between requests made by internal clients, a client’s internal IP address, and the IP address of the internet service contacted
  • Maintains information about the communication sessions between clients and external systems
• Static NAT
  • Specific internal client IP addresses are assigned in a permanent mapping
• Dynamic NAT
  • Multiple internal clients access to a few leased public IPs
• Not directly compatible with IPSec, but there are versions that do work

Automatic Private IP Addressing

• Automatic Private IP Addressing (APIPA)
  • If DHCP fails to assign an address, this Windows feature assigns an address between 162.254.0.1 to 169.254.255.254, and a class B subnet mask
• You should be able to convert a 32 bit binary number to a single decimal number
• RFC 1918 covers loopback addresses
  • 127.x.x.x
  • Usually only 127.0.0.1 is used

Circuit Switching

• Dedicated physical pathway
• Pathway is permanent throughout a single conversation

Packet Switching

• When the message or communication is broken up into small segments and sent across intermediary networks to the destination
• Does not enforce exclusivity of communication pathways
• Circuit switching vs Packet switching

Virtual Circuits

• Private Virtual Circuits are like a dedicated leased line
  • Like a two way radio, or walkie talkie
• Switched Virtual Circuits are like dial up connections because a virtual circuit has to be created using best paths available before it can be used
  • More like shortwave, or ham radio

WAN Technologies

• Dedicated line is also known as leased line or point to point link
• Nondedicated line requires a connection to be established before data transmission can occur
• X25 WAN Connections
  • Predecessor to Frame Relay
• Frame Relay
  • Supports multiple PVCs over a single WAN carrier service connection
  • Committed information rate - guaranteed min bandwidth a customer receives
  • Requires a DTE/DCE at each connection point
• ATM
  • Asynchronous Transfer Mode
  • Fragments communications into fixed length 53 byte cells
  • Very efficient, high throughput
• Synchronous Digital Hierarchy and Synchronous Optical Network
  • SDH and SONET
  • Fiber optic high speed networking standards

Miscellaneous Security Control Characteristics

• Transparency
  • The characteristic of a service, control, or access mechanism that ensures that it is unseen by users
• Verify integrity
  • Uses a checksum, called a hash total
• Transmission mechanisms
  • Error correction
  • Retransmission

Security Boundaries

• A line of intersection between any two areas, subnets, or environments that have different security requirements or needs
• Exist between physical environment and logical environment
• Ex: A perimeter between a protected area and an unprotected one

Prevent or Mitigate Network Attacks

• DoS and DDoS
  • Resource consumption attacks
  • Two types
    • Exploiting vulnerability in hardware or software
    • Flood the victim’s communication pipeline
  • Attackers may use bots (aka zombies, agents) onto unwitting systems and use them to participate in traffic flooding
  • Collections of bots are called botnets
• Eavesdropping
  • Listening to communication traffic
• Impersonation/Masquerading
  • Pretending to be someone or something you are not, in order to gain unauthorized access to a system
  • Different from spoofing, where an entity puts forth a false identity but without any proof
• Replay attacks
  • Replaying captured traffic against a system
• Modification attacks
  • Captured packets are altered
• Address Resolution Protocol Spoofing
  • Provides false MAC addresses for requested IP address
  • Facilitates man in the middle attacks
• DNS poisoning, spoofing, hijacking
  • Poisoning and spoofing are known as resolution attacks - when an attacker alters the domain name to IP address mappings to redirect traffic to a rogue system
  • Homograph attacks - Register phony international domain names, letters in Cyrillic
• Hyperlink spoofing
  • Used to redirect traffic to a rogue system, or simply to divert traffic away from it’s intended destination
  • Alteration of hyperlink URLs in HTML code
• Related to phishing is pretexting, where one obtains personal information under false pretenses

Chapter 11 goes over a lot of networking topics including the OSI and TCP/IP models, IP networking, multilayer protocols, converged protocols, software-defined networks, wireless networks, and a whole bunch of hardware items.

Last summer I spent about a month studying for and getting my Certified Information Systems Security Professional (CISSP) certification from ISC2. I went about studying for the test a few ways:

• I used the PocketPrep app
• I attended a study bootcamp
• I did a bunch of practice tests

And finally…

• I got the ISC2 CISSP official study guide - I read it cover to cover, and highlighted and annotated the entire thing.

Twitter (@MrThomasRayner) told me there is interest in seeing my study notes. So, here we go! Welcome to my 21 part series on the takeaways and crucial points from each chapter in the ISC2 CISSP official study guide. To be clear, this isn’t a replacement for all those other study methods I mentioned above. This is just a supplement. This also isn’t everything you need to know for the test. This is just what I feel are the most important points.

It’s important to remember that while many of these terms and phrases have different meanings in different contexts, the definitions I’m providing below are the ones that are relevant in the CISSP exam. Your own training or experience may tell you that a definition is incorrect or invalid, but if you want to get the exam questions right, you’ll have to know them as they’re defined in the books and study material.

The CISSP exam is often said to be “a mile wide but only an inch deep” which means you need to know a little bit about a lot of stuff. Accordingly, these posts contain a lot of points and while you might not be questioned on all of them, you could be questioned on any of them. It’s important to have a good grip on every chapter in its entirety.

Previous Chapters

• Chapter 1: Security Governance Through Principles and Policies
• Chapter 2: Personnel Security and Risk Management Concepts
• Chapter 3: Business Continuity Planning
• Chapter 4: Laws, Regulations, and Compliance
• Chapter 5: Protecting Security of Assets
• Chapter 6: Cryptography and Symmetric Key Algorithms
• Chapter 7: PKI and Cryptographic Applications
• Chapter 8: Principles of Security, Models, Design, and Capabilities
• Chapter 9: Security Vulnerabilities, Threats, and Countermeasures
• Chapter 10: Physical Security Requirements

Chapter 11: Secure Network Architecture and Securing Network Components

My key takeaways and crucial points

OSI Model

• Know the different levels of the OSI model in order
  • Application (7)
  • Presentation
  • Session
  • Transport
  • Network
  • Data Link
  • Physical (1)
  • Come up with a pneumonic device to remember them if you have to - All People Seem To Need Data Processing, for instance
• Encapsulation/Deencapsulation - The addition of a header and maybe a footer to the data received by each layer from the layer above it before it’s handed off to the layer below, and then the subsequent removal of those headers and footers and the received data flows back up the OSI model on the other end.
• Pieces of data have different names at different points in the OSI model
  • Protocol data unit - PDU. Application, presentation, session layer data units.
  • Segment or datagram - Transport layer data units.
  • Packet - Network layer.
  • Frame - Data link layer.
  • Bits - Physical layer.

Physical Layer

• Converts the frame into bits for transmission over the physical connection medium

Data Link Layer

• Formatting the packet from the network layer into the proper format for transmission
• Ethernet - 802.3
• Asynchronous Transfer Mode - ATM
• Fiber Distributed Data Interface - FDDI
• Address Resolution Protocol - ARP - Used to resolve IP addresses into MAC addresses
• Layer 2 Tunneling Protocol - L2TP
• Media Access Control address - MAC address, 48 bit binary address that identifies a device
  • First 3 bytes of the address denotes the vendor or manufacturer of the physical network interface
• Data link layer has two sub-layers
  • Logical Link Control - LLC
  • MAC

Network Layer

• Adding routing and addressing information to data
• Internet Group management Protocol (IGMP) - Multicast protocol
• The three most recognized non-IP protocols are IPX, AppleTalk, and NetBEUI
• Routers and bridge routers function at layer 3
• Routing protocols
  • Distance vector - keep a list of destination networks along with metrics of direction and distance measured in hops
  • Link state - keep a topography map of all connected networks and use this map to determine the shortest path to a destination network

Transport Layer

• Manages the integrity of a connection and controls the session
• Transmission Control Protocol - TCP
• User Datagram Protocol - UDP
• Secure Sockets Layer - SSL
• Transport Layer Security - TLS

Session Layer

• Establishes, maintains, terminates communication sessions between two computers
• Network File System - NFS
• Structured Query language - SQL
• Remote Procedure Call - RPC
• Simplex - One way communication
• Half-Duplex - Two way communication, one direction at a time
• Full-Duplex - Two way communication, two directions at the same time

Presentation Layer

• Transforms data from the application layer into a format that any system using the OSI model can understand
• Images, video, sound, ASCII, JPEG, etc.

Application Layer

• Interfacing user applications, network services, or the OS with the protocol stack
• The application is not located at this layer

TCP/IP Model

• AKA the DARPA or DOD model
• Only has four layers
  • Application - aka Process, maps to OSI Application, Presentation, Session layers
  • Transport - aka Host-To-Host, maps to OSI Transport layer
  • Internet - aka Internetworking, maps to OSI Network layer
  • Link - aka Network Access, maps to OSI Data Link, Physical layers
• Can be secured using VPN - virtual private network
  • L2TP, SSH, SSL/TLS VPNs, IPSec
  • TCP wrappers - Applications that can serve as a basic firewall by restricting access to ports and resources based on user IDs or system IDs

Transport Layer Protocols

• Ports 0 through 65535
  • Well known ports: 0 - 1023
  • Registered ports: 1024 - 49151
  • Random, dynamic, ephemeral ports: 49152 - 65535
• Transport Control Protocol - TCP
  • Connection oriented
  • Reliable sessions
  • Handshake process
    • Client sends a SYN packet to server
    • Server responds with SYN/ACK to client
    • Client responds with ACK to server
  • Uses FIN packets to terminate connections
  • Uses ACK packets to confirm that data has been received
  • Uses RST packets to forcibly close connections
  • Uses a graceful 4 packet teardown
    • Each side sends a FIN
    • Each side ACKs the FIN sent by the other
  • IP protocol header field value for TCP is 6
• User Datagram Protocol - UDP
  • Connectionless, best effort
  • Considered unreliable

Network Layer Protocols and IP Networking Basics

• IP provides route addressing for data packets, provides a means of identity and prescribes transmission paths
• IPv4 vs IPv6 - v4 uses 32 bit addresses, v6 uses 128 bits
• IP classes

• Class A network starting with 127 is set aside for loopback address
• Classless Inter-Domain Routing - CIDR, represents subnet mask as a slash and the number of mask bits instead of the full dotted-decimal mask notation
• Internet Message Control Protocol - ICMP
  • Used to determine the health of a network or link
  • Denial of service - DOS, a type of attack sometimes associated with ICMP - specifically ping of death, smurf attacks, and ping floods
  • ICMP type field values
    • 0 - Echo reply
    • 3 - Destination unreachable
    • 11 - Time exceeded
• Internet Group Management Protocol - IGMP, allows systems to support multicasting
• Address Resolution Protocol - ARP, used to resolve IP addresses into MAC addresses
  • Uses caching and broadcasting

Common Application Layer Protocols

• Telnet - TCP port 23, terminal emulation
• File Transfer Protocol - FTP TCP port 20 (passive data) and 21 (control connection) for exchanging files
• Trivial File Transfer Protocol - TCP TFTP port 69
• Simple Mail Transfer Protocol - SMTP TCP port 25, for transmitting email messages
  • POP3, TCP port 110
  • IMAP, TCP port 143
• Dynamic Host Configuration Protocol - DHCP UDP port 67 & 68, used to assign IP addresses and configuration settings to systems on bootup
• Hypertext Transfer Protocol - HTTP TCP port 80, used to transmit web page elements
• Secure Sockets Layer - SSL TCP port 443, adds a security protocol at the Transport layer to HTTP (making it HTTPS)
• Line Print Daemon - LPD TCP port 515, spool print jobs
• X Window - TCP port 6000-6063, GUI API for CLI OS
• Network File System - NFS TCP port 2049
• Simple Network Management Protocol - SNMP UDP port 161, port 162 for trap messages, network service to collect network health and status information
• DNS port 53
• Kerberos port 88
• L2TP port 1701
• PPTP port 1723
• RDP port 3389
• TCP/IP is considered a multilayer protocol because it is made up of many different protocols spread across multiple layers of the stack

DNP3

• Distributed Network Protocol is primarily used in electric and water utility management industries
• Used with SCADA

TCP/IP Vulnerabilities

• SYN flood attacks
• Spoofing
• Man in the middle
• Hijack
• Packet Sniffing - Capturing packets from the network in hopes of extracting useful information from the contents of the packet

Domain Name System (DNS)

• Top level domain - TLD, the .ca in www.thomasrayner.ca
• Registered domain name - The thomasrayner in www.thomasrayner.ca
• Subdomain or hostname - The www in www.thomasrayner.ca
• Primary authoritative name server - Hosts the original zone file for the domain
• Secondary authoritative name server - Used to host read-only copies of the zone file
• Zone file - Collection of resource records or details about the specific domain
• DNSSEC provides reliable authentication between devices during DNS operations
• DNS Poisoning - Falsifying the DNS information used by a client to reach a desired system
  • Involves attacking the real DNS server and placing incorrect information into its zone file
• Rogue DNS server - AKA DNS Spoofing, Pharming
• Pharming - malicious redirection of a valid website’s URL or IP address to a fake website that hosts a false version of the original valid site
• Domain hijacking - Changing the registration of a domain name without the authorization of the valid owner

Converged Protocols

• Converged Protocols - Merging of specialty protocols with standard protocols
• Fiber Channel over Ethernet - FCoE, for Storage Area Networks, or Network Attached Storage
• Multiprotocol Label Switching - MPLS, Directs data across a network based on short path labels rather than longer network addresses
• Internet Small Computer System Interface - iSCSI, Enables location independent file storage, transmission and retrieval over networks, low cost alternative to Fiber Channel
• Voice over IP - VoIP, Transports voice and/or data over a TCP/IP network
• Software Defined Networking - SDN, Complexities of a traditional network often forces an organization to stick with a single device vendor, so SDN offers a net network design that is programmable from a central location

Content Distribution Networks

• Content Distribution Networks - CDNs, a collection of resource services deployed in numerous data centers across the internet in order to provide low latency, high performance, and high availability of the hosted content

Wireless Networks

• Data emanation - Transmission of data across electromagnetic signals
• Emanations occur whenever electrons move

Securing Wireless Access Points

• Wireless cells - Areas within a physical environment where a wireless device can connect to an access point
• 802.11 is the IEEE standard for wireless network communications
  • 802.11i - Security standard
• Ad hoc mode - Any two wireless devices can communicate without centralized control authority
  • Infrastructure mode requires a wireless access point
• Stand alone mode - When there is a wireless access point connecting clients to each other but not to any wired resources
• Wired extension mode - When access points act as a connection point to wired networks
• Service Set Identifier - SSID, the name of a wireless network when a WAP is used
• Channels - Subdivisions of wireless frequencies

Securing the SSID

• SSID is broadcast by the WAP using beacon frames
• Hiding the SSID is not true security, because it is easily discoverable
• Site survey - The process of investigating the presence, strength, and reach of WAPs deployed

WEP

• Wired Equivalent Privacy - WEP
• Uses a predefined shared secret key
• Key is static and shared among all WAPs and devices
• Was cracked almost as soon as it was released
• Uses Rivest Cipher 4 (RC4)
• Weaknesses: static common key, and poor implementation of IVs (initiation vectors)

WPA

• WiFi Protected Access - WPA
• RSN - Robust Secure Network
• Based on LEAP and Temporal Key Integrity Protocol (TKIP)
• Use of a single static passphrase is the downfall of WPA
• LEAP and TKIP encryption options are now crackable

WPA2

• Full 802.11i implementation
• Based on AES encryption

802.1X/EAP

• Standard port-based network access control, ensures that clients cannot communicate until proper authentication has taken place
• Uses RADIUS or TACAVS, certs, smart cards, etc.
• Extensible Authentication Protocol - EAP, not a specific mechanism of authentication

PEAP

• Protected Extensible Authentication Protocol
• EAP methods within a TLS tunnel

LEAP

• Lightweight EAP
• Cisco proprietary
• Should be avoided when possible

MAC Filter

• A list of authorized wireless client interface MAC addresses
• Blocks access to nonauthorized devices

TKIP

• Temporal Key Integrity Protocol
• Improvements include key-mixing function that combines with the initialization vector with the secret root key before using RC4 to perform encryption
• Prevents replay attacks

Antenna Types

• Omnidirectional - Can send and receive signals in all directions
• Directional - Can send and receive in only one direction

WPS

• WiFi Protected Setup
• Simplifies the effort involved with adding new clients to a well secured wireless network
• Generally recommended to leave this turned off

Captive Portals

• An authentication technique that redirects a newly connected wireless client to a portal access control page

General WiFi Security Procedure

• Treat wireless as remote access
• Treat wireless as external access

Wireless Attacks

• War driving - Looking for wireless networks they aren’t authorized to access
• War chalking - Physically marking an area with information about the presence of a wireless network
• Replay - Retransmission of captured communications
• IV - Initialization vector, a mathematical and crypto term for a random number, becomes a point of weakness when it’s too short, exchanged in plaintext, or selected improperly
• Rogue access points - May be planted by an employee for convenience, or by an attacker
• Evil twin - When a hacker operates a false access point that will automatically clone an access point based on a client’s request to connect
  • Eavesdrops on the wireless signal for reconnect requests and spoofs it’s identity and offers a plaintext connection to the client

Secure Network Components

• Intranet - Private network, internal
• Extranet - Cross between internet and intranet
• Demilitarized zone - DMZ, extranet for public consumption
• Network access control - Controlling access to an environment
  • Prevent/reduce zero day attacks
  • Enforce security policy
  • Use identities to perform access control
• Firewalls filter traffic
  • Most effective against unrequested traffic and attempts to connect from outside the private network
  • Typically block viruses or malicious code
  • Static packet filtering firewalls filter traffic by examining message headers
  • Application gateway level firewalls are also called proxies, and are mechanisms that copy packets from one network to another
  • Circuit level gateway firewalls establish communication sessions between trusted partners
  • Stateful inspection firewalls, aka dynamic packet filtering, evaluate the state or the context of network traffic
  • Deep packet inspection firewalls filter the payload contents of a communication rather than only basing filtering on header values
  • Next gen firewalls are also composed of intrusion prevention systems, proxies, quality of service management, and more
  • Multihomed firewalls have at least two interfaces to filter traffic between two networks

Endpoint Security

• Each individual device must maintain local security
• Collision domain - A group of networked systems, and two or more systems may transmit simultaneously
• Broadcast domain - A group of networked systems, and all members receive a broadcast signal when one member transmits it
• Repeaters, concentrators, and amplifiers strengthen communication signals
• Hubs are multiport repeaters
• Modems are used for accessing the PSTN (publicly switched telephone network)
• Bridges connect two networks together
• Switches are intelligent hubs that know the addresses of systems connected to each outbound port
  • Can implement VLANs
• Routers control traffic flow on networks
• Brouters are combinations of routers and bridges, and connect systems using the same protocols
• Gateways connect networks that are using different network protocols
• Proxies are a form of gateway that does not translate across protocols

Cabling, Wireless, Topology, Communications, and Transmission Media Technology

• Coaxial cable
  • 10Base2 aka thinnet spans distances up to 185 meters and provides up to 10 Mbps
  • 10Base5 aka thicknet spans up to 500 meters and provides 10 Mbps
• Broadband and baseband
  • Baseband cables can only transmit a single signal at a time
  • Broadband cables can transmit multiple signals simultaneously
• Twisted pair
  • STP (shielded)
  • UTP (unshielded)
  • Crosstalk occurs when data transmitted over one set of wires is picked up by another set of wires due to radiating electromagnetic fields produced by the electrical current
  • Cat 5 - 100 Mbps
  • Cat 6 - 1000 Mbps
  • Cat 5e is enhanced Cat 5 designed to protect against crosstalk
• Plenum cable is sheathed with special material that does not release toxic fumes when burned, must be used to comply with building codes

Network Topologies

• Ring - Each system is a point on a circle
• Bus - Trunk or backbone, linear or a tree
• Star - Centralized connection device
• Mesh - Using numerous paths to connect each system to all other systems

General Wireless Concepts

• Spread spectrum means communication occurs over multiple frequencies
• Orthogonal frequency division multiplexing
  • Modulated signals are perpendicular and thus do not cause interference with each other
  • Ultimately OFDM requires a smaller frequency set but offers greater data throughput
• Bluetooth (802.15)
  • Personal area network (PAN)
  • 2.4 GHz frequencies
  • Bluejacking - Allows an attacker to transmit short messages to your device
  • Bluesnarfing - Allows hackers to connect with your devices without your knowledge
  • Bluebugging - Remote control over the feature and functions of a Bluetooth device
  • Typically a range of 30 - 100 feet
• RFID
  • Radio frequency identification
  • Current generated in an antenna when placed in a magnetic field
• NFC
  • Near field communication
  • Derivative of RFID
• Mobile devices
  • Keep nonessential information off portable devices
  • Keep systems locked and encrypted when possible

LAN Technologies

• Ethernet - Shared media LAN technology
  • IEEE 802.3
  • Individual units of Ethernet data are called Frames
• Token Ring - Token passing mechanism to control which system scan transmit data over the network medium
• Fiber distributed data interface - FDDI, high speed token passing technology. Copper Distributed Data Interface uses twisted pair cables.
• Digital signals are more reliable than analog signals over long distances or when interference is present
• Synchronous communications - Rely on timing or clocking mechanisms
• Asynchronous communications - Rely on a stop and start delimiter bit
• Broadcast - Communication to all recipients
• Multicast - Communication to multiple specific recipients
• Unicast - Communication to one specific recipient
• Carrier sense multiple access with collision avoidance - CSMA
  • Performs collision avoidance on LAN media access technologies
  • CA mode is used on 802.11 wireless networks and AppleTalk, attempts to avoid collisions by granting only a single permission to communicate at a time
  • CD mode is used by Ethernet networks and responds to collisions by having each member of a collision domain wait for a short but random period of time before starting over

Chapter 10 covers implementing site and facility security controls, designing sites and facilities, and generally protecting things from physical threats.

Last summer I spent about a month studying for and getting my Certified Information Systems Security Professional (CISSP) certification from ISC2. I went about studying for the test a few ways:

• I used the PocketPrep app
• I attended a study bootcamp
• I did a bunch of practice tests

And finally…

• I got the ISC2 CISSP official study guide - I read it cover to cover, and highlighted and annotated the entire thing.

Twitter (@MrThomasRayner) told me there is interest in seeing my study notes. So, here we go! Welcome to my 21 part series on the takeaways and crucial points from each chapter in the ISC2 CISSP official study guide. To be clear, this isn’t a replacement for all those other study methods I mentioned above. This is just a supplement. This also isn’t everything you need to know for the test. This is just what I feel are the most important points.

It’s important to remember that while many of these terms and phrases have different meanings in different contexts, the definitions I’m providing below are the ones that are relevant in the CISSP exam. Your own training or experience may tell you that a definition is incorrect or invalid, but if you want to get the exam questions right, you’ll have to know them as they’re defined in the books and study material.

The CISSP exam is often said to be “a mile wide but only an inch deep” which means you need to know a little bit about a lot of stuff. Accordingly, these posts contain a lot of points and while you might not be questioned on all of them, you could be questioned on any of them. It’s important to have a good grip on every chapter in its entirety.

Previous Chapters

• Chapter 1: Security Governance Through Principles and Policies
• Chapter 2: Personnel Security and Risk Management Concepts
• Chapter 3: Business Continuity Planning
• Chapter 4: Laws, Regulations, and Compliance
• Chapter 5: Protecting Security of Assets
• Chapter 6: Cryptography and Symmetric Key Algorithms
• Chapter 7: PKI and Cryptographic Applications
• Chapter 8: Principles of Security, Models, Design, and Capabilities
• Chapter 9: Security Vulnerabilities, Threats, and Countermeasures

Chapter 10: Physical Security Requirements

My key takeaways and crucial points

Apply Security Principles to Site and Facility Design

• Secure facility plan - Outlines the security needs of your organization and emphasizes methods or mechanisms to employ to provide security
• Critical path analysis - Identifying relationships between mission-critical applications, processes, and operations
• Technology convergence - The tendency for various technologies, solutions, utilities, and systems to evolve and merge over time

Site Selection

• Visibility - Where are the closest emergency services located? Are there unique hazards? Locations of security cameras.
• Natural disasters
• Facilities design - Crime Prevention through Environmental Design (CPTED)

Implement Site and Facility Security Controls

• Administrative physical security controls - Include facility construction and selection, personnel controls, awareness training, emergency response
• Technical physical security controls - Include access controls, intrusion detection, alarms, monitoring, heating, ventilation, HVAC, power supplies, fire detection and suppression
• Physical physical security controls - Includes fences, lighting, locks, mantraps, dogs, guards
• Functional order controls should be used:
  1. Deterrence - Boundary restrictions
  2. Denial - Locked vault doors
  3. Detection - Using motion detectors
  4. Delay - Cable lock on a laptop

Equipment failure

• Service level agreements (SLA) - Defines vendor response time
• Mean time to failure (MTTF) - Expected typical functional lifetime of the device
• Mean time to repair (MTTR) - The average length of time required to perform a repair
• Mean time between failures (MTBF) - Estimation of the time between the first and any subsequent failures

Wiring Closets

• An element of cable plant management policy
• Entrance facility - aka demarcation point, where the cable enters the building
• Equipment room - Main wiring closet
• Backbone distribution system - Between equipment room and telecommunication rooms
• Telecommunications room - Serves the connection needs of a floor or a section of a large building
• Horizontal distribution system - Between the telecommunication room and work areas

Server Room

• The more human incompatible a server room is, the more protection it offers against casual and determined attacks
• Walls should have one-hour minimum fire rating
• Datacenter could be a single tenant or multitenant
• Smartcards - Credit-card-sized, IDs, badges, security passes with an embedded magnetic strip, bar code, or integrated circuit chip
• Memory cards - Machine-readable ID cards with a magnetic strip
• Proximity reader - Passive device, a field-powered device, or a transponder
• Passive device - Like antitheft devices found in DVDs
• Intrusion detection system - Systems designed to detect a breach or attack
• Masquerading - Using someone else’s security ID to gain entry into facilities
• Piggybacking - Following someone through a secured gate or doorway without being identified or authorized personally
• Emanation - Electromagnetic signals or radiation that can be intercepted by unauthorized individuals
• Faraday cage - An area designed with an external metal skin that surrounds the area on all sides and blocks electromagnetic interference (EMI)
• White noise - Random sounds, signal, or process that can drown out meaningful information
• Control zone - is an implementation of a Faraday cage or white noise generator or both to protect a specific area

Media storage facilities

• Data remnants - The remaining data elements left on a storage device after a standard deletion or formatting
• Have a librarian or custodian
• Implement drive sanitization or zeroization
• Verify data integrity with hash-based integrity checks
• Limit storage access, especially to evidence

Restricted and work area security

• Shoulder surfing - Gathering information from a system by observing the monitor or the use of the keyboard by the operator
• Sensitive Compartmented Information Facility (SCIF)

Utilities and HVAC Considerations

• Uninterruptible power supply - UPS. A type of self-charging battery that can be used to supply consistent clean power
• Line interactive UPS have surge protectors, voltage regulators
• Fault - Momentary loss of power
• Blackout - A complete loss of power
• Sag - Momentary low voltage
• Brownout - Prolonged low voltage
• Spike - Momentary high voltage
• Surge - Prolonged high voltage
• Inrush - Initial surge of power associated with connecting to a power source
• Noise - A steady interfering power disturbance or fluctuation
  • EMI - electromagnetic interference has two types
    • Common mode noise is generated by a difference in power between the hot and ground wires
    • Traverse mode noise is generated by a difference in power between the hot and neutral wires
  • Radio frequency interference - RFI, electrical appliances generate RFI like fluorescent lights
• Transient - A short duration of line noise
• Clean - Nonfluctuating pure power
• Ground - The wire in an electrical circuit that is grounded

Temperature, Humidity, and Static

• Humidity in a computer room should be maintained between 40-60%
• 1500 volts causes destruction of data stored on hard drives

Water Issues (e.g., Leakage, Flooding)

• Water and electricity don’t mix

This is seriously the only thing I have highlighted in this three paragraph section of the book

Fire Prevention, Detection, and Suppression

• Protecting personnel from harm should always be the most important goal of any security or protection system
• Fire extinguisher classes

• Fixed temperature detection - Triggers suppression when a specific temperature is reached
• Rate of rise detection - Triggers detection if a temperature increases at a specific speed
• Flame actuated system - Triggers suppression based on infrared energy of flames
• Smoke actuated system - Uses photoelectric or radioactive ionization sensors
• Water suppression systems
  • Wet pipe - Always full of water
  • Dry pipe - Air escapes opening a water valve
  • Deluge - A form of dry pipe that uses larger pipes
  • Preaction - Combination of dry and wet pipe, system is dry until initial stages of fire when pipes are filled with water. Water is only released after sprinkler head activation triggers are melted by heat.
    • Most appropriate water-based system for environments with both humans and computers
• Water system failures are most often caused by human error
• Gas discharge systems
  • More effective than water discharge, but shouldn’t be used where people are located
  • They deploy halon (not since it was banned), Co2, or FM-200 (halon replacement)

Implement and Manage Physical Security

• Fences 3-4 feet high deter casual trespassers
• Fences 6-7 feet high discourage most intruders except determined ones
• Fences 8 feet or more high with three strands of barbed wire deter even determined intruders
• Gates - Controlled exit and entry points in a fence
• Turnstile - Restricts movement in one direction
• Mantrap - A double set of doors that is often protected by a guard
• Perimeter protection needs lights with 2 foot-candles of power
• If a lighted area is 40 feet in diameter, poles should be 40 feet apart
  • 5 feet apart in parkades
• You need to be able to handle visitors
• Lock - A crude form of identification and authorization mechanism
• Electronic access control lock - Has an electromagnet to keep the door locked, a credential reader for authentication, and a sensor to reengage the electromagnet when the door is closed
• Local alarm systems - Must broadcast an audible alarm heard up to 400 feet away (up to 120 decibel)
• Central station system - Usually silent locally, but offsite monitoring agents are notified
• Auxiliary station - Emergency services are notified
• Closed circuit TV is not an automated detection and response system, it needs people watching it
• Human safety is always the most important factor
• Privacy means protecting personal information from discloser - NIST 800-122, GDPR
  • You are usually obliged to have physical security controls

Chapter 9 gets into assessing and mitigating the vulnerabilities of security architectures, designs, and solution elements. It also talks about assessing and mitigating vulnerabilities in web-based systems, mobile systems, and embedded devices.

Last summer I spent about a month studying for and getting my Certified Information Systems Security Professional (CISSP) certification from ISC2. I went about studying for the test a few ways:

• I used the PocketPrep app
• I attended a study bootcamp
• I did a bunch of practice tests

And finally…

• I got the ISC2 CISSP official study guide - I read it cover to cover, and highlighted and annotated the entire thing.

Twitter (@MrThomasRayner) told me there is interest in seeing my study notes. So, here we go! Welcome to my 21 part series on the takeaways and crucial points from each chapter in the ISC2 CISSP official study guide. To be clear, this isn’t a replacement for all those other study methods I mentioned above. This is just a supplement. This also isn’t everything you need to know for the test. This is just what I feel are the most important points.

It’s important to remember that while many of these terms and phrases have different meanings in different contexts, the definitions I’m providing below are the ones that are relevant in the CISSP exam. Your own training or experience may tell you that a definition is incorrect or invalid, but if you want to get the exam questions right, you’ll have to know them as they’re defined in the books and study material.

The CISSP exam is often said to be “a mile wide but only an inch deep” which means you need to know a little bit about a lot of stuff. Accordingly, these posts contain a lot of points and while you might not be questioned on all of them, you could be questioned on any of them. It’s important to have a good grip on every chapter in its entirety.

Previous Chapters

• Chapter 1: Security Governance Through Principles and Policies
• Chapter 2: Personnel Security and Risk Management Concepts
• Chapter 3: Business Continuity Planning
• Chapter 4: Laws, Regulations, and Compliance
• Chapter 5: Protecting Security of Assets
• Chapter 6: Cryptography and Symmetric Key Algorithms
• Chapter 7: PKI and Cryptographic Applications
• Chapter 8: Principles of Security, Models, Design, and Capabilities

Chapter 9: Security Vulnerabilities, Threats, and Countermeasures

My key takeaways and crucial points

Processor

• Computer architecture - Engineering discipline related to design and construction of computer systems at a logical level
• Processor - Central Processing Unit (CPU). The chip that governs all major operations and either performs or coordinates calculations that allow a computer to perform its tasks
  • Execution types:
    • Multitasking - Handling two or more tasks simultaneously
    • Multicore - A single microprocessor chip that contains independent execution cores
    • Multiprocessing - A computing system with more than one CPU uses the power of more than one processor to complete a multithreaded operation
    • Massively parallel processing - MPP. Hundreds or more processors with their own OS and resources, coordinated by software to perform in unity
    • Multiprogramming - Similar to multitasking
    • Multithreading - Multiple concurrent tasks are performed within a single process - multitasking involves multiple processes
  • Processing types:
    • Single state - Use the policy mechanisms to manage information at different levels
    • Multistate - Implement higher levels of security by using mechanisms
      • Protection rings - Organize code and components in an OS into concentric rings.
        • Deep inside ring is 0, highest level of privilege and can access anything.
        • Kernel - Part of the OS that remains resident in memory so it can be run on demand at any time. Lives in ring 0.
        • Ring 1 houses the rest of the OS
        • Ring 2 is somewhat privileged, I/O drivers and other system utilities reside
        • Applications and programs live in Ring 3
      • Process states - Aka operating states
        • Supervisor state - privileged, all access
        • Problem state - Associated with user mode where privileges are low and access requests must be checked
        • Ready - Process is ready to resume or start processing as soon as it is scheduled
        • Waiting - Process is waiting for a resource, waiting for continued execution but a device or access request is to be serviced first
        • Running - Executing on the CPU and goes until it finishes or it’s time slice expires or it is blocked
        • Supervisory - When the process must perform an action that requires privileges that are greater than the problem state’s set of privileges
        • Stopped - When a process finishes or errors out, it becomes “stopped” so the OS can recover memory and other resources
• Security modes
  • See chapter 1 for data classification
  • Dedicated mode - Single state system where each user must have a security clearance that permits access to all information on the system, and need to know for all information
  • System high mode - Each user needs a valid security clearance that covers all information on the system, but only need to know for some information
  • Compartmented mode - Same as above, but they only need approval to access some information, not all
  • Multilevel mode - Same as above, except users don’t need clearance for all information, just pursuant to it’s classification
• Operating modes
  • User mode - The basic mode a CPU uses when executing user applications
  • Privileged mode - Gives the OS access to the full range of instructions supported by the CPU

Memory

• Read-Only memory - ROM. Memory the PC can read but cannot change
• Programmable Read-Only memory - PROM. Similar to a ROM chip but can be programmed separately from manufacturing, but only once
• Erasable Programmable Read-Only memory - EPROM. Ultraviolet EPROMs can be erased with a light
• Electronically Erasable Programmable Read-Only memory - EEPROM. Electronically erasable PROM
• Flash memory - Derivative from EEPROM, can be electronically erased and rewritten, can be erased in blocks or pages
• Random Access Memory - RAM. Readable and writable memory that contains information a computer uses during processing
  • Real memory - The largest RAM storage resource available, made of dynamic RAM chips
  • Cache RAM - Caches that improve performance by taking data from slower devices and storing it temporarily in faster devices when repeated use is likely
• Registers - Limited onboard memory in a CPU
• Memory addressing
  • Register addressing - An identifier for a register
  • Intermediate addressing - A way of referring to data that is supplied to the CPU as part of an instruction
  • Direct addressing - CPU is provided with an actual address of the memory location to access
  • Indirect addressing - Similar to direct, however the address supplied doesn’t contain the actual value, it contains another memory address
  • Base+Offset addressing - Uses a value stored in one register as the base from which to begin counting, and then adds the offset supplied to retrieve a value from that computed memory location
• Secondary memory - Usually magnetic, optical, flash-based, or other storage that contains data not immediately available for the CPU - Hard drives, DVDs, etc.

Storage

• Data storage devices - Used to store information that may be used any time after it’s written
• Primary vs secondary - Primary storage is RAM. Secondary is long-term storage like hard drives.
• Volatile vs non-volatile - Volatile devices lose their data when they lose power
• Random vs sequential - Random access storage allow an OS to read immediately from any point. Sequential storage doesn’t.
• Storage media security
  • Data remanence - Data may remain on devices after it is erased
  • SSDs can only be sanitized by destroying them
  • Prone to theft, important to use full disk encryption

Input and Output Devices

• Monitors - Primary concern is shoulder surfing - looking over the shoulder or at the screen to observe information displayed
• Printers - Users may leave sensitive printouts, some printers store data locally and can re-print data
• Keyboards/mice - Key loggers may intercept and record key strokes and transmit them, revealing passwords and other sensitive information
• Firmware - Software stored on a ROM chip
  • BIOS - Basic input/output system. Contains OS independent primitive instructions that a computer needs to start up and load the OS from disk.
  • Device firmware also needs limited processing

Client-Based Systems

• Client-side attack - Any attack that is able to harm a client, may occur over any protocol
• Applets - Code objects that are sent from a server to a client to perform some action - mini programs
• Local cache - Anything that is temporarily stored on the client for future reuse - see ARP caches, the chapter goes into a ridiculous amount of detail on ARP attacks and DNS cache poisoning

Server-Based Systems

• Data flow control - The movement of data between process, between devices, across a network, or over communication channels
  • Making sure endpoints are not overwhelmed with traffic - maybe by using a load balancer
• Denial of service attack - Attacking the availability of a resource or system, often by attacking data flow control

Database Systems Security

• Aggregation - Combining records from one or more tables to produce potentially useful information
  • An attacker might be able to take multiple pieces of seemingly innocuous information, and combine them to infer something more dangerous
• Inference - Combining several pieces of non-sensitive information to gain access to information that should be classified at a higher level
• Data mining & data warehousing - Warehouses are large databases, data dictionaries are used for storing critical information about data, mining allows analysts to comb through warehouses and look for correlated information
• Data analytics - The science of raw data examination with the focus of extracting useful information out of the bulk information set
  • Big data - Collections of data that have become so large that traditional means of processing aren’t enough
• Large-Scale parallel data systems - Systems designed to perform numerous calculations simultaneously

Distributed Systems and Endpoint Security

• Distributed architecture - The concept of a client-server model network
  • Email needs to be screened
  • Download/upload policies must be created
  • Systems must be subject to robust access controls
  • Restrict user-interface mechanisms and database management systems
  • File encryption may be appropriate, but full disk encryption is also needed
  • Separate and isolate processes that run in user and supervisory mode
  • Protection domains should be created
  • Sensitive materials must be labeled
  • Files on user machines should be backed up
  • Users need regular security awareness training
  • Computers and their storage media require protection from environmental hazards
  • User computers should be included in disaster recovery and business continuity planning
  • Developers of custom software need to take security into account
• Cloud computing - Referring to computing where processing and storage are performed elsewhere over a network connection rather than locally - Depends on virtualization
  • Type 1 hypervisor - Native or bare-metal hypervisor, there is no host OS, the hypervisor installs directly on the hardware
  • Type 2 hypervisor - Hypervisor software is installed on top of another OS
  • Cloud storage - Using storage provided by a cloud vendor to host data for an organization
  • Elasticity - The flexibility to expand or contract based on need
  • Platform as a service - PaaS. Providing a computing platform and software stack as a virtual service
  • Software as a service - SaaS. Providing on-demand online access to software applications without need for local installation
  • Infrastructure as a service - IaaS. Providing on-demand outsourcing options for operating solutions
  • Hosted solution - A deployment concept where the organization must license software and then operates and maintains the software - the hosting provider takes care of the hardware that supports the organization’s software
  • Private cloud - Service within a corporate network and isolated from the internet, internal use only
  • Public cloud - Services are accessible to the general public over an internet connection, usually paid for with subscriptions or pay-per-use, could be free. Data is separated and isolated from other customers, but the overall purpose of the cloud is the same for all customers
  • Hybrid cloud - A mix of public and private
  • Community - A shared environment used and paid for by a group of users or organizations for shared benefit
• Grid computing - Parallel distributed processing that groups processing nodes to work towards a specific goal
• Peer to peer - Share tasks and workloads among peers, like grid computing, but there is no central management system

Internet of Things

• Smart devices - Mobile devices that have customization options, apps, on-device or in-cloud AI
• Internet of things - IoT. A class of smart devices that are internet-connected to provide automation, remote control, or AI processing to traditional or new devices
• Often not designed with security in mind

Industrial Control Systems

• Industrial control system - ICS. Computer management device that controls industrial processes an machines
• SCADA - Supervisory control and data acquisition. Can operate as a stand-alone device, or networked together with other systems.

Assess and Mitigate Vulnerabilities in Web-Based Systems

• Open web application security project - OWASP. A nonprofit security project focused on improving security for online applications. Also a large community.
  • See their Top 10 critical attacks for an idea of what’s hot right now
• Injection attack - Exploitation where an attacker can submit code to a system to modify its operations
  • SQL injection are related to SQL queries and databases
• Input validation - Limiting the types of data a user provides in a form. Input sanitization can happen here and should include escaping metacharacters.
  • Escaping metacharacters - The process of marking the metacharacter as merely a normal or common character, such as a letter or number, thus removing it’s special programmatic powers
• Limit account privileges - the database account that the web server uses should only have the rights to do the limited operations it’s expected to perform
• Directory traversal - An attack that enables an attacker to jump out of the web root directory structure and into other parts of the filesystem hosted by the web server
• Cross-site request forgery - XSRF. An attack similar to XSS (cross site scripting) where the purpose is to trick the user or browser into performing actions they had not intended or would not have authorized

Assess and Mitigate Vulnerabilities in Mobile Systems

• Malicious insiders can bring in malicious code from outside, or exfiltrate information using mobile devices
• Eavesdropping is possible
• Full device encryption - Encrypt the entire device so that if it is lost, the data should be safe if the device is not unlocked
• Remote wiping - The ability to sanitize a device if it is lost or stolen, without having physical access to the device
• Lockout - When a user fails to provide their credentials after repeated attempts, the device may implement a cooldown period, or become locked forever
• Screen locks - Designed to prevent someone from casually picking up a device and using it
• GPS - Global Positioning System. Can be used to track the location of devices
• Application control - Device management solution that allows administrators to limit which applications can be installed on a device
• Storage segmentation - Artificially compartmentalizing types of data on a storage medium - ex. separating the device OS and installed apps
• Asset tracking - Management process used to maintain oversight over an inventory
• Inventory control - Hardware asset tracking, and the concept of using a mobile device as a means of tracking inventory in a warehouse
• Mobile device management - Software solution for managing mobile devices over a communications channel
• Device access control - Blocking unauthenticated access to a device
• Removable storage - Should also be encrypted, if allowed
• Disabling unused features - Remove apps and features that aren’t needed for business tasks or common personal use
• Key management - Most crypto failures are from poor management, not poor algorithms. Have good key selection, based on quality random numbers.
• Credential management - Storage of credentials in a central location
• Geotagging - Using GPS to embed the location of a photo or other file
• Application allow-listing - Prohibiting unauthorized software from executing. Deny by default, implicit deny.
• BYOD - Bring your own device.
• COPE - Corporately owned, personally enabled.
• CYOD - Choose your own device.
• Data ownership - Commingling personal data and business data is likely to occur when using personal devices for business tasks, or vice versa.
  • Segmentation can help, isolation
• Acceptable use policy - Critical to define what is and is not acceptable usage while mixing personal activities and business tasks

Assess and Mitigate Vulnerabilities in Embedded Devices and Cyber-Physical Systems

• Embedded system - A computer implemented as part of a larger system, providing a limited set of specific functions related to the system itself
• Static systems - A set of conditions that don’t change
• Cyber-physical systems - Offer computational means to control something in the physical world, often tied to IoT
• Security by:
  • Network segmentation - Keep these devices isolated from other systems
  • Security layers - Devices with different levels of sensitivity are grouped together and isolated
  • Application firewalls - Define a strict set of communication rules for a service and all users
  • Manual updates - Used in static environments to ensure that only tested updates, patches, authorized changes are implemented
  • Firmware version control - same as above, manual updates
  • Wrappers - Something used to enclose or contain something else, related to Trojan horse malware, but also encapsulation solutions
  • Monitoring - All devices must be monitored
  • Control redundancy and diversity - Especially for systems that are dangerous or whose outages may cause loss of life, you must be able to sustain an attack or outage that diminishes capacity

Essential Security Protection Mechanisms

• Software should not be trusted
• Layering - Implement a structure similar to a ring model
• Abstraction - Fundamental to object oriented programming, users of an object don’t need to know the details of how the object works
• Data hiding - This is different from security by obscurity which is a bad practice. This is putting data in a location that it is not unnecessarily visible.
• Process isolation - Requires the OS to provide separate memory spaces for each process’s instructions and data
• Hardware segmentation - Similar to process isolation in purpose, but for hardware

Security Policy and Computer Architecture

• Principle of least privilege - Discussed more in Chapter 13, users and resources should never have any more privileges than they need to do their assigned function. Avoid over-provisioning permissions.
• Separation of privilege - Builds on least privilege, using granular access permissions for each type of privileged operation so some can be assigned and others can be restricted - like separation of duties
• Accountability - You must be able to log everything and determine who or what is responsible for activities performed

Common Architecture Flaws and Security Issues

• Covert channels - A method that is used to pass information over a path that is not normally used for communication
  • Covert timing channel - Conveys information by altering the performance of a system component or modifying a resource’s timing in a predictable manner - hard to detect
  • Covert storage channel - Conveys information by writing data to a common storage area where another process can read it
• Attacks based on design or coding flaws and security issues - See the OWASP section above
• Trusted recovery - Ensures all security controls remain in place in the event of a crash
• Input and parameter checking - Input sanitization, avoid buffer overflows, and many other issues addressed above
• Maintenance hooks and privileged programs - Entry points into a system that are known only by the developer of the system, also known as back doors
• Incremental attacks - Slow, gradual attack in increments
  • Data diddling - When an attacker gains access to a system and makes small, random, incremental changes to data during it’s lifecycle rather than something big and obvious
  • Salami attack - Systemic whittling at assets in accounts or other records with financial value where small amounts are deducted from balances regularly
• Timing, state changes, and communication disconnects - Computers operate with precision and that’s a weakness
  • Time of check - TOC, the time at which a subject checks the status of an object
  • Time of use - TOU, the time at which a subject uses an object
  • TOCTTOU attack - Time of check to time of use attack, replacing a data file after the identity has been verified, but before it has been used by a subject
• Electromagnetic radiation - EM radiation, reduce eminence through shielding

Chapter 8 covers implementing and managing engineering processes using secure design principles, the fundamental concepts of security models, how to select controls based on security requirements, and understanding security capabilities of information systems.

Last summer I spent about a month studying for and getting my Certified Information Systems Security Professional (CISSP) certification from ISC2. I went about studying for the test a few ways:

• I used the PocketPrep app
• I attended a study bootcamp
• I did a bunch of practice tests

And finally…

• I got the ISC2 CISSP official study guide - I read it cover to cover, and highlighted and annotated the entire thing.

Twitter (@MrThomasRayner) told me there is interest in seeing my study notes. So, here we go! Welcome to my 21 part series on the takeaways and crucial points from each chapter in the ISC2 CISSP official study guide. To be clear, this isn’t a replacement for all those other study methods I mentioned above. This is just a supplement. This also isn’t everything you need to know for the test. This is just what I feel are the most important points.

It’s important to remember that while many of these terms and phrases have different meanings in different contexts, the definitions I’m providing below are the ones that are relevant in the CISSP exam. Your own training or experience may tell you that a definition is incorrect or invalid, but if you want to get the exam questions right, you’ll have to know them as they’re defined in the books and study material.

The CISSP exam is often said to be “a mile wide but only an inch deep” which means you need to know a little bit about a lot of stuff. Accordingly, these posts contain a lot of points and while you might not be questioned on all of them, you could be questioned on any of them. It’s important to have a good grip on every chapter in its entirety.

Previous Chapters

• Chapter 1: Security Governance Through Principles and Policies
• Chapter 2: Personnel Security and Risk Management Concepts
• Chapter 3: Business Continuity Planning
• Chapter 4: Laws, Regulations, and Compliance
• Chapter 5: Protecting Security of Assets
• Chapter 6: Cryptography and Symmetric Key Algorithms
• Chapter 7: PKI and Cryptographic Applications

Chapter 8: Principles of Security, Models, Design, and Capabilities

My key takeaways and crucial points

Objects and Subjects

• Subject - The user or process that makes a request to access a resource
• Object - The resource a subject wants to access
• Transitive trust - If A trusts B, and B trusts C, then A inherits trust of C through B
  • May enable bypassing of restrictions or limits between A and C

Closed and Open Systems

• Closed system - Designed to work well with a narrow range of other systems
• Open system - Designed using agreed-upon industry standards
• This is different than closed/open source
• Attacking a closed system is harder

Techniques for Ensuring CIA

• Confinement - Allows a process to read from and write to only certain memory locations and resources
• Bounds - Processes are assigned an authority level
  • Bounds of a process consist of limits set on the memory locations and resources it can access
• Isolation - Enforcing access bounds. Used to protect the operating environment, the kernel of the OS, and other applications
• Controls - Uses access rules to limit the access of a subject to an object
  • MAC - Mandatory access control
  • DAC - Discretionary access control
  • Chapter 14 is all about this topic
  • Each subject has attributes that define clearance/authority/access to resources
  • Each object has attributes that define it’s classification
• Trust and Assurance - Security issues should not be added on as an afterthought
  • Trusted system - One where all protection mechanisms work together to process sensitive data for different users while maintaining a secure computing environment.
  • Assurance - The degree of confidence in the satisfaction of security needs
  • When change occurs, the system needs to be reevaluated

Understand the Fundamental Concepts of Security Models

• Security model - A way for designers to map abstract statements into a security policy
• Token - A separate object associated with a resource and describes its security attributes
• Capabilities list - Maintains a row of security attributes for each controlled object
• Security label - A permanent part of the object to which it’s attached
• Trusted computing base - TCB. A combination of hardware, software, and controls that work together to form a trusted base to enforce your security policy
• Security perimeter - An imaginary boundary that separates Trusted Computing Base from the rest of the system
• Trust paths - Secure channels for Trusted Computing Base to talk to the rest of the system
• Reference monitor - Part of TCB that validates access to every resource. Stands between every subject and object, verifying requests
• Security kernel - Collection of components in TCB that work together to implement reference monitor functions
• State machine model - Describes a system that is always secure no matter what state it’s in
• State - A snapshot of a system at a specific moment in time
• Information flow model - Focuses on the flow of information based on a state machine model
  • Discussed later in this chapter
  • Bell-LaPadula - Concerned with information flow from high security level to a low security level
  • Biba - Concerned with preventing information flow from a low security level to a high security level
• Noninterference - Concerned with how the actions of a subject at a higher security level affect the system state or the actions of a subject at a lower security level
  • Isolation
• Take-Grant model - Employs a directed graph to dictate how rights are passed from one subject to another, or from a subject to an object
• Access Control Matrix - A table of subjects and objects that indicates the actions or functions each subject can perform on each object
  • Each row has a capabilities list - Access Control List (ACL). Tied to the subject and lists valid actions that can be taken on each object
• Lattice-Based Access Control
  • Simple property - Concerned with reading data
  • Star property - Concerned with writing data

Bell-LaPadula Model

• US Department of Defense developed in 1970s
• Concerned with protecting classified information
• A subject with any level of clearance can access resources at or below its clearance level
• Prevents leaking or transfer of classified information to less secure clearance levels
• Does not address integrity or availability
• No read up (simple property)
• No write down (star property)
• Uses an access control matrix (discretionary property - need to know)

Biba Model

• Integrity is more important than confidentiality
• Also built on state machine concept, based on information flow, and is multilevel
• Very similar to Bell-LaPadula, except inverted
• No read down (simple property)
• No write up (star property)

Clark-Wilson Model

• Does not use lattice structure, but rather uses access triple control
  • Subject
  • Program/transaction
  • Object
• Objects are accessed only through programs
• Constrained data item - CDI. Any data item whose integrity is protected by the security model
• Restricted interface model - Elements of an interface are limited based on a subjects rights and authorization

Brewer and Nash Model (aka Chinese Wall)

• Changes dynamically based on a user’s previous activity
• Chinese Wall model - Creates a class of data that defines which security domains are potentially in conflict and prevents subjects with access to one domain that belongs to a specific conflict class from access any other information in the conflict class
• Protects from conflicts of interest

Goguen-Meseguer Model

• Integrity model, less well known as Biba
• Foundation of noninterference conceptual theories

Sutherland Model

• Integrity model, focused on preventing interference

Graham-Denning Model

• Focused on the secure creation and deletion of both subjects and objects
• A collection of eight protection rules or actions that define boundaries (Only one with all eight)
  • Create an object
  • Create a subject
  • Delete an object
  • Delete a subject
  • Provide read access right
  • Provide grant access right
  • Provide delete access right
  • Provide transfer access right

Select Security Controls Based On Systems Security Requirements

• Need a tested and technical evaluation
• Need a formal comparison of its design and security criterial
• Sometimes you may need a trusted third party to provide a seal of approval
• Trusted Computer System Evaluation Criteria - TCSEC. Standards to attempt to specify minimum security criteria for various categories of use
  • Classes and required functionality
    • D - Minimal protection
    • C1 - Discretionary protection
    • C2 - Controlled access protection
    • B1 - Labeled security
    • B2 - Structured protection
    • B3 - Security domains
    • A1 - Verified protection
• Common Criteria - Represents a global effort that is similar to TCSEC in function/purpose
  • Assurance levels
  • EAL1 - Functionally tested
  • EAL2 - Structurally tested
  • EAL3 - Methodically tested and checked
  • EAL4 - Methodically designed, tested, and reviewed
  • EAL5 - Semi-formally designed and tested
  • EAL6 - Semi-formally verified, designed, and tested
  • EAL7 - Formally verified, designed, and tested
• Industry and International Security Implementation Guidelines
  • Payment Card Industry Data Security Standard (PCI DSS)
  • International Organization for Standardization (ISO)
• Certification - Comprehensive evaluation of security features of an IT system
• Accreditation - A formal declaration by the designated approval authority that an IT system is approved to operate in a particular security mode
  • Often an iterative process

Understand Security Capabilities of Information Systems

• Virtualization - Used to host one or more operating systems within the memory of a single host computer
• Trusted Platform Module - TPM. Specification for a cryptoprocessor chip on a mainboard, and the general name for implementation of the spec
  • Stores and processes cryptographic keys
• Hardware security module - HSM. A cryptoprocessor used to manage/store digital encryption keys, accelerate crypto operations, support faster digital signatures, improve authentication
• Interfaces - Implemented with an application to restrict what users can do or see based on their privileges
• Fault tolerance - The ability of a system to suffer a fault but continue to operate

Chapter 7 is all about applying cryptography. It covers the cryptographic lifecycle, methods, Public Key Infrastructure, and key management practices. It also covers Digital signatures, nonrepudiation, integrity, cryptanalytic attacks, and Digital Rights Management.

Last summer I spent about a month studying for and getting my Certified Information Systems Security Professional (CISSP) certification from ISC2. I went about studying for the test a few ways:

• I used the PocketPrep app
• I attended a study bootcamp
• I did a bunch of practice tests

And finally…

• I got the ISC2 CISSP official study guide - I read it cover to cover, and highlighted and annotated the entire thing.

Twitter (@MrThomasRayner) told me there is interest in seeing my study notes. So, here we go! Welcome to my 21 part series on the takeaways and crucial points from each chapter in the ISC2 CISSP official study guide. To be clear, this isn’t a replacement for all those other study methods I mentioned above. This is just a supplement. This also isn’t everything you need to know for the test. This is just what I feel are the most important points.

It’s important to remember that while many of these terms and phrases have different meanings in different contexts, the definitions I’m providing below are the ones that are relevant in the CISSP exam. Your own training or experience may tell you that a definition is incorrect or invalid, but if you want to get the exam questions right, you’ll have to know them as they’re defined in the books and study material.

The CISSP exam is often said to be “a mile wide but only an inch deep” which means you need to know a little bit about a lot of stuff. Accordingly, these posts contain a lot of points and while you might not be questioned on all of them, you could be questioned on any of them. It’s important to have a good grip on every chapter in its entirety.

Previous Chapters

• Chapter 1: Security Governance Through Principles and Policies
• Chapter 2: Personnel Security and Risk Management Concepts
• Chapter 3: Business Continuity Planning
• Chapter 4: Laws, Regulations, and Compliance
• Chapter 5: Protecting Security of Assets
• Chapter 6: Cryptography and Symmetric Key Algorithms

Chapter 7: PKI and Cryptographic Applications

My key takeaways and crucial points

Public and Private Keys

• Every user maintains a public key and a private key in asymmetric crypto
• Private key is preserved for the sole use of the individual who owns the key
• Public key is available to anyone they want to communicate with
• RSA
  • Choose two large prime numbers approximately 200 digits each labeled p and q
  • Multiply them together n = p * q
  • Select a number e that is:
    • Less than n
    • e and (p - 1)(q - 1) are relatively prime (no common factors)
  • Find d that is (ed - 1) mod (p - 1)(q - 1) = 1
  • Distribute e and n as the public key and keep d as the secret private key
• Key length is the most important parameter
  • RSA key length: 1024 bits
  • DSA key length: 1024 bits
  • Elliptical curve key length: 160 bits
• El Gamal
  • Major disadvantage - this algo doubles the length of any message it encrypts
• Elliptical Curve
  • Better for low power devices like phones
  • 1024 bit RSA key is cryptographically equivalent to 160 bit elliptical curve

Hash Functions

• Hash functions - Take a potentially long message and generate a unique output value derived from the content of the message
  • Message digest - The output of a hash function
• Basic hash function requirements
  • Input can be any length
  • Output has a fixed length
  • Should be relatively easy to compute for any input
  • Hash function is one-way which means it is extremely hard to determine the input when provided the output
  • Collision free - hard to find two inputs that produce the same message digest
• SHA - Secure Hash Algorithm
  • SHA-1 produces 160 bit digest
  • Processes 512 bit blocks
  • Pads messages to fit
  • SHA-256 produces 256 bit messages using 512 bit block size
  • SHA-224 uses truncated version of SHA-256 hash to make a 224 bit message with 512 bit block size
  • SHA-512 produces 512 bit message digests using a 1024 bit block size
  • SHA-384 uses truncated SHA-512 to produce 384 bit digest with 1024 bit block size
• MD5
  • 512 bit blocks
  • 4 distinct rounds of computation
  • Message length must be 64 bits less than a multiple of 512 bits
    • Uses padding to make up the difference
• Hash of Variable Length (HAVAL) - MD5 variant
  • Hash value length: 128, 160, 192, 224, 256 bits

Digital Signatures

• Enforces nonrepudiation
• Assures the recipient that the message was not altered while in transit
• If Alice wants to sign a message she’s sending to Bob…
  • Alice generates a message digest of the original plaintext using a hashing algo
  • Alice encrypts the message digest using her private key - this is the digital signature
  • Alice appends the signed message digest to the plaintext
  • Alice transmits the appended message to Bob
  • Bob decrypts the digital signature using Alice’s public key
  • Bob uses the same hashing function to create a message digest of the full plaintext received from Alice
  • Bob compares the decrypted message digest he got from Alice with the message digest he computed himself
    • If the hashes match, the signature is verified and the message was sent from Alice
    • If the hashes do not match, the signature is invalid and either the message didn’t come from Alice, or it was modified in transit
• Does not provide privacy/confidentiality
• Does provide integrity, authentication, nonrepudiation
• HMAC - Hashed Message Authentication Code
  • Provides integrity, does not provide nonrepudiation
  • Depends on a shared secret key

Which Key To Use When

Digital Signature Standard

• Federal Information processing Standard (FIPS) 186-4

Public Key Infrastructure

• Certificates
  • Endorsed copies of a public key
  • International standard: X.509
  • Contains
    • Version of X.509 it conforms to
    • Serial number
    • Signature algo identifier
    • Issuer name
    • Validity period
    • Subject’s name
    • Subject’s public key
  • Certificate extensions are custom variables inserted into a certificate
• Certificate Authorities
  • Neutral organizations that offer notarization services for digital certificates
  • Registration authorities assist by verifying user’s identities prior to issuing certificates but do not issue certs themselves
  • Certificate Path Validation - CPV. Each certificate in the certificate path from the original start or root of trust down to the server or client in question is valid and legitimate.
• Certificate Generation and Destruction
  • Enrollment
    • Prove your identity to the CA
    • Provide them your public key
    • CA signs your certificate with their private key
  • Verification
    • Verify the cert by checking the CA’s digital signature using the CA’s public key
    • Make sure it was not revoked (Certificate Revocation List - CRL)
      • Or Online Certificate Status Protocol (OCSP)
    • A certificate is valid if:
      • The digital signature of the CA is authentic
      • You trust the CA
      • The certificate is not listed on a CRL
      • The certificate contains the data you are trusting
  • Revocation
    • Revoking a certificate declares it invalid before it’s natural expiry
    • Certificate Revocation Lists (CRLs) contain serial numbers of certs that a CA revoked along with when they were revoked
    • Online Certificate Status Protocol (OCSP) eliminates latency with CRLs by providing a real-time check

Asymmetric Key Management

• Choose an encryption system whose algo is in the public domain
• Use a key length that balances security requirements with performance
• Keep private key secret
• Retire keys when they’re done being useful
• Back up your key
• Hardware security modules - HSMs. Store and manage encryption keys in a secure manner
  • Yubikey is an example

Applied Cryptography

• Portable devices
  • Windows includes BitLocker and Encrypting File System (EFS)
  • Mac has FileVault
  • Linux has VeraCrypt
  • All for disk encryption of mobile devices like laptops
• Trusted Platform Module - TPM. A chip on the motherboard that stores and manages keys used for full disk encryption.
• Email
  • For confidentiality, encrypt the message
  • For integrity, hash the message
  • For authentication, integrity, and/or nonrepudiation, digitally sign the message
  • For confidentiality, integrity, authentication, and nonrepudiation, encrypt and sign the message
  • Always the responsibility of the sender
  • Pretty Good Privacy - PGP
    • “web of trust”
    • Secure email system
  • Secure/Multipurpose Internet Mail Extensions - S/MIME
    • Uses X.509 certificates for exchanging crypto keys
• Web Applications
  • SSL and TLS (Secure Sockets Layer, and Transport Layer Security)
  • HTTPS (Hypertext Transfer Protocol Secure) uses port 443 to negotiate encrypted communications between web servers and clients
  • Depends on the exchange of server digital certificates
    • When a user accesses a website, the browser gets the web server’s cert and extracts the public key from it
    • The browser creates a random symmetric key, uses the server’s public key to encrypt it, and sends the encrypted symmetric key to the server
    • The server decrypts the symmetric key using it’s private key, and the two systems exchange future messages using symmetric encryption/key
  • Padding Oracle On Downgraded Legacy Encryption (POODLE) is a downgrade attack - forcing a system to use an older/vulnerable version of TLS or SSL instead of an up to date version
• Steganography and Watermarking
  • Steganography - Using crypto techniques to embed secret messages within another message
  • Ex: Adding digital watermarks to documents to protect intellectual property
• Digital Rights Management - DRM
  • Using encryption to enforce copyright restrictions on digital media
  • High-Bandwidth Digital Content Protection - HDCP. Provides protection over digital connections like HDMI
  • Advanced Access Content System - AACS. Protects Blu-Ray
  • Video games increasingly depend on having an internet connection
  • Document DRM may want to control permissions like who can read, modify, remove watermarks, download/save, print, take a screenshot

Networking

• IPSec and Internet Security Association and Key Management Protocol (ISAKMP)
• Circuit Encryption
  • Link encryption - Protects entire communication circuits by creating a secure tunnel
  • End-to-end encryption - Protects communications between two parties
  • The difference between the above is that link encryption, all data including headers, trailers, address, routing data is also encrypted
  • When encryption happens at higher OSI layers, it’s usually end-to-end
  • Secure Shell - SSH. End-to-end encryption
• IPSec
  • Could be any two entities - servers, routers, gateway, a combo
  • Uses public key crypto to provide encryption, access control, nonrepudiation, message authentication
  • VPNs use IPSec
  • Authentication Header - AH. provides message integrity and nonrepudiation
  • Encapsulating Security Payload - ESP. Provides confidentiality and integrity of packet contents
  • Transport mode - only the packet payload is encrypted
  • Tunnel mode - entire packet, including header, is encrypted
  • Set up a session with a security association (SA)
    • Represents the communication session and records configuration and status
    • Need two SAs, one for each direction
    • If using both AH and ESP bi-directional, you need four SAs
• ISAKMP
  • Used by IPSec for negotiating, establishing, modifying, deleting SAs
• Wireless networking
  • Wired Equivalent Privacy - WEP. 64 bit and 128 bit encryption for IEEE 802.11
    • A lot of flaws exist here, not considered secure - should never be used
  • WiFi Protected Access - WPA. Improves WEP by adding Temporal Key Integrity Protocol (TKIP)
    • WPA2 adds AES crypto
    • Does not provide end-to-end encryption
  • 802.11x - authentication and key management framework for both wired and wireless networks
    • Client runs software called a supplicant

Cryptographic Attacks

• Analytic Attack - Using math to reduce complexity of algo
• Implementation Attack - Exploits weaknesses in the implementation of a crypto system
• Statistical Attack - Using math to find patterns, floating-point errors, inability to find truly random numbers
• Brute Force - Trying every possible combination for key and password
  • Key length is critical for defending brute force
  • Rainbow tables - precomputed values for crypto hashes, commonly for cracking passwords
• Salt - A random value added to the end of the password before it is hashed
• Frequency analysis - Counting the number of times each letter appears in the ciphertext
• Known Plaintext - Attacker has a copy of the encrypted message, along with plaintext, can be used to determine the key
• Chosen Ciphertext - Attacker has ability to decrypt portions of the ciphertext
• Chosen Plaintext - Attacker has ability to encrypt plaintext messages of their choosing
• Meet in the Middle - Known plaintext message
• Man in the Middle - A malicious individual sits between two communicating parties and intercepts communications
• Birthday - AKA collision attack, finding flaws in hashing functions where two inputs generate the same output
• Replay - A system lacks temporal protections, a message can be sent more than once at different times

Chapter 6 covers data security controls, understanding data states, and then it gets into cryptography. This chapter goes into assessing and mitigating vulnerabilities of systems related to cryptography, cryptographic lifecycle and methods, nonrepudiation, and data integrity.

Last summer I spent about a month studying for and getting my Certified Information Systems Security Professional (CISSP) certification from ISC2. I went about studying for the test a few ways:

• I used the PocketPrep app
• I attended a study bootcamp
• I did a bunch of practice tests

And finally…

• I got the ISC2 CISSP official study guide - I read it cover to cover, and highlighted and annotated the entire thing.

Twitter (@MrThomasRayner) told me there is interest in seeing my study notes. So, here we go! Welcome to my 21 part series on the takeaways and crucial points from each chapter in the ISC2 CISSP official study guide. To be clear, this isn’t a replacement for all those other study methods I mentioned above. This is just a supplement. This also isn’t everything you need to know for the test. This is just what I feel are the most important points.

It’s important to remember that while many of these terms and phrases have different meanings in different contexts, the definitions I’m providing below are the ones that are relevant in the CISSP exam. Your own training or experience may tell you that a definition is incorrect or invalid, but if you want to get the exam questions right, you’ll have to know them as they’re defined in the books and study material.

The CISSP exam is often said to be “a mile wide but only an inch deep” which means you need to know a little bit about a lot of stuff. Accordingly, these posts contain a lot of points and while you might not be questioned on all of them, you could be questioned on any of them. It’s important to have a good grip on every chapter in its entirety.

Previous Chapters

• Chapter 1: Security Governance Through Principles and Policies
• Chapter 2: Personnel Security and Risk Management Concepts
• Chapter 3: Business Continuity Planning
• Chapter 4: Laws, Regulations, and Compliance
• Chapter 5: Protecting Security of Assets

Chapter 6: Cryptography and Symmetric Key Algorithms

My key takeaways and crucial points

Historical Milestones in Crypto

• Caesar cipher - Shift each letter of the alphabet 4 places to the right. A becomes D, B becomes E, etc..
  • Cracked via frequency analysis - Most common English letters are E, T, A, O, N, R, I, S, H. Attackers find the common substitutions and experiment until they can discern the message.

Crypto Basics

• Goals of Crypto
  • Confidentiality
    • Preservation of secrecy of stored information
    • Symmetric crypto systems use a secret key shared by all users
    • Asymmetric crypto systems use individual combos of public and private keys for each user
    • Data in transit aka data on the wire - exam terms, same thing
  • Integrity
    • Message digests - aka digital signatures, created when message is transmitted, used to ensure data wasn’t altered
  • Authentication
    • Challenge-response authentication
    • Prove that one can encrypt/decrypt something to validate identity
  • Nonrepudiation
    • Only offered by asymmetric systems
    • Assurance that the message originated by the sender, not someone pretending to be the sender
• Cryptography Concepts
  • Plaintext - Before a message is coded
  • Ciphertext - After a message is encrypted
  • Keys - Used in encryption calculations.
  • Key space - The range of values that are valid for use as a key in a specific algorithm, aka bit size
  • Kerckhoff’s Principle - A Cryptographic system should be secure even if everything about the system, except the key, is public knowledge
  • Cryptovariable - Sometimes used to refer to keys
  • Cryptography - Implementing secret codes and ciphers
  • Cryptanalysis - The study of methods to defeat codes and ciphers
  • Cryptology - Cryptography and cryptanalysis together

Cryptographic Mathematics

• Boolean Math - Logical Operations
  • AND - Represented by the ^ symbol, checks whether two input values are both true
  • OR - Represented by the v symbol, checks whether at least one input value is true
  • NOT - Represented by the ! symbol, reverses the value of an input variable
  • XOR - Represented by the ⊕ symbol, returns true when only one of the input values is true
• Modulo function - showing a remainder value each time you performed a division operation, very important to crypto operations
• Nonce - A random number that acts as a placeholder variable in mathematical functions
• Zero-Knowledge Proof - Prove your knowledge of a fact to a third party without revealing the fact itself to the third party
• Split knowledge - Knowledge is divided among multiple users
  • M of N control - Requires a minimum (M) number of the total agents (N) work together to perform a high-security action
• Work function - Measures the strength of a crypto system
  • Time and effort required to complete a brute-force attack
  • Work function only needs to be slightly greater than the time value of the asset

Codes vs. Ciphers

• Codes - Crypto systems of symbols that represent words or phrases, sometimes secret, not always meant to provide confidentiality
  • Ex: “The eagle has landed”
• Ciphers - Always meant to hide the true meaning of a message
  • Ex: The transformation of plaintext to ciphertext

Transposition Ciphers

• Transposition cipher - Use an encryption algorithm to rearrange the letters of a plaintext message to form ciphertext
• Can used a keyword to perform a columnar transposition

Substitution Ciphers

• Substitution cipher - Use an encryption algorithm to replace each character or bit of the plaintext with a different character
• Vigenère cipher - Uses a chart of the alphabet shifted once per line, then a key is used to decrypt

One-Time Pads

• One-time pads - Use a different substitution alphabet for each letter of the plaintext message
• AKA Vernam ciphers
• One-time pad must be randomly generated
• Most be physically protected against disclosure
• OTP must be used only once
• Key must be at least as long as the plaintext
• When used properly, OTP is unbreakable - no repeating patterns

Running Key Ciphers

• Running key cipher - aka a book cipher
• Key is as long as the message itself, often chosen from a common book

Block Ciphers

• Block ciphers - Operate on chunks or blocks of a message

Stream Ciphers

• Stream ciphers - Operate on one character or bit of a message (or data stream) at a time

Confusion and Diffusion

• Confusion - Occurs when the relationship between plaintext and the key is too complicated for an attacker to altering the plaintext and analyzing the ciphertext to determine the key
• Diffusion - Occurs when a change in the plaintext results in multiple changes throughout the ciphertext
• Substitution introduces confusing
• Transposition introduces diffusion

Modern Crypto

• Crypto keys
  • Kerckhoff’s Principle - Opening algorithms to public scrutiny actually improves their security
  • Modern cryptosystems rely on secrecy of one or more cryptographic keys
• Symmetric Key Algorithms
  • AKA secret key and private key crypto
  • Rely on a shared secret
  • Weaknesses
    • Need to distribute the key - See Diffie-Hellman
    • Does not implement nonrepudiation
    • Algo doesn’t scale well - secure private comms between individuals can only be achieved if every possible combo of users has their own shared key
      • (n * (n - 1)) / 2 = number of keys needed
    • Keys need to be regenerated every time group membership changes
  • Very fast
• Asymmetric Key Algorithms
  • AKA public key algos
  • Each user has two keys
    • Public key - Shared with all users
    • Private key - Kept secret, known only to the user
  • Supports digital signing
  • Transience - new users requires only one new public-private key pair, users can be easily removed
  • Only need to regenerate keys when a user’s private key is compromised
  • Can provide integrity, authentication, nonrepudiation
  • Simple key distribution
  • No pre-existing communication link needs to exist
  • Big disadvantage is slow speed of operation
  • Lots of applications use a asymmetric crypto to establish a connection, and exchange a symmetric secret, then the rest of the session is encrypted with symmetric crypto

Symmetric Cryptography

• Data Encryption Standard
  • No longer considered secure
  • Superseded by Advanced Encryption Standard (AES)
  • Uses a long series of XOR operations, repeated 16 times (aka 16 rounds of encryption)
  • 56 bit key size
  • Electronic Code Book Mode - ECB
    • Weakest mode
    • 64 bit blocks processed
    • The same block of input produces the same encrypted block
    • Only for exchanging small amounts of data
  • Cipher Block Chaining Mode - CBC
    • Each block of plaintext is XORed with the preceding block of ciphertext before it’s encrypted with DES
    • CBC has an initialization vector and XORs it with the first block of the message - IV must be sent to recipient
    • Errors propagate
  • Cipher Feedback Mode - CFB
    • Streaming cipher version of CBC
    • Operates against data produced in real time
    • Uses a memory buffer instead of block size
    • Uses an IV and chaining
  • Output Feedback Mode - OFB
    • Almost the same as CFB, except instead of XORing an encrypted version of the previous ciphertext, it’s XORed with a seed value
    • Still uses an IV to create the seed value
    • Future seeds are derived by running DES on previous seed
    • No chaining function, so transmission errors don’t propagate
  • Counter Mode - CTR
    • Stream cipher similar to CFB and OFB
    • Uses a simple counter that increments for each operation
    • Errors do not propagate
    • Well suited for use in parallel computing
• Triple DES
  • Effective key = 64 bit
  • 64 bit block size
  • Four versions
    • Encrypt plaintext 3 times using 3 different keys
      • Effective key size of 112 bits
    • Uses three keys, but replaces the second encryption with a decryption operation
    • Only uses two keys
    • Uses two keys, and uses a decryption operation in the middle
• International Data Encryption Algorithm
  • Key is broken up in a series of operations into 52 16-bit subkeys
  • Same 5 modes as DES
  • Used in PGP - Pretty Good Privacy
• Blowfish
  • 64-bit blocks of text
  • Keys between 32 bits and 448 bits
  • Much faster than DES and IDEA
  • Released for public use with no license
• Skipjack
  • US Government
  • 64-bit blocks of text
  • 80-bit keys
  • Clipper and Capstone encryption chips - just know these are related to Skipjack
  • Supports escrow of encryption keys
  • Not widely embraced because of mistrust of escrow processes within US government
• RV5 - Rivest Cipher 5
  • Block sizes - 32, 64, 128 bits
  • Key sizes - between 0 and 2040 bits
• Advanced Encryption Standard - AES
  • 128-bit keys require 10 rounds of encryption
  • 192-bit keys require 12 rounds of encryption
  • 256-bit keys require 14 rounds of encryption
• Twofish
  • Prewhitening - XORing the plaintext with a separate subkey before the first round of encryption
  • Postwhitening - Uses a similar operation after the 16th round of encryption

There is a table (6.2) that I won’t reproduce here that you should familiarize yourself with before your exam

Symmetric Key Management

• Creation and distribution
  • Offline - physical distribution
  • Use public key encryption to setup an initial communications link, exchange a secret key over the secure public key link
  • Diffie-Hellman
• Storage and destruction of keys
  • Never store keys on the same system as encrypted data
  • Sensitive keys can be split up and then split knowledge can be used
• Key escrow and recovery
  • Fair cryptosystems - Secret keys used in communication are divided into two or more pieces, each of which is given to an independent third party
  • Escrowed encryption standard - Provides the government with a technological means to decrypt ciphertext - used in Skipjack

Cryptographic Lifecycle

• Moore’s Law - except One-Time Pad, all crypto systems have a limited life span
  • A cited trend in the advancement of computing power that states the processing abilities of a microprocessor will double approximately every two years
  • Not a law, just a previous trend
  • Means what is hard to crack today might not be hard to crack tomorrow - especially with quantum computing

Chapter 5 is concerned with asset security. It discusses identifying and classifying information and assets, as well as determining how to maintain assets and identify asset owners. Chapter 5 also talks about protecting privacy, ensuring proper asset retention, determining data security controls, and establishing information and asset handling requirements.

Last summer I spent about a month studying for and getting my Certified Information Systems Security Professional (CISSP) certification from ISC2. I went about studying for the test a few ways:

• I used the PocketPrep app
• I attended a study bootcamp
• I did a bunch of practice tests

And finally…

• I got the ISC2 CISSP official study guide - I read it cover to cover, and highlighted and annotated the entire thing.

Twitter (@MrThomasRayner) told me there is interest in seeing my study notes. So, here we go! Welcome to my 21 part series on the takeaways and crucial points from each chapter in the ISC2 CISSP official study guide. To be clear, this isn’t a replacement for all those other study methods I mentioned above. This is just a supplement. This also isn’t everything you need to know for the test. This is just what I feel are the most important points.

It’s important to remember that while many of these terms and phrases have different meanings in different contexts, the definitions I’m providing below are the ones that are relevant in the CISSP exam. Your own training or experience may tell you that a definition is incorrect or invalid, but if you want to get the exam questions right, you’ll have to know them as they’re defined in the books and study material.

The CISSP exam is often said to be “a mile wide but only an inch deep” which means you need to know a little bit about a lot of stuff. Accordingly, these posts contain a lot of points and while you might not be questioned on all of them, you could be questioned on any of them. It’s important to have a good grip on every chapter in its entirety.

Previous Chapters

• Chapter 1: Security Governance Through Principles and Policies
• Chapter 2: Personnel Security and Risk Management Concepts
• Chapter 3: Business Continuity Planning
• Chapter 4: Laws, Regulations, and Compliance

Chapter 5: Protecting Security of Assets

My key takeaways and crucial points

Defining Sensitive Data

• Sensitive data is any data that isn’t public or unclassified.
• Personally identifying information - PII. Can be used to identify an individual.
  • See NIST 800-122
  • Can distinguish or trace an individual’s identity - ex: name, social security number, date and place of birth
  • Linked or linkable to an individual - ex: medical, financial, employment info
• Protected health information - PHI. Any health-related info that can be related to a specific person
  • HIPAA
  • Created or received by a healthcare provider
  • Relates to past, present or future physical or mental health or condition of an individual
  • HIPAA defines PHI more broadly
• Proprietary Data
  • Helps an organization maintain a competitive edge

Defining Data Classification

• Data classification - Identifying the value of the data to the organization.
  • Critical to protect data confidentiality and integrity
  • Classification labels
  • Identifies how data owners can determine proper classification
• Government uses top secret, secret, confidential, and unclassified
  • Top secret = “exceptionally grave damage”
  • Secret = “serious damage”
  • Confidential = “damage”
• Classifications also apply to physical/hardware assets
• Non-government
  • Use more meaningful labels - ex: confidential, proprietary, private, sensitive, public
  • More discretion
• Both systems identify relative value of data
  • Top secret is highest for governments
  • Confidential is highest for organizations

Data Classifications

• Confidential or proprietary - highest level of classified data
• Private - Should stay private within organization
• Sensitive - Similar to confidential, breach would cause damage to the mission of the organization
• Public - Unclassified data
• For the exam, remember sensitive information refers to anything that isn’t public/unclassified

Defining Asset Classifications

• If a computer is processing top secret data, the computer is a top secret asset
  • Same with media
• Asset classification should match the data classifications

Determining Data Security Controls

• Identity and Access Management - IAM. See Chapter 13 and 14, but has to do with ensuring only authorized personnel can access resources.

Understanding Data States

• Data at rest - Stored on media.
• Data in transit - Data that is being transmitted over a network.
• Data in use - Data in memory or temporary storage while an application is using it.
• Protect confidentiality with strong encryption in all states

Marking Sensitive Data and Assets

• Most important information that a mark or label provides is the classification of data
• When users know the value of the data, they’re more likely to protect it properly based on the classification
• Headers, footers, watermarks - DLP (data loss prevention) systems can identify documents that include sensitive information, apply appropriate controls
• Use labels for unclassified media to prevent errors of omission where sensitive data isn’t marked
• If media or systems need to be downgraded to a less sensitive classification, it needs to be sanitized

Handling Sensitive Information and Assets

• Backup tapes should be protected with the same level of protection as the data that is backed up

Storing Sensitive Data

• Must store sensitive data such that it is protected against any type of loss
• Most obvious protection is encryption
• Do not neglect physical security practices
  • Theft, device failure
• The value of any sensitive data is much greater than the value of the media holding the sensitive data
  • It’s more cost effective to purchase high quality backup media than to lose sensitive data

Destroying Sensitive Data

• NIST 800-88r1
• Sanitization - clearing, purging, and destroying to ensure data cannot be recovered by any means
  • When a computer is disposed of, sanitization means all nonvolatile memory is removed/destroyed

Eliminating Data Remanence

• Data remanence - Data that remains on media after the data was supposedly erased.
• Degausser - Generates heavy magnetic field to destroy data.
  • Cannot degauss SSDs (solid state drives)
  • Best method of sanitizing SSDs is destruction
• Erasing - Performing a delete operation against a file.
  • Only removes the directory or catalog link to data.
  • The data remains on the drive.
• Clearing - AKA overwriting.
  • Prepares media for re-use.
  • Unclassified data is written over all addressable locations on the media.
  • Maybe writing a single character or bit pattern over all media.
  • It is still possible to retrieve some of the original data using lab or forensics.
• Purging - More intense form of clearing.
  • Prepares media for reuse in less secure environments.
  • The only method for reuse in less secure environments.
  • Repeats the clearing process multiple times and may combine with other methods like degaussing to completely remove data.
• Destruction - Most secure method of sanitization.
  • Data cannot be extracted from destroyed media.
• Declassification - Any process that purges media or a system to prepare it for use in an unclassified environment.
  • Sanitization methods are often more effort than the cost for new media.

Ensuring Appropriate Asset Retention

• Record retention and media retention is the most important part of asset retention.
• Record retention - Maintaining important information as long as it is needed, destroying when it isn’t.
• Companies cannot legal delete potential evidence after a lawsuit is filed.

Protecting Data with Symmetric Encryption

• Symmetric encryption uses the same key to encrypt and decrypt data
• Advanced encryption standard - AES.
  • Supports key sizes of 128 bits, 192 bits, and 256 bits.
• Triple DES - First implementation uses 56 bit keys.
  • New implementation uses 112 bit, 168 bit keys.
  • Longer keys is more secure.
• Blowfish - Key sizes between 32 bits and 445 bits.
  • Bcrypt adds 128 additional bits as a salt to protect against rainbow table attacks.

Protecting Data with Transport Encryption

• HTTP (Hypertext Transfer Protocol) operates in cleartext
• HTTPS (Hypertext Transfer Protocol Secure) adds encryption
  • Transport Layer Security (TLS) is current standard
  • Secure Sockets Layer (SSL) was precursor
• Virtual Private Networks (VPNs) create a logical tunnel between private networks
  • Allow employees in remote areas to access organizations internal network
  • Internet Protocol Security (IPSec) - VPN encryption
  • Layer 2 Tunneling Protocol (L2TP) - adds authentication header which provides authentication and integrity, and encapsulating security payload for confidentiality
  • IPSec and Secure Shell (SSH) is also commonly used

Data Owners

• Data owner - The person who has ultimate organizational responsibility for data
  • Establishes rules for appropriate use and protection
  • Input regarding security requirements and controls
  • Decides who has access to information and with what privileges
  • Assists in the identification and assessment of security controls
• NIST 800-18
  • Uses phrase “rules of behavior” which means Acceptable Use Policy

Asset Owners

• Also uses NIST 800-18
• Asset owner - Person who owns the asset or system that processes sensitive data
  • Develops a system security plan
  • Ensures system is deployed and operated according to security requirements
  • Delivers appropriate security training
  • Usually the same person as the data owner

Business/Mission Owners

• NIST 800-18 again
• Business/Mission owner - Program manager or information system owner
  • Might own processes that use systems managed by other entities

Data Processors

• Data processor - Any system used to process data
• GDPR defines as a “natural or legal person, public authority, agency, or other body, which processes personal data solely on behalf of the data controller.
  • Data controller controls the processing of data
• EU-US Privacy Shield
• Swiss-US Privacy Shield
• Privacy Shields are deep, but include
  • Notice - Organization must inform individuals about the purpose of data it collects
  • Choice - Offer a chance to opt out of data collection
  • Accountability for onward transfer - Can only transfer data to other organizations that comply with notice and choice principles
  • Security - Take reasonable precautions to protect personal data
  • Data integrity and purpose limits - Should only collect data that is needed for purposes in the notice
  • Access - Individuals must have access to information an organization holds about them, and to correct, amend or delete it
  • Recourse, enforcement and liability - Must implement mechanisms to ensure compliance and handle complaints
  • These are also general GDPR principles

Pseudonymization

• Pseudonym - An alias.
• Pseudonymization - Replacing data with artificial identifiers.
• Tokenization - Replacing data with tokens.
• Both methods can be reversed.

Anonymization

• Anonymization - The process of removing all relevant data so that it is impossible to identify the original subject or person.

More Terms

• Data administrator - Responsible for granting appropriate access to personnel.
• Data custodian - Data owners delegate day-to-day tasks to a custodian.
• User - Any person who accesses data to accomplish work tasks.

Protecting Privacy

• HIPAA (USA)
• Personal Information Protection and Electronic Documents (Canada)
• GDPR (EU)
• Collection limitation principle - The collection of data should be limited to only what is needed.

Using Security Baselines

• Baselines provide a starting point and ensure minimum security standards
• NIST 800-53 - Security Control Baselines are discussed
• Scoping - Reviewing a list of baseline security controls and selecting the ones that apply to the interesting IT system (the one you’re trying to protect)
• Tailoring - Modifying the list of security controls within a baseline so they align with the mission of the organization
• PCI DSS (Payment Card Industry Data Security Standard)
  • For when business process major credit cards
• GDPR
  • Related to EU countries

Chapter 4 covers a variety of topics related to determining compliance requirements, contractual and legal standards, and privacy requirements. It also includes information to help you understand legal and regulatory issues that relate to information security in a global context like data breaches, licensing requirements, and privacy.

Last summer I spent about a month studying for and getting my Certified Information Systems Security Professional (CISSP) certification from ISC2. I went about studying for the test a few ways:

• I used the PocketPrep app
• I attended a study bootcamp
• I did a bunch of practice tests

And finally…

• I got the ISC2 CISSP official study guide - I read it cover to cover, and highlighted and annotated the entire thing.

Twitter (@MrThomasRayner) told me there is interest in seeing my study notes. So, here we go! Welcome to my 21 part series on the takeaways and crucial points from each chapter in the ISC2 CISSP official study guide. To be clear, this isn’t a replacement for all those other study methods I mentioned above. This is just a supplement. This also isn’t everything you need to know for the test. This is just what I feel are the most important points.

It’s important to remember that while many of these terms and phrases have different meanings in different contexts, the definitions I’m providing below are the ones that are relevant in the CISSP exam. Your own training or experience may tell you that a definition is incorrect or invalid, but if you want to get the exam questions right, you’ll have to know them as they’re defined in the books and study material.

The CISSP exam is often said to be “a mile wide but only an inch deep” which means you need to know a little bit about a lot of stuff. Accordingly, these posts contain a lot of points and while you might not be questioned on all of them, you could be questioned on any of them. It’s important to have a good grip on every chapter in its entirety.

Previous Chapters

• Chapter 1: Security Governance Through Principles and Policies
• Chapter 2: Personnel Security and Risk Management Concepts
• Chapter 3: Business Continuity Planning

Chapter 4: Laws, Regulations, and Compliance

My key takeaways and crucial points

Categories of Laws

• Criminal law - Police and other law enforcement agencies are concerned with
  • Penalties include community service, fines, deprivation of civil liberties (prison time)
• Civil law - Contract disputes, employment matters, things that need impartial arbitration
  • Law enforcement doesn’t normally become involved
  • Criminal prosecution, the government brings action against a person accused of a crime
• Administrative Law - Government charges agencies with purpose/function
  • Agencies abide by and enforce criminal and civil laws enacted by legislative branch
  • Published in the Code of Federal Regulations (CFR)

Laws

• General Data Protection Regulation (GDPR) - European Union
• Computer Fraud and Abuse Act (CFAA)
  • Based off of Comprehensive Crime Control Act of 1984 (CCCA)
  • Makes it a crime to (without authorization):
    • Access classified info or financial info in a federal system
    • Access a computer exclusively used by the federal government
    • Use a federal computer to perpetrate fraud
    • Cause malicious damage to a federal computer system in excess of $1000
    • Modify medical records on a computer when it may impair medical care
    • Traffic in computer passwords if it affects interstate commerce or involves a federal computer system
  • Federal computers was later extended to cover all “federal interest”
    • Computers used by US government
    • Computers used by financial institutions
• CFAA Amendments
  • Also covers interstate commerce in addition to federal interest
• Federal sentencing guidelines
  • Released in 1991
  • Prudent man rule - Senior executives must take personal responsibility for ensuring due care such that ordinary, prudent individuals would exercise in the same situation
  • Burdens of proof for negligence
    • Must have neglected a legally recognized obligation
    • Failure to comply with recognized standards
    • A relationship between the act of negligence and subsequent damages
• National Information Infrastructure Protection Act of 1996
  • Broadens CFAA to systems used in international commerce
  • Extends to include national infrastructure
  • Treats intentional and reckless acts that cause damage as a felony
• Federal Information Security Act - FISMA
  • Pertains to federal agencies
  • Includes activities of contractors
  • National Institute of Standards and Technology (NIST)
    • Responsible for developing FISMA implementation guidelines
    • Periodic assessments of risk
    • Policies and procedures
    • Plans for providing information security for networks, facilities, systems
    • Security awareness training
    • Testing and evaluation
    • Planning, implementing, evaluating, and documenting remedial actions
    • Detecting, reporting, and responding to security incidents
    • Ensure continuity of operations
• Federal Cybersecurity Laws of 2014
  • Centralizes federal cyber security responsibility to Homeland Security
  • Two exceptions
    • Defense related cyber security stays with Sec of Defense
    • Intelligence related issues stay with Director of National Intelligence
  • NIST charged with responsibility for coordinating nationwide work on voluntary standards
  • NIST SP 800-53 - Required for use in federal computing systems
  • NIST SP 800-171 - Often a contractual obligation for federal contractors

Intellectual Property (IP)

• Intangible assets are collectively referred to as intellectual property
• Copyright and the Digital Millennium Copyright Act
  • Copyright law - Guarantees the creators of original works of authorship are protected from unauthorized duplication of their work
  • Works covered:
    • Literary
    • Musical
    • Dramatic
    • Pantomimes and choreographic
    • Pictorial, graphical, and sculptural
    • Motion pictures and other audiovisual
    • Sound recordings
    • Architectural
  • Computer software is covered under the scope of literary work - the actual source code
  • Registering a copyright is not needed for copyright enforcement
    • Creators of work have an automatic copyright
  • Work for hire - when an employer pays for work in the normal course of a work day, the employer owns the copyright
  • Copyrights last until 70 years after the death of the last surviving author
  • Anonymous works are protected for 95 years from first publication or 120 years from date of creation - whichever is shorter
  • DMCA prohibits attempts to circumvent copyright protection
    • Also limits service provider liability
    • Not accountable for “transitory activities”
      • Transmission must be initiated by someone who is not a provider
    • Exempts activities of service providers related to system caching, but providers must take prompt action to remove copyright materials upon notification of infringement
    • One may make backup copies
• Trademarks
  • Words, slogans, logos, etc. used to identify a company and its products
  • Meant to avoid confusion in the marketplace
  • Automatically protected and can use the ™ symbol for public activities
  • For official recognition, apply to US Patent and Trademark Office
    • Registration certificate allows you to use the ® symbol
  • Must not be confusingly similar to another trademark
  • Should not be descriptive of the goods and services you’ll offer
    • “Thomas’ Software Company” is not a good trademark and may be rejected because it describes services
  • Trademarks are granted for 10 years and can be renewed for unlimited 10 year periods
• Patents
  • Protect IP rights of inventors for 20 years
  • Inventions must…
    • Be new
    • Be useful
    • Not be obvious - ex: using a drinking cup to collect rainwater is obvious, but a specially designed cup that limits evaporation might not be
  • Patent trolls register patents, manipulate the system and rules to sue or otherwise make monetary gain from patents, often without creating the invention actually patented
• Trade Secrets
  • IP that is critical to a business
  • Significant damage would result if disclosed competitors or public
  • Filing copyright or patent requires you publicly disclose the details, no longer secret
    • Are also time-limited
  • Trade secrets are things you want to keep to yourself
  • Enforced by nondisclosure agreements (NDA)
  • Patent law does not provide adequate protection for software products, so it’s often treated as a trade secret
• Licensing
  • Contractual license - written contract
  • Shrink-wrap license - a clause stating you acknowledge agreement simply by “breaking the seal on the shrink wrap”
  • Click-through license - increasingly common, required to click a button, adds active consent
  • Cloud services license - click-through agreements to the extreme

Import/Export

• International Traffic in Arms Regulations (ITAR) - controls export of items designated as military and defense items
• Export Administration Regulations (EAR) - covers items designed for commercial use by t may have military applications
• Computer Export Controls
  • US firms can export computers almost anywhere without permission, with exceptions
  • Exceptions from Department of Commerce’s Bureau of Industry and Security
  • Exceptions based on nuclear threat
  • Exceptions that need permission are currently Cuba, Iran, North Korea, Sudan, and Syria

Privacy

• US Privacy Law
  • No constitutional guarantee of privacy - many federal laws exist
  • Fourth Amendment - prohibits government agents from searching private property without a warrant and probably cause
    • Also includes protection against wiretapping and other privacy invasions
  • Privacy Act of 1974
    • Severely limits federal government ability to disclose private information to other people or agencies without written consent of affected individuals
    • Only applies to government agencies
  • Electronic Communication Privacy Act of 1986
    • Make sit a crime to invade the electronic privacy of an individual
• Communications Assistance for Law Enforcement Act (CALEA) of 1994
  • Requires communications carriers to make wiretaps possible
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  • Governs health insurance and health maintenance organizations
  • Hospitals, physicians, insurance companies
  • Defines the rights of individuals
• Health Insurance Technology for Economic and Clinical Health Act of 2009 (HITECH)
  • Change in the ways laws treats business associates
  • New data breach notification requirements
  • Must notify Health and Human Services and the media when a breach impacts more than 500 individuals
• Children’s Online Privacy Protection Act of 1998 (COPPA)
  • Websites must have a privacy notes
  • Parents need an opportunity to review any information collected from their children
  • Parents must give verifiable consent to collection of information of children under the age of 13 before it’s collected
• Gramm-Leach-Bliley Act of 1999 (GLBA)
  • Banks, insurance companies, credit providers
  • Information the above can share with each other
• USA PATRIOT Act of 2001
  • The way government can obtain wiretapping authorization
  • ISPs may provide government with a large range of information
• Family Educational Rights and Privacy Act (FERPA)
  • Educational institutions that accept any form of funding from federal government
• Privacy in the workplace
  • There is a reasonable expectation of privacy when you mail a letter, etc.
  • Employees do not have a reasonable expectation of privacy while using employer-owned communications equipment in the workplace
  • Consider:
    • Clauses in employment contracts
    • Acceptable use and privacy policies
    • Logon banners
    • Warning labels
• European Union General Data Protection Regulation (GDPR)
  • May 28, 2018
  • Widened scope of regulation
  • Applies to all organizations that collect data from EU residents or process it on behalf of someone else
  • Applies to organizations that are not based in the EU
  • Key provisions
    • Breach notifications must occur within 24 hours
    • Individuals will have access to their own data
    • Right to be forgotten - able to delete data

Compliance

• Payment Card Industry Data Security Standard (PCI DSS)

This chapter discusses how to identify, analyze, and prioritize business continuity requirements, including developing the scope and the plan. It also talks about business impact analysis, and how to participate in BC planning and exercises.

Last summer I spent about a month studying for and getting my Certified Information Systems Security Professional (CISSP) certification from ISC2. I went about studying for the test a few ways:

• I used the PocketPrep app
• I attended a study bootcamp
• I did a bunch of practice tests

And finally…

• I got the ISC2 CISSP official study guide - I read it cover to cover, and highlighted and annotated the entire thing.

Twitter (@MrThomasRayner) told me there is interest in seeing my study notes. So, here we go! Welcome to my 21 part series on the takeaways and crucial points from each chapter in the ISC2 CISSP official study guide. To be clear, this isn’t a replacement for all those other study methods I mentioned above. This is just a supplement. This also isn’t everything you need to know for the test. This is just what I feel are the most important points.

It’s important to remember that while many of these terms and phrases have different meanings in different contexts, the definitions I’m providing below are the ones that are relevant in the CISSP exam. Your own training or experience may tell you that a definition is incorrect or invalid, but if you want to get the exam questions right, you’ll have to know them as they’re defined in the books and study material.

The CISSP exam is often said to be “a mile wide but only an inch deep” which means you need to know a little bit about a lot of stuff. Accordingly, these posts contain a lot of points and while you might not be questioned on all of them, you could be questioned on any of them. It’s important to have a good grip on every chapter in its entirety.

Previous Chapters

• Chapter 1: Security Governance Through Principles and Policies
• Chapter 2: Personnel Security and Risk Management Concepts

Chapter 3: Business Continuity Planning

My key takeaways and crucial points

Planning for Business Continuity (BC)

• Business Continuity Planning - BCP. The goal is to implement policies, procedures and processes so that a disruptive event has as little impact on the business as possible.
• BC activities are focused at a high level and center on business processes (strategic)
• DR (disaster recovery) focuses on technical activities (tactical)
• Overall BCP goal is providing a quick, calm, efficient response to emergencies, enhance ability to recover from a disruption

Business Organization Analysis

• Operational departments - responsible for core services
• Critical support services - other groups responsible for systems upkeep
• Corporate security teams - first responders
• Senior executives - ongoing viability of the organization
• Be sure to account for headquarters and also branch offices

BCP Team Selection

• Representatives from each org’s departments
• Team members from the functional areas
• IT subject matter experts
• Cybersecurity
• Facility management
• Attorneys
• Human resources
• Public relations
• Senior management
  • Without an active senior management presence, your BCP plan will suffer or fail

Resource Requirements

• Four elements
  • Project scope and planning
  • Business impact assessment
  • Continuity planning
  • Approval and implementation
• BCP is often expensive, requires a large amount of resources
  • Being out of operation is more expensive - identify the costs incurred by the business for each day that the business is down

Legal and Regulatory Requirements

• Public firms have a fiduciary responsibility to have these plans, also financial intuitions, pharma manufacturers
• Service level agreements likely obligate a BCP

Business Impact Assessment (BIA)

• Identifies resources that are critical to an organization’s ongoing viability and threats posed to those resources
• Quantitative decision making - Use of numbers
• Qualitative decision making - Non-numerical factors

Identify Priorities

• Gather input from all parts of the org
  • Everybody has different priorities
  • What IT/security/management thinks is mission critical may not be what the sales/finance people think is critical
• Quantitative metrics
  • Asset value - AV. Monetary value of each asset
  • Maximum tolerable downtime - MTD. Max length of time a business function can be inoperable before it harms the business.
  • Maximum tolerable outage - MTO. Same metric as MTD.

Risk Identification

• Natural risks vs man-made risks
• The below are all considered natural threats but might trip you up
  • Prolonged power outages
  • Building collapses
  • Transportation failures
  • Internet disruptions
  • Service provider outages

Likelihood Assessment

• Annualized rate of occurrence - ARO. A percentage that represents how many times in one year an event is likely to occur.
  • 0.5 = once every two years
  • 12 = once every month

Impact Assessment

• Exposure factor - EF. Amount of damage a risk poses to the asset. Percentage of the asset’s value.
  • If a fire reduces the value of a business by 70%, the EF is 70.
• Single loss expectancy - SLE. Monetary loss that is expected each time the risk materializes.
  • SLE = AV x EF
• Annualized loss expectancy - ALE. Monetary loss that the business expects to result of a risk harming the asset over the course of a year.
  • ALE = SLE x ARO
  • Allows you to budget annually for countermeasures for threats that may occur on a non-annual basis.

Resource Prioritization

• Create a list of all risks
• Sort by descending order according to ALE

Continuity Planning - Strategy Development

• Depends on the prioritized list of concerns according to ALE
  • Determines what risks are most important to the business
• Refer to MTD estimates

People

• PEOPLE ARE ALWAYS FIRST
  • Ensuring that the people in your organization before, during, and after an emergency is always the first priority
  • People are your most valuable asset
  • Any time human safety is a possible answer to a question, you must remember that human safety is always the most important

Buildings and Facilities

• Hardening provisions - Protects existing facilities against risks defined in strategy development phase
• Alternate sites - If you can’t harden a facility, BCP should identify an alterative site where business activities can resume asap

Infrastructure

• Physical hardening systems - Protective measures
• Alternative systems - Redundancy

Plan Approval and Implementation

• Senior management approval and buy-in is essential to the success of the overall BCP effort

Plan Implementation

• BCP team should supervise the conduct of an appropriate BCP maintenance program and ensure that the plan remains responsive to evolving risk

Training and Education

• Personnel who are involved in the plan need training
  • On the overall plan
  • On their specific responsibilities
• Everyone in the org
  • Plan overview
• People with direct BCP responsibilities
  • Trained and evaluated on their tasks
  • At least one backup person needs training for each task

BCP Documentation

• Written continuity document
• Historical record of the BCP process for future personnel to understand the current process
• Documents reviewed by people outside the BCP team for a “sanity check”

Continuity Planning Goals

• The plan should describe the goals of the continuity planning
• Ensure continuous operation of the business in the face of an emergency
• Meeting SLAs and KPIs
• Continuity plan elements
  • Statement of Importance
    • Reflects how critical the BCP is
  • Statement of Priorities
    • Identify priorities phase of business impact assessment
    • List functions that are critical to continued business operations in a prioritized order
  • Statement of Organizational Responsibility
    • Basically echoes the sentiment that “business continuity is everybody’s responsibility”
  • Statement of Urgency and Timing
    • Outlines the implementation timetable
  • Risk Assessment
    • Recaps the decision making process from BIA
    • For quantitative analysis, the AV, EF, ARO, SLE, and ALE figures should be included
    • For qualitative analysis, the thought process behind the risk analysis should be included
  • Risk Acceptance/Mitigation
    • Risks that are deemed acceptable - list the reasons
    • Risks that are deemed unacceptable - list provisions and processes in place to reduce the risk
    • Resist the statement “we accept this risk” and force the documentation of risk acceptance decisions
      • Force accountability for risk planning/acceptance
      • Protect yourself from auditor scrutiny
  • Vital Records Program
    • States where critical records will be stored
    • How to make backups and store them
  • Emergency Response Guidelines
    • Organization and individual responsibilities for emergency response
    • Immediate response procedures for security, safety, fire suppression, notification of emergency response agencies
    • A list of individuals who should be notified of incident
    • Secondary response procedures for first responders to follow while waiting for BCP team to assemble
    • Should be easily accessible

Maintenance

• BCP should not be disbanded, should continue to meet periodically
• Practice good version control
• Include BCP responsibilities in job descriptions, include in performance review process

This chapter is about working with risk. Human weaknesses are discussed at the beginning and end of the chapter in the form of job descriptions, and then about training. This chapter also discusses how to think about risk, define risks correctly, and how to think about countermeasures and other responses to risk.

Last summer I spent about a month studying for and getting my Certified Information Systems Security Professional (CISSP) certification from ISC2. I went about studying for the test a few ways:

• I used the PocketPrep app
• I attended a study bootcamp
• I did a bunch of practice tests

And finally…

• I got the ISC2 CISSP official study guide - I read it cover to cover, and highlighted and annotated the entire thing.

Twitter (@MrThomasRayner) told me there is interest in seeing my study notes. So, here we go! Welcome to my 21 part series on the takeaways and crucial points from each chapter in the ISC2 CISSP official study guide. To be clear, this isn’t a replacement for all those other study methods I mentioned above. This is just a supplement. This also isn’t everything you need to know for the test. This is just what I feel are the most important points.

It’s important to remember that while many of these terms and phrases have different meanings in different contexts, the definitions I’m providing below are the ones that are relevant in the CISSP exam. Your own training or experience may tell you that a definition is incorrect or invalid, but if you want to get the exam questions right, you’ll have to know them as they’re defined in the books and study material.

The CISSP exam is often said to be “a mile wide but only an inch deep” which means you need to know a little bit about a lot of stuff. Accordingly, these posts contain a lot of points and while you might not be questioned on all of them, you could be questioned on any of them. It’s important to have a good grip on every chapter in its entirety.

Previous Chapters

• Chapter 1: Security Governance Through Principles and Policies

Chapter 2: Personnel Security and Risk Management Concepts

My key takeaways and crucial points

Personnel Security Policies and Procedures

• Humans are the weakest element in any security solution.
• Making a job description involves setting a classification for the job, screening candidates, hiring and training.
• Job descriptions are important to a security solution.
  • What kind of security access is needed to perform job responsibilities?
• Separation of duties - Critical, significant, and sensitive work tasks are divided among several individuals, preventing one person from having any ability to undermine or subvert security mechanisms.
• Principle of least privilege - Giving people the least amount of access and privileges that still allows them to perform their duties.
  • Protects against collusion - when two or more people work together to undermine security for the purposes of fraud, theft, or espionage.
• Job responsibilities - Specific work tasks.
• Job rotation - Rotating employees among multiple job positions. Provides knowledge redundancy, and reduces risk of fraud, theft, misuse, etc.
  • If misuse occurs, someone else performing the job will detect it. Additionally, misuse becomes more likely as people become increasingly familiar with their work tasks and how their privileges may be abused.
• Cross-training - Workers are prepared to perform other job positions, but they are not rotated.
• Job descriptions are not just for the hiring process, but need to be maintained throughout the life of the organization.
• Onboarding - The process of adding new employees.
• Offboarding - The reverse of onboarding.
• Terminations should take place with at least one witness. People who are terminating should be escorted off the premises. Organization-specific identification and access must all be revoked and collected.
• Exit interview - A meeting that takes place with an offboarding employee.
  • Make sure all organization equipment and supplies are returned
  • Remove or disable user accounts
  • Human resources remuneration gets handled (pay unused vacation time, etc.)
  • Arrange for security department to accompany employee while they gather personal belongings
  • Inform security personnel the ensure ex-employee doesn’t attempt to reenter the building without an escort
  • Remind the employee of liabilities and restrictions based on employment agreement, nondisclosure agreement, etc.

Vendor, Consultant, and Contractor Agreements and Controls

• Vendor controls are used to define levels of performance and expectations for organizations and people external to the primary organization.
• Service level agreement - SLA. The document that often defines these expectations. For instance:
  • System uptime
  • Maximum consecutive downtime
  • Peek load
  • Responsibility for diagnostics
  • Failover time
• SLAs commonly contain financial and other remedies for violations. Should include a focus on protecting and improving security.

Privacy Policy Requirements

• Some definitions for privacy
  • Active prevention of unauthorized access to information
  • Freedom from unauthorized access
  • Freedom from being observed
• Personally identifying information - PII. Any data that can be easily and/or obviously traced back to the person of origin or concern.
  • Examples: Phone number, email address, social security number.
  • NOT PII: MAC address, operating system type, high school mascot.
  • Student ID numbers are not PII. They can exist at different institution.
• Privacy legislation:
  • HIPAA - Health Insurance Portability and Accountability Act
  • SOX - Sarbanes-Oxley Act of 2002
  • FERPA - Family Educational Rights and Privacy Act
  • Gramm-Leach-Bliley Act
  • GDPR - General Data Protection Regulation
  • PCI DSS - Payment Card Industry Data Security Standard

Security Governance

• Security governance - Supporting, defining, directing security efforts.
  • Third-party governance may be mandated by law, regulation, standards, etc.
• Documentation review - Performed before any on-site inspection takes place.
• ATO - Authorization to Operate - related to military and government contracts.

Understand and Apply Risk Management Concepts

• Risk - The possibility that something to happen to damage, destroy, or disclose data or other resources.
• Risk management - Process of identifying factors of risk and evaluating them in light of data value and countermeasure cost, and implementing cost-effective solutions for mitigating or reducing risk.
  • Supports the mission of the organization.
  • Reduce risk to an acceptable level.
• Asset - Anything that should be protected. Something important enough to protect.
• Asset valuation - A dollar value assigned to an asset.
• Threats - Any potential occurrence that may cause an unwanted outcome for a specific asset.
• Vulnerability - A weakness in an asset or the absence of a safeguard.
• Exposure - Being susceptible to asset loss due to a threat.
• Risk - The possibility that a threat will exploit a vulnerability and cause harm to an asset.
  • Risk = Threat * Vulnerability
• Safeguards - A security control, countermeasure, or anything else that removes or reduces a vulnerability or protects against one or more threats.
• Attack - The exploitation of a vulnerability by a threat agent.
• Breach - When a security mechanism is bypassed or thwarted.

Risk Assessment/Analysis

• Primarily an exercise for upper management.
• No way to eliminate 100% of risks. Only reduce them to an acceptable level.
• Quantitative risk analysis assigns real dollar figures to the loss of an asset.
  • Ex: You’d lose $15,000 if a car was stolen from your fleet.
  • Steps:
    1. Assign an asset value (AV) - inventory assets
    2. Calculate the exposure factor (EF - the percentage of loss experienced if a risk is realized) and single loss expectancy (SLE - the cost associated with a single realized risk against an asset)
    3. Probability that threat will occur within 1 year (ARO - annualized rate of occurrence. Once every two years is 0.5. Every month is 12.) - threat analysis
    4. Find the annualized loss expectancy (ALE - possibly yearly cost of all instances of a realized threat), calculate changes to ARO and ALE based on applied countermeasures. ALE = SLE * ARO. How much it would cost if this happened, times how likely that thing will happen within one year, equals your ALE.
    5. Perform a cost/benefit analysis for each countermeasure. ALE before safeguard minus the ALE after implementing the safeguard, minus the annual cost of the safeguard equals the value of that safeguard. If the value is negative, it’s not worth it.

Fun Fact! I did a session on how to get everything you’ve ever wanted from your stakeholders called “How to Take Risks Without Getting Clawed in the Face” that covers using a quantitative risk analysis approach to win every “I want something” conversation you’ll ever have.

• Qualitative risk analysis assigns subjective and intangible values to the loss of an asset.
  • Ex: You’d lose the trust of your customers if you customer contact information was exposed.
  • Scenario-based. Scenarios are a written description of a single major threat.
  • Delphi technique - Anonymous feedback-and-response processed used to enable a group to reach an anonymous consensus. Elicits honest and uninfluenced responses.
  • May also perform brainstorming, focus groups, surveys, etc.

Risk Responses

• Risk mitigation - Implementation of safeguards to eliminate or block threats.
• Risk assignment - Transferring risk so that the cost of a loss falls onto another entity or organization. Such as purchasing insurance or outsourcing.
• Risk acceptance - Cost/benefit analysis shows that countermeasure costs outweigh the possible cost of loss from a risk, so you may just decide that you’ll do nothing about the risk other than acknowledge it and periodically revisit your decision.
• Risk deterrence - Implementing deterrents like auditing, security cameras, warning banners.
• Risk avoidance - Selecting an alternate option that has less risk.
• Risk rejection - Unacceptable but possible, ignore the risk, deny it exists, hope it is never realized.
• Residual risk - Comprises threats to specific assets against which one chooses not to implement a safeguard. Risk that is accepted.
• Total risk - Risk faced if no safeguards were implemented.
  • Threats x Vulnerabilities x Asset value = Total risk

Countermeasure Selection and Implementation

• Cost of countermeasure should be…
  • less than cost of asset
  • less than benefit of countermeasure
• Result should make cost of an attack greater than derived benefits
• Countermeasure should provide a solution to a REAL problem. Not just sound cool.
• Benefit of countermeasure should not depend on its secrecy. That’s security through obscurity.
• Countermeasures should…
  • Be testable and verifiable
  • Provide consistent and uniform protection
  • Have few or no dependencies
  • Require minimal human intervention after deployment
  • Be tamperproof
  • Have overrides for privileged operators only
  • Provide fail-safe and/or fail-secure options

Types of Controls

• Technical - hardware or software
• Administrative - policies and procedures
• Physical - items you can physically touch
• Security controls:
  • Deterrent - Discourage violation of security policies
  • Preventative - Thwart or stop unwanted activity
  • Detective - Discover or detect unwanted activity
  • Compensating - Provide options to other existing controls
  • Corrective - Modifies the environment to return systems to normal after unwanted activity
  • Recovery - Extension of corrective, but more advanced.
  • Directive - Direct, confine, or control actions of subjects to enforce or encourage compliance.
• Security control assessment - SCA. Formal evaluation of security infrastructure’s individual mechanisms against a baseline or expectation. See NIST 800-53A.

Continuous Improvement

• Risk analysis is performed to provide management with details needed to decide how to respond to risk.
• Risk analysis/assessment is always “point in time” and must be periodically revisited.

Risk Frameworks

• See NIST 800-37 for Risk Management Framework (RMF) which has these steps:
  • Categorize information
  • Select initial set of baseline controls
  • Implement controls
  • Assess the controls
  • Authorize information system operation based on determination of the risk
  • Monitor controls in an ongoing basis

Establish and Maintain a Security Awareness, Education, and Training Program

• Awareness - prerequisite to security training. Make security a recognized entity for users.
• Training - teaching employees to perform their work tasks and to comply with security policy.
• Education - more detailed training where users learn much more than they actually need to know to perform their work tasks.

Manage the Security Function

• Measurable security means that there is a clear benefit provided, and one or metrics are recorded and analyzed.

Last summer I spent about a month studying for and getting my Certified Information Systems Security Professional (CISSP) certification from ISC2. I went about studying for the test a few ways:

• I used the PocketPrep app - check your phone’s app store. I paid for it ($40 at the time) and did all of the questions. I found it was a great way to study in smaller durations of free time.
• I attended a study bootcamp - my employer had a bunch of us going through the process of studying for the CISSP exam at the same time, and hired a professional to put us through a week long bootcamp. I found it super helpful to get “insider” tips on how the exam is constructed, and to hear tales of the test from someone who has written and passed it many times.
• I did a bunch of practice tests - these came with my book.

And finally…

• I got the ISC2 CISSP official study guide - I read it cover to cover, and highlighted and annotated the entire thing.

I took to Twitter (@MrThomasRayner) to find out if there was interest in a series about my takeaways and crucial points from each chapter in the ISC2 CISSP official study guide, and found that there was.

So, here we go! Welcome to my 21 part series on the takeaways and crucial points from each chapter in the ISC2 CISSP official study guide. To be clear, this isn’t a replacement for all those other study methods I mentioned above. This is just a supplement. This also isn’t everything you need to know for the test. This is just what I feel are the most important points.

It’s important to remember that while many of these terms and phrases have different meanings in different contexts, the definitions I’m providing below are the ones that are relevant in the CISSP exam. Your own training or experience may tell you that a definition is incorrect or invalid, but if you want to get the exam questions right, you’ll have to know them as they’re defined in the books and study material.

The CISSP exam is often said to be “a mile wide but only an inch deep” which means you need to know a little bit about a lot of stuff. Accordingly, these posts contain a lot of points and while you might not be questioned on all of them, you could be questioned on any of them. It’s important to have a good grip on every chapter in its entirety.

Chapter 1: Security Governance Through Principles and Policies

What this chapter is about

This chapter introduces security governance, management concepts, and principles which are inherent elements in security policy and in solution deployment. It covers a swath of foundational information that serves many of the other chapters in the book, like the CIA Triad and data classification.

Later, Chapter 1 discusses threat modeling, after it covers security control frameworks.

My key takeaways and crucial points

The CIA Triad

• The most important security principle is the CIA triad. It stands for “Confidentiality”, “Integrity”, and “Availability”.
• Confidentiality
  • The secrecy of data, objects or resources.
  • Encryption is a popular control for managing confidentiality.
  • An object is a “passive element” - files, computers, network connections, applications.
  • A subject is an “active element” - users, programs, computers (yes computers can be both active and passive depending on context).
• Confidentiality terms:
  • Sensitivity - The attribute of information that could cause harm or damage if it was disclosed.
  • Discretion - Where one can influence or control data.
  • Criticality - The level to which data is “mission critical”.
  • Concealment - The act of hiding data to prevent disclosure. Sometimes this means “security through obscurity”.
  • Privacy - The confidentially of data that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed.
  • Seclusion - Storing something in an out-of-the-way location.
  • Isolation - Keeping something separate from others.
• Integrity
  • The veracity/accuracy of data.
  • Assurance that data can be intentionally modified only by authorized subjects.
  • Cryptographic signing is a popular control for managing integrity.
  • Integrity means:
    • Preventing unauthorized subjects from making modifications.
    • Preventing authorized subjects from making unauthorized modifications, even mistakes.
    • Maintaining consistency of data so that they are true and correct.
  • Integrity depends on confidentiality.
• Integrity terms:
  • Accuracy - Being correct and precise.
  • Truthfulness - Being a true reflection of reality.
  • Authenticity - Being authentic or genuine.
  • Validity - Being factually or logically sound.
  • Nonrepudiation - Not being able to deny having performed an activity, being able to verify the origin of something.
  • Accountability - Being responsible for actions and results.
  • Responsibility - Being in charge or having control over something.
  • Completeness - Having all needed parts.
  • Comprehensiveness - Being complete in scope.
• Availability
  • The timely and uninterrupted access to objects.
  • Denial of service attacks are attacks on availability.
• Availability terms:
  • Usability - The state of being easy to use or learn or being able to be understood and controlled.
  • Accessibility - Assurance that the widest range of subjects can interact with a resource regardless of their capabilities.
  • Timeliness - Being prompt, on time, or within a reasonable timeframe.

Other Security Concepts

• AAA services provide “Authentication”, “Authorization”, and “Accounting” (aka “Auditing”).
• Identification - Claiming to be an identity.
• Authentication - Proving that you are that identity you claim.
• Authorization - Defining permissions of a resource and object access for a specific identity.
• Auditing - Recording a log of events and activities. Can be used to detect unauthorized activity or abuse.
• Accounting - Reviewing log files to check for compliance. Linking a human to the activities of an electronic identity.
• “Monitoring” is a type of watching or oversight, while “auditing” is a recording of information to a record or file.
• Layering - aka “Defense in Depth”. The use of multiple controls in a series.
  • Performing security restrictions in series means they are performed one after another in a linear way.
• Abstraction - Similar elements are put into groups or roles that are assigned security controls as a collective.
  • Classifying objects.
• Data hiding - Preventing data from being discovered or accessed by a subject by positioning the data in a logical storage compartment that is not accessible or seen by the subject.
  • “Security through obscurity” is different. Data hiding is intentionally positioning data out of view, while security through obscurity is not informing a subject about an object being present.
• Encryption - Hiding the meaning or intent of a communication from unintended recipients.

Evaluate and Apply Security Governance Principles

• Security governance - Supporting, defining, and directing the security efforts of an organization.
  • NIST 800-53 or 800-100 standards apply here.
• Governance is responsible for security policies
• Business case - A documented argument or stated position. Helps to make a decision or take some action by demonstrating a business-specific need.
• Top-down approach - One of the most effective ways to tackle security management planning.
  • Upper management is responsible for initiating and defining policies.
  • Middle management is responsible for fleshing out policies into standards, baselines, guidelines and procedures.
  • Operational management then must implement the configurations as prescribed.
  • End users must comply with security policies.
  • Opposed by the bottom-up approach where IT staff make security decisions without input from senior management.
• Security management being the responsibility of upper management illustrates that it is an issue of business operations rather than IT administration.
• Any and all security management plans fail without senior management approval and commitment to the security policies.
• Types of plans:
  • Strategic plan - Executives are responsible. A long-term plan that is fairly stable. It should include a risk assessment.
  • Tactical plan - Managers are responsible. Midterm plan developed to provide more details on accomplishing the strategic plan’s goals. Includes and schedules the tasks necessary to accomplish organizational goals.
  • Operational plan - Employees are responsible. Short-term, highly detailed plan based on strategic and tactical plans. Define how to accomplish the various goals of the organization. Includes resource allotments, budgets, staff assignments, schedules, and step-by-step procedures.
• Security governance is a continuous process.
• Change control/management - Ensure that any change does not lead to reduced or compromised security, and the possibility to roll back any change to a previously secured state.
  • Change management is crucial for maintaining security by managing change systemically.

Data Classification

• Data classification - The primary means by which data is protected is based on its need for secrecy, sensitivity or confidentiality.
  • This is the process of organizing items, objects, subjects, etc. into groups and categories with similarities.
  • Securing all data at the same level is inefficient. Securing everything at a low level means sensitive data is exposed. Securing everything at a high level is too expensive and restricts access to some data unnecessarily.
• Declassification - Once an asset no longer warrants or needs the protection of its assigned level, it needs to be declassified.
• Government/military classification
  • Top secret - Highest level. Unauthorized disclosure will have drastic effects and cause grave damage. It’s compartmentalized on a need-to-know basis. A user could have top-secret clearance and have no access to data until they need to know about it.
  • Secret - Unauthorized disclosure has significant effects and cause critical damage.
  • Confidential - Unauthorized disclosure has noticeable effects and cause serious damage.
  • Sensitive but Unclassified - Used for data that is for office use only. Unauthorized disclosure could violate the privacy rights of individuals.
  • Unclassified - Data that is neither sensitive nor classified.
  • Top secret, secret, and confidential are “classified” categories. Sensitive but Unclassified, and Unclassified are “not classified” categories.
• Commercial business/private sector classification
  • Confidential - Highest level of classification. Proprietary data, disclosure has drastic effects on competitive edge of an organization.
  • Private - Private or personal nature, intended for internal use only.
  • Sensitive - More classified than public data. A negative impact would occur if disclosed.
  • Public - Lowest level of classification. Used for all data that does not fit a higher classification.
• Ownership - The formal assignment of responsibility to an individual or group. Owners often have full capabilities and privileges over the objects they own.

Organizational Roles and Responsibilities

There is a lot to know about each of these roles. Here are the key points about each one.

• Senior manager - Organization owner. Must sign off on all policy issues.
• Security professional - A trained and experienced engineer who is responsible for following the directives of management.
• Data owner - Responsible for classifying information so it may be placed and protected within the security solution.
• Data custodian - Implements the prescribed solution. Perform all activities needed to provide protection.
• User - A person who has access to a secured system. Responsible for understanding and upholding the security policy.
• Auditor - Reviews and verifies that the security policy is properly implemented and adequate.

Security Control Frameworks

• Security control frameworks are standards that help plan an overall security solution.
• COBIT - Control Objectives for Information and Related Technology.
  • 5 key principles:
    1. Meeting stakeholder needs
    2. Covering the enterprise end-to-end
    3. Applying a single, integrated framework
    4. Enabling a holistic approach
    5. Separating governance from management
  • Crafted by the Information Systems Audit and Control Association (ISACA).
• ISO/IEC 27002, ITIL are other standards to know about.

Due Care and Due Diligence

• Due care - Means “correction”. Using reasonable care to protect interests of an organization.
• Due diligence - Means “detection”. Practicing the activities that maintain the due care effort.
• Showing both due care and due diligence are the only ways to disprove negligence in an occurrence of loss.

Developing Documents

• Security Policies
  • Defines the scope of security needed.
  • Discusses the assets that need security and the extent that security solutions should go to provide the protection.
  • Defines all relevant terms.
• Acceptable Use Policy - Designed to assign security roles within the organization as well as ensure the responsibilities tied to those roles.
• Standard - Defines compulsory requirements.
• Baseline - Minimum level of security. Operationally focused.
• Guideline - Offers recommendations.
• Security Procedures
  • Step-by-step how-to documentation.
  • Not all users need to know all parts of every standard, baseline, guideline and procedure.
  • Avoid creating one giant monolithic document.

Threat Modeling

• The process where potential threats are identified, categorized and analyzed.
• Not a single event.
• Proactive approach takes place during development. AKA a defensive approach.
• Reactive approach takes place after a product has been created and deployed.
• Identifying threats - methods:
  • The focus in threat modeling is on objects
  • Focused on assets - Uses asset valuation results and tries to identify valuable assets.
  • Focused on attackers - Try to identify potential attackers and identify their goals.
  • Focused on software - Considering threats against in-house developed software.
• STRIDE is a scheme developed by Microsoft for threat categorization.
  • Spoofing - Using a falsified identity.
  • Tampering - Unauthorized changes.
  • Repudiation - Plausible deniability.
  • Information disclosure - Distribution of information to external or unauthorized entities.
  • Denial of service (DoS) - Prevents authorized use of a resource.
  • Elevation - A limited user account is used to gain greater access.
• Process for Attack Simulation and Threat Analysis (PASTA) is another methodology.
  1. Definition of the objectives (DO) for analysis of risks
  2. Definition of the technical scope (DTS)
  3. Application decomposition and analysis (ADA)
  4. Threat analysis (TA)
  5. Weakness and vulnerability analysis (WVA)
  6. Attack modeling and simulation (AMS)
  7. Risk analysis and management (RAM)
• TRIKE is another methodology that focuses on a risk-based approach.
• Disaster, Reproducibility, Exploitability, Affected Users, and Discoverability (DREAD) is another methodology.
• Visual, Agile, and Simple Threat (VAST) based on Agile project management and programming principles.
• Reduction analysis - Decomposing the application, system or environment into smaller containers or compartments. The purpose is to gain a greater understanding of the product and its interactions with other elements.
  • Trust boundaries - Any location where the level of trust or security changes.
  • Data flow paths - The movement of data between locations.
  • Input points - Locations where external input is received.
  • Privileged operations - Any activity that needs greater than standard privileges.
  • Details about security stance and approach - The declaration of policy, foundation and assumptions.

Prioritization and Response

• Define the means, target, and consequences of a threat.
• Rank threats using a probability x damage potential calculation.
• Rankings can be subjective and arbitrary sometimes, but should at least be consistent.
• Use a “high/medium/low” scale for each element of the calculation for simplicity if you must.
• High-priority items need to be addressed immediately.
• DREAD provides a rating system designed to be flexible:
  • Damage potential - How severe is the damage likely to be?
  • Reproducibility - How complicated is it for attackers to reproduce the exploit?
  • Exploitability - How hard is it to perform the attack?
  • Affected users - How many users are going to be affected (as a percentage)?
  • Discoverability - How hard is it for an attacker to discover this weakness?

Apply Risk-Based Management Concepts to the Supply Chain

• Secure supply chain - Where all vendors and links are reliable, trustworthy, reputable organizations.
• All links disclose their practices and security requirements to their business partners, but not necessarily to the public.

Important Update

The below post was based off of conversations that occurred in the community, and what can only be considered at best to be incomplete information. It’s important to me that I’m part of a solution to the miscommunication problems that got us to this point.

James Petty, who is the CEO of the DevOps Collective just issued a post on this subject that clears up a lot of the misconceptions and miscommunications. It’s pretty short, so I’ll reproduce it here to make sure you definitely see it before looking at the rest of this post.

The decision was made to partner with Pluralsight to do our video recordings in 2020. Pluralsight has offered to save us $40K-$50K (per event) by having their team do the recordings of the session. There was never any condition on their part that the recordings be hosted exclusively behind their paywall, this decision was made by the DevOps Collective. In fact, other events that they work with have their session recordings available to the public for free. After better understanding everyone’s perspectives on the subject, we’ve indicated to Pluralsight that we would like to use a different model instead, and they’re very happy to oblige us. They’ve made it clear that they’re happy to work with an event on whatever terms that event needs for its community, and we appreciate their flexibility and willingness to support us.

Give us a few days to get everything worked out and will make an announcement soon on the 2020 session recordings.

I appreciate the tough spot that James and his crew were put into here. This unraveled really quickly, and there are no easy solutions to the problems the Summit organizers are working to solve.

The vast majority of the uproar in the PowerShell community over the last couple of days has been based off the incorrect understanding that “Pluralsight will own the recordings and will decide what happens to them - probably going to put them behind a pay wall”. As James’ post outlines, this isn’t the case. It also appears that nothing is nearly as written in stone as many folks in the community previously thought it was. The right move at this point seems to be to chill out and trust that the good people behind all of the organizations involved will do the right thing. I’m all for holding people and organizations accountable, but there’s obviously a lot more about this situation that needs to be settled and communicated with the public. For my part in perpetuating the misinformation surrounding this subject, I apologize. Hopefully readers understand my original post below was based off of the information I had at the time, and appreciate my effort to correct it here.

The entire original post is below, with only a couple of formatting changes. The content itself is unchanged, since I don’t think there’s any point erasing it. Besides, my whole blog is on GitHub Pages so it’s all on the internet forever and ever anyway.

Here I go with my second post of 2019. I’ve certainly wanted to be more prolific, but it’s hard to blog about the work I perform daily for reasons I won’t get into. I’m really hopeful that I’ll return to an “every other week” cadence, but… we’ll see. Anyway, there’s been some news that I’m feeling compelled to provide my thoughts on.

In case you missed it, the folks who put on the PowerShell + DevOps Global Summit have just announced some changes about the recordings for the 2020 event. Simply put, in previous years, the DevOps Collective (the folks who organize and put on the Summit) have paid to record the sessions presented at the event with funds from sponsors and ticket sales. Those recordings have been uploaded to their YouTube channel and are therefore obviously shared for free with the community forever. In 2020, however, Pluralsight has purchased the rights to the recordings of these sessions and appears intent on hosting them behind a pay wall. Only people who attended the Summit and people with a Pluralsight subscription will be able to watch the recordings.

Full disclosure: I have some kind of a relationship with both Pluralsight and the DevOps Collective. I have authored two courses on Azure Automation for Pluralsight which I was paid for and continue to receive royalties on. You should watch them if you want to learn about Azure Automation. I am really proud of them. Occasionally, I buy and sell tiny amounts of Pluralsight stock. I’ve also presented at the previous two PowerShell Summits, and am looking forward to presenting again in 2020. I’ve received a stipend from the Summit for the session I presented in 2018, but since joining Microsoft, such compensation has ceased.

These changes to how the recordings from Summit are being handled have sparked a lot of discussion, and now I shall try to assemble my thoughts in one post. One thing that should be made absolutely clear is that although people are very passionate about this matter, and the community reaction has been largely negative, neither I nor anybody I’ve spoken with about this hold any anger towards the people behind these decisions on either side. I am lucky to know many of them personally and have nothing but great things to say about them. That said, there’s a lot to unpack here.

The Good

The good news here is there’s more money involved and that enables a lot of good things.

Good for Pluralsight

The obvious win here for Pluralsight is that they get exclusive access to incredible content shared by some of the most brilliant minds in this field. The content shared by Summit speakers is regularly the best new technical video content shared every year. Events like Summit, PSConfEU, PSConfAsia, and a small handful of user groups, are the only places you can depend on seeing these kinds of in-depth, intensely technical sessions. Putting this content behind a pay wall is clearly a way to generate revenue for Pluralsight. If you sign up for a trial to watch Summit recordings, maybe you’ll stick around and watch some other courses, and convert to being a paying customer.

Good for DevOps Collective

Warren’s post linked above indicates that the DevOps Collective will save about $100,000 USD between their two 2020 events. That’s a ton of money for this non-profit. Warren does a great job of outlining the benefits for Summit in his post, so I won’t reiterate them here, but I completely trust that the DevOps Collective is doing their absolute best to use these funds to put on the best event possible.

Professional recordings of conference sessions is expensive. Unless you’ve tried to organize recordings for your own conference, it definitely costs more than however much you think it costs. I don’t know exactly why companies are able to charge so much money to record conference sessions, but they do. This isn’t even just a Bellevue thing. It’s expensive to record conferences everywhere in the world.

Good for Speakers

This is the group I identify with. The best part of this decision for speakers is that there are going to be more of us in 2020. The compensation for speaking at Summit is a free ticket to Summit. The more free speaker tickets the DevOps Collective gives away, the more other attendees and sponsors have to pay to help cover those costs. More speakers (hopefully) means a more diverse group on stage, and therefore a broader exposure of thoughts and ideas for everyone.

More speakers also means that each speaker may present fewer sessions. Personally, I love the idea of presenting as many times as the organizers will let me, but that’s obviously self-indulgent, and also probably not great for the aforementioned diversity of ideas and thoughts. Speaking at Summit is a Big Deal™, especially for folks who are less established in the community, and if speaker stress can be reduced by limiting the number of multi-session presenters, then that’s a good thing which obviously costs money.

Having recorded examples of technical sessions is a big deal for speakers. It’s big for one’s personal brand, their status in the community as a trusted source of information, and is a key element in a speaker’s work to get more sessions accepted at more events. The YouTube uploads of the Summit session recordings usually get a few hundred to a few thousand views. The DevOps Collective doesn’t have a ton of resources to spend marketing them, and so it falls on the speakers to spread their session recordings around. It stands to reason that a for-profit company with a more obvious financial interest in making sure these recordings get watched would put more effort and resources into marketing. Although the recordings would be behind a pay wall, it’s possible (but not proven) that more people would actually see them.

Good for Community

By “community” I mean people who may or may not be attending Summit. If you’re attending Summit, you’ll get access to the recordings. This is huge because Summit runs multiple sessions at the same time and it’s often impossible to choose between different sessions that run against each other. I’ve personally had the experience of building my schedule, having a hard time choosing a session for a specific time slot, and then realizing I should probably attend the session that I was going to be presenting. Having a substantial financial interest in making sure that session recordings are available for paying customers and Summit attendees is in the best interest of Pluralsight, which assures Summit attendees that some of the “do I go here or there” challenges aren’t such a big deal because the recordings will be available after.

If you’re not attending Summit, there’s no good here for you at all. Speaking of which, now for…

The Bad

No matter which way you look at this, putting the Summit session recordings behind a pay wall has some absolutely impossible to ignore drawbacks.

Bad for Pluralsight

I’ll be blunt, not out of anger, but out of clarity: Pluralsight looks greedy here.

But, why shouldn’t they be? Pluralsight is a publicly traded company with a fiduciary responsibility to its shareholders to make decisions that are profitable. A somewhat modest, transparent display of greed isn’t really something that I personally fault Pluralsight for. They saw a business opportunity and seized it, negotiating terms that were favorable for Pluralsight. That’s exactly what they’re supposed to do.

Pluralsight will own the rights to the recordings of Summit sessions, and has made it clear that Pluralsight subscribers and Summit attendees will be able to watch them. Right now, it appears that these are the only groups of people for whom Summit session recordings will be made available, although nobody has actually come out and said publicly that the general community at large won’t be able to watch them. Pluralsight has some content available to watch for free, and there’s an opportunity here for Pluralsight to add the Summit session recordings to that library. One compromise that I’m personally a fan of is for Pluralsight to host the Summit sessions for its members and Summit attendees only for a few months, and then make them public.

Bad for DevOps Collective

Being blunt again not out of anger, but out of clarity: The DevOps Collective looks like they sold out.

All of the wonderful things that the DevOps Collective plans to do with this money aside, they’re a community-oriented non-profit who just silently sold an enormously valuable community resource to a for-profit company. This is a bad look. As a non-profit whose existential purpose is to contribute, and help others to contribute to the PowerShell and DevOps community, this is objectively a huge step in another direction.

Everybody who’s dug into this issue totally understands that recording conference sessions is expensive and complicated. Everybody deeply appreciates the financial and human resources that the DevOps Collective puts into making these recordings available to the community. Everybody also wants the DevOps Collective to continue making that investment and make sure these sessions are donated to the community. This is a “stuck between a rock and a hard place” scenario for the DevOps Collective, but right now the general public opinion appears to be that they chose wrong.

Bad for Speakers

Many speakers feel blind-sided by this. It appears that details of this arrangement were still being finalized while the CFP was going on, and so the first speakers heard of the recordings being put behind a pay wall was when they found out their session proposal was accepted and they read the speaker agreement. Some speakers I’ve spoken to have already decided they are going to retract their proposal, and many more are considering the same. I’m not among those who are considering pulling out of Summit, but I can see where they’re coming from.

Speakers Are Paying To Create Content For A For-Profit Company

My biggest issue with this whole thing is that speakers are being taken advantage of. When you agree to speak at Summit, you agree to cover your own travel and expenses. You are compensated with a free ticket to Summit, and that’s it. Possibly there will be a modest stipend, but that’s not part of the agreement. This adds up to a scenario where a speaker (or their employer) is paying thousands of dollars in travel, lodging, meals, time away from the office, etc. in exchange for the opportunity to speak at Summit, engage with other attendees, and to enjoy all the other sessions.

In this new situation, however, now a speaker or their employer is paying thousands of dollars for all of that, but a significant product of that investment is now a source of revenue for a for-profit company instead of a donation made to the technical community. Speakers are effectively paying to create content for a for-profit company. I can’t express clearly or emphatically enough how much I dislike this.

Since I work at Microsoft, it costs me nothing to speak at Summit. I live in the area, my employer gives me the time to attend the event. I suppose the expense I take on is some of my free time goes towards making my sessions as good as I can. In the past I’ve taken vacation time, and paid all my own expenses in order to speak at Summit. I did that with the understanding that me speaking at Summit was good for me (exposure, personal brand), good for the conference (unique content), and good for the entire community (watch my content). Nobody profited off my expenditures.

Bad for Community

Obviously, the general public got to view these recordings for free and now they have to pay. Pretty cut and dry here. I feel like I’ve sold the quality of the technical content shared at Summit already, and won’t re-hash it here.

The Bottom Line

There is good and bad for everybody here. More money being involved means that the event itself benefits, and so do the people directly connected to the event, including the speakers and attendees. The people who are victims of this situation are the general community who’s not attending Summit, and the speakers. That’s right, speakers both win and lose here.

It’s a complicated scenario with a lot of different perspectives to consider. I don’t envy anybody involved in these decisions. While I think the DevOps Collective made a mistake, there is a chance for Pluralsight to “do the right thing” and make the recordings public on their site (perhaps after a period of time), and “donate” them to the technical community.

If you have thoughts on this new agreement that Pluralsight and the DevOps Collective have entered into regarding the 2020 recordings of the Summit sessions, especially if you like the idea of making the recordings public after a period of time of paid access, tweet at @PSHSummit, @PSHOrg, @Pluralsight, and use the hashtags #PSHDevOps and #PSHSummit. Tag me too, @MrThomasRayner. Please also join us in the Conferences channel on the unified/bridged PowerShell community Discord and Slack.

Whoa, it’s been a while since I got a post out. Between my slower posting schedule and the fact that I moved from WordPress to GitHub pages (and changed the domain), it’s a miracle I have any SEO points left at all! Anyway, that’s not really the point of this post. The point of this post is to talk about the cool event I attended recently in Columbus, Ohio. Spoiler alert: I was blown away.

If you like (or don’t like) the story time format blog posts, please let me know my tweeting me: @MrThomasRayner. A lot of what I work on during my day job is stuff I don’t feel comfortable blogging about, and since that used to be my main source of blog post ideas, the story format might help get me writing again.

About the event

Hack OHI/O is a program which is self-described as fostering a tech culture at Ohio State University and the communities nearby. They’ve been around since 2013 and run a bunch of events. One of the people in my management chain is an OSU grad and worked to coordinate some sponsorship money from Microsoft in support of this awesome program, and that’s how I ended up getting to attend High School I/O event to provide some mentorship to the students participating and judging the projects at the end of the day.

The High School I/O event I went to, as the name suggests, is for high school aged kids. A lot of the other mentors were actually OSU Comp Sci students who volunteered their time. There were also folks there from Cover My Meds, who hosted us, and a handful of other local organizations. I think I won the “traveled the furthest to be here” award, having flown from the Seattle area. So, let me tell you the story of my weekend.

Friday

I made my way to SeaTac on Friday morning to head out to Columbus. The only direct flight had a 9:45 AM departure, so no sleeping in for me! I actually ended up waking up at the same time I’d wake up any other day. I recorded all the demos for my Writing Compiled PowerShell Cmdlets session for the PowerShell & DevOps Global Summit on the 4 hour flight there. When I landed, I finally got to meet @StevieCoaster who generously picked me up from the airport. We inadvertently attended three different breweries and taphouses (one closed for an event, one super full, and one that got us in). We sampled their wares, had dinner, exchanged stickers and swag, and gossiped relentlessly about the PowerShell community. It was awesome to meet Stevie, and I can’t wait to see him and a bunch of other folks again at PshSummit in April.

Saturday

Saturday was the day of the hackathon, and it was a full day. With the time difference, it felt like a 3:30 AM wake up to start things off. That’s nothing a little caffeine and enthusiasm can’t fix, so I got my act together and headed over to the event. I was a little early and stashed myself away in a conference room while the organizers and hosts finished setting up. I’m not sure why I thought it might start on time 😄. I chatted with some of the hosts who were Cover My Meds employees, and some of the other organizers and mentors who were mostly OSU Comp Sci students.

Mentoring the mentors

A lot of the students have internships lined up this summer for companies in the Seattle area, and were both excited and nervous about being that far from their homes in Ohio. As someone who just moved from his hometown to the Seattle area last year, I had a lot of empathy for them, but luckily, I could attest to how much I love being in Washington, and gave them some encouragement about that aspect of their internships. A couple of the students commented that they were going to miss college, where they had a stable group of friends, in familiar surroundings. They were excited for the next steps in their journey, but some had a gut feeling that they might not stay in touch in the long term, which I think is totally normal. Having gone through college and worked for a few different employers, I can definitely confirm that the folks you see every day at school or work aren’t always the people you end up forming long term relationships with after one of you leaves for something new. There are some that do, though, and I think those are true life-long friends. In my opinion, you’re lucky to have more than a few of those.

So, how about the hackathon itself?

The high schoolers who came had a huge array of ideas. There were IoT, mobile, web, desktop, and lots of other projects going on. There were games, self-help websites, social networks, accessibility tools, and tons more. This event didn’t have a particular theme (like an upcoming Hack OHI/O event for college aged students that focuses on AI, and others), so the students were pretty much left to their own devices. I had prepared a few suggestions for projects for groups that didn’t know what to do, but nobody I talked to had any trouble thinking of something to work on. The diversity among attendees was just as great to see. Students came from all kinds of different socioeconomic and ethnic backgrounds, as well as different genders. The value of the unique perspectives that come from having a team of diverse individuals is something that I’ve known for a long time, and something that Microsoft (my employer) very strongly believes in. I didn’t know what to expect at this event, but was refreshed and excited to know that programs like Hack OHI/O are reaching such a wide group of people.

Hacking for good

The humanitarian focus of a majority of projects was something I didn’t expect. I figured I’d see a lot of games and mobile apps. While I did see a lot of games and mobile apps, they were largely gamifying different aspects of self-help. Here’s a brief (absolutely not complete) list of projects I talked to students about:

• An IoT boat-drone that carries healthy plants around ponds and lakes to help clean up pollution
• A mobile app that surveys biometric and environmental area, correlated with a survey about your emotional state to help you identify what kind of places you find least stressful
• A site dedicated to helping people with PTSD avoid their triggers via crowd sourcing
• A mobile app that encourages kids with braces to wear their elastic bands by having them take a selfie with their bands on, and if their bands are on, awarding them points that go towards gift cards
• An IoT deadbolt that opens if it can identify the person by their knock
• A mobile app that helps hackathon attendees find events and projects to work on, as well as people with complimentary skillsets
• A site that helps people get the right amount of sleep
• A site that helps people with hearing problems properly adjust their volume and EQ settings
• A tool to help avoid “too much screen time” related headaches

That’s just a small list of what I can remember off the top of my head. There were a bunch more groups who were all working on equally awesome projects. I was blown away to see high school aged people focused on using technology for good so early in their tech adventures. I’m an enormous believer in using tech to help people, and it was amazing to see the bright, creative minds of tomorrow focused on making that tomorrow better not just for themselves, but for each other.

These kids weren’t messing around

You might wonder how much a team of 2 - 4 high school students could deliver in 8 hours of hacking time, like I was. To be certain, nothing that came out of this hackathon is ready for VC funding, but that’s not really the point, eh? Between the group of girls who “learned Unity in a day”, to the group of kids who “discovered how easy it is to get started with Firebase”, and the group who “was surprised how inexpensive it could be to get 4 Raspberry Pis on Amazon”, it immediately became clear that these youngsters who’ve grown up immersed in technology have no fear about diving into something new and quickly learning it. That kind of curiosity and thirst for learning is obviously going to be a huge advantage as these people grow up and enter the work force. For real, watch out for Gen Z.

I saw groups building client/server apps in Java, writing Swift, all kinds of JavaScript - including Typescript, C#, C++, C, Python, Rust, and more that I’m just not remembering right now. Sure, there was some maturity missing from the dev process (poorly handled secrets everywhere, not a lot of CI/CD), but to expect enterprise dev level maturity from kids who haven’t finished high school yet is obviously ridiculous. That kind of thing comes later.

I asked some of the groups how similar their projects were to other things they’ve worked on outside of this hackathon and was floored at the different apps, sites, tools, and games I was immediately shown. Their passion is contagious, and it was a huge privilege to get to chat with them about life, technology, and Microsoft all day.

Eventually, we crowned some winners:

• Best Designed Hack: A group of ladies who “learned Unity in a day” to make a game with a humanitarian focus
• Best Unfinished Idea: A group of guys who made that IoT deadbolt that recognized knocks of different individuals
• Most Original Hack: A group who made a site that helps people self-diagnose minor illnesses and remedy them at home
• Greatest Social Impact: These guys made an app that models your stress/happiness level based off environmental data
• Most Technically Difficult: The group who made a mobile app that connected hackathon attendees with hackathons and ideas for projects

The winners and runners up got their prizes (some gift cards and cool tiny Microsoft Azure branded bluetooth speakers), and everyone said their goodbyes and made their way home. I headed back to my hotel to crash after a huge 14 hour day of fun.

Sunday

After a much needed sleeping in, I got myself together, checked out of my hotel, and found my way to the airport. There’s not much to report about Sunday, other than I’m currently writing, and am about to publish this post from the plane on my way home while the experience is fresh, and I can’t wait to be back in Redmond! It was fun visiting Columbus, but man is it always great to come home to the PNW 😁.

Closing thoughts

It was so cool to get to attend this event and connect with the students who were participating (and mentoring). It was refreshing and invigorating to witness their enthusiasm and passion, as well as their focus on contributing positively to their community. I’ll certainly be doing my best to bring that energy back to Redmond and my work at Microsoft.

Thank you to Hack OHI/O for having me, and to Microsoft for sponsoring the event and sending me. I hope my teammates who attend their next few events have an experience that is rewarding as mine was.

Starting with PowerShell 6, the whole language is open source. You’ve probably heard about that already. But if you don’t think of yourself as a “developer”, then it’s possible that the most you’ve ever taken advantage of that fact is creating a GitHub issue or commenting on a PR. Today, follow along with me, and we’ll change that.

If you’re at all comfortable writing PowerShell, you’ll be able to pick up C# with relative convenience. To be fair, dabbling with editing PowerShell is pretty far removed from a “Hello world” exercise, but maybe it’ll be fun enough to motivate you to learn more. The deeper you get into PowerShell, the more learning some C# might help you.

So, let’s get at it. First, clone the repository with git clone https://github.com/powershell/powershell.git or fork it and clone your fork. Check out the contribution guide for information on how to prep your environment and build your own pwsh.exe from the source.

Then, open the PowerShell.sln file in Visual Studio, or open up the project in VS Code. I tend to prefer “full blown” Visual Studio for writing C#, because it’s what I’m used to, but VS Code is perfectly fine, with a couple extensions added on (which are recommended as soon as you start looking at C# stuff).

So, now, what do you want to do? I like to start simple. When you first launch pwsh.exe there’s a banner message that is displayed, which at the time of this writing reads something like:

PowerShell 6.1.0
Copyright (c) Microsoft Corporation. All rights reserved.

https://aka.ms/pscore6-docs
Type 'help' to get help.

Let’s make that more interesting. Probably, there’s a string somewhere that we can just edit and make it say whatever we want.

If you expand powershell-win-core, you’ll see Program.cs which is probably what gets run when you fire up pwsh.exe in Windows. At least, when I started poking around, that was my guess. It seems pretty simple. It returns an UnmanagedPSEntry.

Look at the definition of the UnmanagedPSEntry class (by right clicking on it and selecting “Go to definition”), and you can read the code for the Start() method that is called in Program.cs. Eventually, you’ll get to around line 70 in the file that defines UnmanagedPSEntry (at the time of this writing) where a variable named banner, and another one named formattedBanner are assigned a value. The banner value seems to come from another class called ManagedEntranceStrings so maybe let’s take a look at that. That name alone sort of sounds like the type of thing we want to mess with right now.

The ManagedEntranceStrings class which, as the comment in the file suggests, returns the cached ResourceManager instance used by the class. It looks like it’s located at "Microsoft.PowerShell.ConsoleHost.resources.ManagedEntranceStrings". So… let’s go peek in there. It’s a resx file.

Aha! Looks like maybe we found it. There’s a ShellBannerNonWindowsPowerShell item that looks like we can fudge around with. I’m just going to make it a little more casual.

Save everything, follow the above linked directions to build PowerShell, and launch the pwsh.exe that it created. You should see your new message. Mine looks like this.

Welcome to PowerShell 6.1.0. If you're stuck, type 'help', otherwise, check out the docs.

It’s the little things that add the most joy to life. In all honesty though, explore a bit and you’ll start to learn about how PowerShell really works, and next time you see something that doesn’t work like you think it should, you’ll have more power to do something about it.

If you’ve found your way to this blog, you probably already have a reasonable understanding of basic PowerShell concepts (or maybe that’s a foolish assumption). But, how about all your coworkers? And for you, you’re probably not done learning yet. There are plenty of ways to learn PowerShell - books, online courses, stealing code from blogs - but in my opinion, the best way to learn PowerShell is by writing PowerShell.

Normally, “learning by doing” when it comes to PowerShell involves just writing scripts and modules to satisfy the requirements of your job or side project. This is great, but you’ll end up not exploring certain areas of the language, and sometimes it’s nice to be able to know how to do your job before you need to start doing it… so let me introduce you to PSKoans.

PSKoans is a PowerShell module written Joel Sallow, with the purpose of helping people learn PowerShell. The readme.md on his GitHub page for PSKoans does a good job of explaining what’s going on, and how to use the tool, so I’m not just going to reproduce that. Instead, I’m just going to share my initial thoughts and experience.

Like me, Joel is active in the PowerShell Slack/Discord/IRC channel where people often come to get help with - you guessed it - PowerShell. After seeing stuff about PSKoans discussed for a while, and as I realized that I needed to come up with a good way to help my team at work improve their PowerShell chops, I figured I should give it a try and see if PSKoans would be suitable for use within my team.

Between a few interruptions, it took me a couple hours to work my way through the Foundations set of koans, which cover basics such as working with collections, looping, different operators, and conditionals. In my opinion, it’s a pretty darn complete set of foundations. The files you work through themselves are, for the most part, really clear about what you need to be doing, and what you should be learning. If there’s any spots that aren’t clear, clarity was soon restored by looking at the output of measure-karma which is an included function for tracking your progress There was one particular spot where I stumbled upon a koan that wasn’t quite right, so I opened an issue for it, and Joel fixed it the same day. Now that’s service.

I’m going to go ahead and use PSKoans with my team as a practical learning tool. Some people prefer books or online courses, and that’s awesome. There’s plenty of those already. What is awesome to see is people like Joel giving back to the community by making learning systems like PSKoans that take another approach and offer a hands-on learning that doesn’t have to take place in your production environments.

Full disclosure: I’ve only made my way through the foundations, since I don’t want to get too far ahead of my team (we might work through some in a workshop setting). Foundations make up more than half the points available at the time of this writing, so it’s possible that more sophisticated subjects could use some more coverage. Joel’s committed to adding more koans, though, so it’s worth watching this active project.

So let me say first, there are WAY more than 6 git commands you should know if you’re working with a project that uses git. However, when you’re first getting started, there are 6 git commands that you can’t get away without knowing. Here they are.

This “guide” assumes that you’re working with GitHub or Azure DevOps Repos or something and are creating your repos through the web-based GUI they offer, or the repos are already created. You’re on your own there.

This is not a replacement for learning git. This is just a cheat sheet for beginners.

First, you need to clone the repo. This takes a copy of what’s in source control and puts it on your local system.

git clone https://github.com/thomasrayner/git-demo.git

If you’ve already cloned the repository before, and just want to retrieve new changes, you can pull them.

git pull

Next, you should probably be doing your work in a separate branch in order to avoid stepping on the toes of your coworkers. You need to checkout a new branch (-b to create it). You can also use checkout to move between branches on your local system.

git checkout -b new-branch

# or if you wanted to move from a branch you created back to the master branch
git checkout master

Now, make your changes. The demo repository I’m using to validate these commands is empty, so I’m just going to add something to a readme file using PowerShell. This is not one of the commands you need to learn.

"Just a little somethin' somethin'" | Out-File ".\readme.md"

You can check your status now (and at any point). This will even tell you which git commands you probably want next.

git status

# returns something like this
On branch new-branch

No commits yet

Untracked files:
  (use "git add <file>..." to include in what will be committed)

        readme.md

nothing added to commit but untracked files present (use "git add" to track)

Next, to stage our changes, we’ll use add like status suggested. Flags and parameters in git are case sensitive, and I’m using the -A flag to stage All my unstaged changes.

git add -A

Once my change is staged, I need to commit it. -m is the parameter for a commit message, otherwise you’ll be prompted for one. These messages are critical for tracking changes to files and projects, so make them good.

git commit -m "Added readme.md"

Once the change is commited, it’s time to push it back to GitHub (or Azure DevOps, or whatever else you’re using).

git push

But wait, if you haven’t pushed since creating your branch, you’ll get an error! Mine looked like this.

fatal: The current branch new-branch has no upstream branch.
To push the current branch and set the remote as upstream, use

    git push --set-upstream origin new-branch

Git very helpfully shares the command that we need to use the first time we push a new branch. You don’t need to do this every time, but when you perform a git checkout -b <branch name> then the first time you push it back to your source control, you need to include the --set-upstream origin <branch name> bit. After your source control knows about the branch, you can just do the normal git push command.

Now, you can go to GitHub or Azure DevOps and make a pull request to get the changes from your branch pulled into master.

That’s it. At the very least, you need to know clone, pull, checkout, status, commit and push if you’re going to work with git. Again, this is no replacement for more thorough learning and practice. There are a couple great courses on Pluralsight (click the link for my courses at the top of the page and search for “git”) and other text-based resources available for you when you’re ready to learn more. Until then, try not to get into too much trouble!

This is really just an obligatory post to announce that I’ve moved my blogging habits from workingsysadmin.com to this URL, thomasrayner.ca. Why? Well I’ll tell you why.

Previously, my blog was a Wordpress install hosted in Azure. Before that, it was a Wordpress install hosted in some shared hosting I’ve had since before there was time. Now, it’s hosted on GitHub Pages (proof). I’m still working out my workflow, and there’s lots of bugs I’m still working out from the conversion, so if you see broken images or links, please file an issue on the GitHub repo.

So why move? There’s really three reasons.

1. I don’t really like Wordpress that much

Wordpress was great when I was getting into blogging because it had nice editing tools and a vast array of plugins. In a previous life I used to be a web developer, and I liked that there was a robust theme ecosystem that meant I didn’t have to do any web development whatsoever.

The issue, became, that the plugin market is full of janky, poorly secured stuff, Wordpress itself has an enormous attack surface, and honestly it’s overkill for my needs. I just wanted a blog. Jekyll on GitHub Pages has got a way smaller attack surface, and it’s more comfortable for me to work with given my current workflow for non-blogging related activities. I’ve committed to not over-doing it when it comes to my theme, so it will likely stay pretty standard. If you know of a good dark theme, let me know.

2. I wanted to put it somewhere other than Azure

I love Azure. Let’s not get that confused. So why did I want to get my blog off Azure? Well, I was paying for it with a credit that I get for having an MSDN subscription and I want to use those credits for something else. I love GitHub too, so I’m personally filing this as a win/win.

All in, it’s been a bit of a hassle, but so far it’s been worth it. I need to get my new workflow sorted out a bit better. Scheduling posts to be published on future dates was a big reason I stayed on Wordpress as long as I did, but I should be able to get that sorted out here. This particular post is not scheduled, and is just going live when I’m done writing and revewing it, and decide to push it.

3. It was time for a new URL

The “Working Sysadmin” branding was fine when I was a “sysadmin”. The theme of the blog was, and continues to be, posts about the things I’m figuring out and working on at work. The trouble is, my career and role has changed a bit and I really don’t qualify myself as a “sysadmin” any more. In fact, I think the distinction between “dev” and “ops” is harmful and that we’d be better off if we all thought of ourselves as technologists, anyway. The new URL, thomasrayner.ca, captures things a little better. I don’t currently plan on having any guest posters, and I’m Canadian. So, self-branding seems to make more sense. This way, the blog can freely be about whatever is on my plate, without worrying about the “brand” of the blog. Spoiler: It’s still going to be a LOT of PowerShell and automation related subjects.

So, now it’s time for me to keep fixing broken links, updating RSS feeds, and all that kind of stuff. I’ve kind of just decided to wave goodbye to all the SEO I had built up with the old domain, because that’s not really what I do this for. Plus, that can be rebuilt.

Thanks for reading!

It’s been a little while since I’ve managed to get a blog post out! Not to worry, though, as I’ve been nice and busy. One of the things I’ve been working on lately is writing a VSTS- I mean Azure DevOps extension.

The extension I’m working on will, among other things, need to update the build definition of the build that it’s currently building. Why? Because I’m incrementing a version number that’s stored in a build variable, which is part of the build definition. Here’s how I’m doing it.

First, you need to make sure that you grant the build permissions to access the OAuth key. This is under the additional options section of the agent job configuration. Then it’s time for some code.

$personalAccessToken = $env:system_accesstoken
$headers = @{"Authorization" = "Bearer $personalAccessToken"}
$headers.Add("Content-Type", "application/json")
        
$getBuildUri = "$($env:SYSTEM_TEAMFOUNDATIONSERVERURI)$($env:SYSTEM_TEAMPROJECT)/_apis/build/builds/$($env:BUILD_BUILDID)?api-version=4.1"
$getBuildResponse = Invoke-RestMethod -Uri $getBuildUri -Headers $headers

$getVarsUri = "$($env:SYSTEM_TEAMFOUNDATIONSERVERURI)$($env:SYSTEM_TEAMPROJECT)/_apis/build/definitions/$($getBuildResponse.Definition.Id)?api-version=4.1"
$getVarsResponse = Invoke-RestMethod -Uri $getVarsUri -Headers $headers

First, I’m retrieving the access token, and building the authorization and content-type elements of the headers that I’m going to use to interact with the Azure DevOps API. Then, I’m going to get the build definition for the build that’s currently running. After that, I’ll get the definition for that build.

Then, I need to edit the variable that I want to manipulate, and write it back to Azure DevOps.

$getVarsResponse.variables.$Variable.value = $newValue
    
$putData = $($getVarsResponse | ConvertTo-Json -Compress -Depth 10)
$null = Invoke-RestMethod -Uri $getVarsUri -Method PUT -Body $putData -Headers $headers

In this example, $Variable is the name of the build variable whose value I want to edit. Then I’ll convert the PowerShell object back to JSON, and put it back in Azure DevOps.

Once you do this, it takes a few seconds for what you did in via the API to be reflected in the web portal you access through the browser. Sometimes you have to wait a minute or two to make sure your change actually took place.

A big thanks to Chris “Halbarad” Gardner for helping me negotiate some challenges as I worked on this.

If you haven’t been to the PowerShell & DevOps Global Summit, let me tell you that the lightning demos are an ultra fun and informative part of the conference. It’s so cool to see what other people are doing with PowerShell that you’d never think of because it’s not what you’re used to working on. I love the fact that PowerShell is so many places, with so much flexibility, that it creates countless opportunities for interesting, meaningful projects.

PowerHour is like a virtual PowerShell user group that meets periodically to do lightning demos. What’s a lightning demo? It’s a 10 minute live demo where you show off something neat that you’re working on or are proud of. It’s super informal, and very free form.

I highly recommend checking them out, and participating if you’re comfortable with that. Check out the PSPowerHour GitHub for more information.

Are you going to be at Techmentor Redmond next week? I will be! You can catch me at my workshop on Monday and learn some Master Powershell tricks, or at my session on Tuesday to learn to write code that doesn’t suck. I’ll also be hanging around the rest of the conference, dinner events, and other people’s sessions.

I’d love to meet you! Say hi and I’ll give you a sticker (while supplies last).

Back in March, I had the opportunity to link up with Microsoft Cloud Advocate Damian Brady and record an episode of The DevOps Lab. We chatted a little bit about the MVP Summit and being an MVP (which I am no longer, since I’ve joined Microsoft as an employee), and then get down to business administering Azure Automation purely through the AzureRM PowerShell module.

Check out the recording, below!

https://www.youtube.com/watch?v=qbvss7VuezA

In the PowerShell Slack (invite yourself at bit.ly/psslack), there was a very brief debate over when the Expand-Archive cmdlet was introduced to PowerShell. This is absolutely information that can be found online, but there’s a few different ways.

Some cmdlets have this information built into the help, some share this information in the online docs. Since the core cmdlets documentation are open sourced and on GitHub, however, you can go straight to the source and quickly answer this question for yourself.

If you go to https://github.com/powershell/powershell-docs, you’ll find all the documentation for the core PowerShell cmdlets. In the Reference folder, you’ll see documentation for all the currently supported versions of PowerShell (back to 3.0). The docs for older cmdlets are in there too, but typically you’re going to be looking for if a cmdlet was introduced in version 4 or 5, in my experience.

Click on the Find File button in GitHub, and you’ll be presented with a search screen.

From there, type in the name of the cmdlet, and the search will start to populate. Let’s see when the Expand-Archive cmdlet was introduced.

You can see that this core cmdlet is in the docs for versions 5.0, 5.1 and 6. That means that we can assume this cmdlet was introduced in PowerShell version 5.

If you’re active on social media and follow things about PowerShell, you’ve probably already seen some information about the PowerShell Conference Book. It’s a community effort that was created to support the PowerShell.org OnRamp Scholarship Program.

I had the distinct honor of being asked to participate in this book, which has chapters from dozens of the brightest minds in the PowerShell community. My chapter is about creating custom PSScriptAnalyzer rules.

If you follow my work at all, you might realize that sounds familiar. Isn’t that the session that I did at PowerShell and DevOps Global Summit 2018? Well yes it is. The point of this book is to basically be a print-format conference. Obviously the networking and socializing part is a little bit lacking (it’s a book, give us a break) but the “attend different talks and learn about a crazy variety of awesome topics” part is more than well covered. Every chapter is written by a subject matter expert, independent of the other chapters - kind of like how talks at a conference are given.

If you’ve never been to the PowerShell and DevOps Global Summit or the European or Asian equivalent conferences, then you’ll get a bit of a glimpse of the world class content and knowledge that gets shared at these things. Either way, all of the proceeds from your purchase of this book goes directly towards funding the OnRamp Scholarship Program which is a full-ride to the next PowerShell and DevOps Global Summit for people who are underrepresented in IT, and people who are just getting started in their careers and could use a boost. It’s going to make a real difference in some people’s lives, and is incredibly worthwhile.

Basically what I’m trying to say is this: buy the book. You’re virtually guaranteed to learn something that will have this book paying for itself real fast. Plus, you’re supporting an awesome cause.

On July 1, I was notified that I was I was re-awarded as a Microsoft Most Valuable Professional (MVP)! Being an MVP is an enormous privilege, and has been a huge benefit to me professionally. If you’re not familiar with the MVP Program, it’s basically an award given to independent technologists who share technical knowledge with the community. That might mean blogging, public speaking, creating videos, being active on social media, answering questions on technical forums, or lots of other things.

In addition to a cool glass trophy, being an MVP comes with a bunch of other perks like an MSDN subscription, an O365 license, Azure credits, and other assorted swag and gifts. The biggest benefit by far, though, is access to NDA-protected mailing lists, and the networking opportunities to connect with other MVPs and full time Microsoft employees.

This is my fourth MVP award, and since April 2015, I’ve had the distinct pleasure of getting to know the most incredible people, mentor others, be mentored, influence the products Microsoft makes, and share thousands of hours of effort in the form of books, blog posts, public speaking, and other ways of giving back to the community that’s helped me so much. Through being an MVP, I’ve met great people who have helped me in my career tremendously. I’m grateful to all of them.

On that note, as of July 9, 2018, I won't be eligible for the MVP program any more and therefore will have to give up my status as an MVP.

One of the conditions for being a Microsoft MVP is that you aren’t a Microsoft employee. This spring, I accepted a position at Microsoft as a Senior Security Service Engineer, and will be starting on Monday, July 9! I’ll be joining an immensely talented team doing fascinating work, applying my skills in the area of scripting and automation, and helping guide their growing DevOps habits.

I couldn’t possibly be more excited.

As a small note, I’ll be relocating to the Seattle area this summer, and getting my feet under me in this new position, so the weekly streak of blog posts I’ve been able to uphold for over a year is likely to be interrupted. I’ll still be posting, but perhaps not quite as frequently. Just because I’m not going to be an MVP any more doesn’t mean I’m not still committed to sharing information and helping the technical community any way I can.

If you’re used to working in VS Code or the PowerShell ISE, you’ve undoubtedly enjoyed intellisense which is the feature that shows you all the tab completion options at once. That functionality is really handy, but what if you’re in the PowerShell console? The little overlayed windows don’t pop up there with your completion options. You can still tab through until you find what you want, but it’s not the same.

Don’t worry, there’s a PSReadline feature that will save you here.

Start typing something, like a cmdlet, and then instead of tab completing it, use Ctrl + Space to see the different options available to you. You can navigate through the different options using the arrow keys. Check out this gif of this feature in action.

Super handy. I love this feature for hunting through different parameters for a cmdlet.

Did you know that you can use Where-Object to split a collection into two arrays? Like, if you had an array containing the numbers 1 to 10, you could split it into one array of even numbers, and another array of odd numbers? It’s pretty cool. Thanks Herb Meyerowitz for this tip!

As you can tell from Herb’s comment in this screenshot, it’s actually the .where() method that is relatively new that we’re using to split collections this way. The syntax is kind of atypical, so let’s break it down.

$a, $b = (1..5).where({$_ % 2}, 'split')

• $a, $b = 
  • This part is creating two variables, named a and b that will be used to contain the output of our splitting activity.
• (1..5)
  • This just creates an array of the numbers 1 through 5.
• .where( )
  • This is a method that comes with PowerShell 5 (I'm pretty sure) which works mostly like the Where-Object cmdlet that you're used to. Most people just use it to filter collections on a filterscript (stay tuned) but it also takes other arguments.
• {$_ % 2}
  • This is the filterscript, or basically the criteria we're using to split up our collection. It will effectively create a true and a false list like the condition in an if statement. The percent sign is the modulus operator and will determine if the number is divisible by two without a remainder or not.
• 'split'
  • This is the mode. By default, the collection is filtered using the filterscript like when using Where-Object and only the objects matching the condition are returned. But that's not the only mode! We're going to use the split mode to break it into two collections. Maybe another blog post will come out on some of the other modes.

That’s it!

Maybe you have a login script or something else that’s written in PowerShell that you want to run without having any kind of window pop up - not even a blank one. There’s a few ways to do this, but my current favorite is to wrap it in C#. Thanks Mark Kraus for this tip!

Fire up Visual Studio, and create a new C# console application. Right click and change the properties of the project so that the output type is Window App… and then get this… don’t make a window.

From there, you’ll need to add a reference for PowerShellStandard.Library so you can do PowerShell-y business in your C# application. After that, you can make a method look like this.

static void Main(string[] args)
{
    var powershell = PowerShell.Create();
    powershell.AddScript(@"
Get-ChildItem -Path c:\temp | out-file c:\temp\shh.txt
");
    var handler = powershell.BeginInvoke();
    while (!handler.IsCompleted)
        Thread.Sleep(200);
    powershell.EndInvoke(handler);
    powershell.Dispose();
}

It’s not super complicated code. Line 3 creates a new PowerShell object so we can, you know, run PowerShell code. On Line 4 - 6, we’re adding the script that’s going to be executed. You could retrieve the code from a file, but I’ve just stuck a here-string in there. My script is pretty simple, it’s just getting all the items in my c:\temp folder and exporting that output to a file named shh.txt.

After that, I’ve got to actually run my code. That happens on Line 7, and then on Line 8 and 9, we make the thread wait until the code is done executing. Then finally on Line 10 and 11, I’m cleaning up after myself by ending the invocation and disposing of my PowerShell object.

You can build this, and then look in the folder for your app, in the bin\Debug folder, you’ll find an .exe file which you can run. Double click it and you shouldn’t see any window pop up, no console, no XAML window, no nothing, but your PowerShell script will run. If you made yours look like mine, go check for that file that it should have created.

Now when your login script runs, your users won’t be able to close it before it finishes!

With this post, I’ve got a new post up on this blog every Wednesday morning for a year. I’m pretty proud of that! There are certainly more prolific bloggers out there, especially in this space, but for me, this is quite the accomplishment. This is weekly consecutive blog post number 53.

In celebration of getting through a full year of weekly blog posts on topics of PowerShell, DevOps, automation and IT strategy, in this post I’ll share some of the lessons I’ve learned. This isn’t a big list of everything you need to know to blog, or even things that might work for you, but just things I’ve learned about blogging over the last year.

Not every blog post needs to be a textbook

A lot of people get caught up on what is “blog worthy” and dismiss post ideas because they aren’t long enough, or because the topic has been covered before. Long posts, multi-part series, and other enormous posts are totally awesome. They also tend to be pretty niche and time consuming. There’s nothing wrong with a shorter post - they help people too! There’s also nothing wrong with adding your own unique perspective on a topic that has already been covered by other bloggers, since your commentary can sometimes be just as valuable as the technical content.

Post ideas are everywhere

After a few months of weekly posts, I realized that my daily scope of work didn’t change enough for me to be constantly blogging about what I’m working on. Therefore, I had to look for some new sources of inspiration. I joined the PowerShell Slack channel, paid more attention to Twitter, and started remembering questions my coworkers had and used those as material for my blog. Not only do you get to help someone in the moment, but you get to help even more people through that blog post being up forever (or until you forget to renew your domain or web hosting).

Post ideas come in bursts

When I first committed to weekly blog posts, I had a ton of ideas written down on a OneNote page. I spent a couple weekend afternoons writing about 20 posts, and scheduled them to go public every Wednesday morning. That was awesome, and it meant that I didn’t have to think of any new posts for a few months. When I had about 5 posts left, inspiration struck again, and I wrote another big batch of posts. In fact, I’m writing this exact post about a month before it will go up because this is when I felt inspired to write it. Don’t worry, if I learn anything new in the next month about blogging, I’ll update the post.

Scheduling posts in advance, and having a hopper full of posts ready to go is mandatory if you’re going to commit to a weekly post schedule. Eventually you’ll want to take a week off, you won’t be able to think of a post, or you just won’t have time. In these situations, you’ll be glad that you have a bunch of posts queued up ready to go.

Not every post has to be "on brand"

Over the Christmas season, I was in Mexico, and felt the need to queue up a bunch of posts. The holidays are a time when most of the people who read my blog are away from work, so I felt like I had a little freedom regarding which topics I posted about. Since I didn’t have a lot of PowerShell or DevOps topics ready to go, I posted about what I had been doing in some of my free time, practicing some of my pentesting skills on HackTheBox.eu. They’re certainly not my most viewed posts, and I didn’t get a lot of interaction on them, but nobody complained either. Don’t be afraid to blog about whatever you’re passionate about in the moment. Just because you run a PowerShell/Exchange/AWS/Football/Checkers/PKI blog doesn’t mean you can’t branch out. Blog for yourself first and others second, and you’ll be much happier.

If you’ve written at least a couple of advanced PowerShell functions, you’re probably no stranger to parameter validation. These are the attributes you attach to parameters to make sure that they match a certain regular expression using [ValidatePattern()], or that when they are plugged into a certain script, that it evaluates to true using [ValidateScript({})]. You’ve probably also used [ValidateRange()] to make sure a number falls between a min and a max value that you specified.

In PowerShell 6, though, there’s something new and cool you can do with ValidateRange. You can specify in a convenient new syntax that the value must be positive or negative.

To do this, you start with a normal ValidateRange attribute, and instead of providing a range of numbers, you just use the word “Positive” or “Negative”, like this.

[ValidateRange('Positive')]$int = 10
[ValidateRange('Negative')]$int = -10

These will both work correctly because we’re assigning a value that works with the validation we’ve specified. Here’s two that will throw errors.

[ValidateRange('Positive')]$int = -10
[ValidateRange('Negative')]$int = 10

Here’s what it looks like in the console.

Neat, right?

Regular visitors of this blog are used to seeing PowerShell and DevOps content, and this is a little bit of a divergence since it’s written in C#, and it’s a .NET Core MVC Azure Web App, but if it found itself on my plate, maybe it will find itself on yours. I was tasked with writing an Azure Web App that users would visit, sign into using their Azure Active Directory (ie: “Work or School”) account, to test if their Conditional Access and MFA was configured properly. Once logged in, a little information about the user is displayed.

Here’s how to pop all the claim information for an authenticated user into a Razor Page.

I decided to put the whole thing into an HTML table in order to make it a bit more readable. It’s kind of a challenge to differentiate between the claim name and the value if they aren’t aligned nicely. From there, make sure you’re using System.Security.Claims, and you can write yourself this foreach loop.

<table>
    @foreach (var claim in ((ClaimsIdentity)User.Identity).Claims)
    {
        <tr>
            <td>@claim.Type</td>
            <td>@claim.Value</td>
        </tr>
    }
</table>

It’s not a big mind blower. This is a .cshtml document, so we can write HTML and mix in some inline C#. Using the ClaimsIdentity class, we can write a foreach loop for each claim in the identity of the currently logged in user. This assumes that the user isn’t logged in more than once (ie: Facebook and Twitter and Azure AD).

Then I’m making a new row in my table for each claim, and separate cells for the claim type, which is the name of the claim, and the claim value.

Nice and concise!

How’s this for a niche topic? If you want to move to Azure AD P2 Conditional Access and have users who are on P1 MFA, then in order to move them over, you have to disable and re-enable MFA on their account - or at least that’s what one PFE told me. The problem is, when you do that, you lose their options like if they prefer to enter a code from the app, receive a text, etc. by default. Wouldn’t it be nice if you could keep that stuff?

Well, you can!

Here’s a PowerShell function I wrote that performs this task. It assumes you’ve already done a Connect-MsolService and logged in successfully.

function Move-MfaSettings {
    <#
    .SYNOPSIS
        Converts a user from classic MFA to modern MFA and retains their settings.
    .DESCRIPTION
        Takes a MSOL user and manipulates their settings to engage modern MFA without overwriting their current preferences.
    .EXAMPLE
        PS> Move-MfaSettings -User $(Get-MsolUser -UserPrincipalName myguy@domain.tld) 
        If a user with the UPN myguy@domain.tld is found, the MFA settings will be updated.
    #>
    [cmdletbinding(SupportsShouldProcess)]
    param (
        [parameter(Mandatory, ValueFromPipeline)]
        #The MSOL user object whose MFA settings are being adjusted
        [Microsoft.Online.Administration.User]$User
    )
    if ($PSCmdlet.ShouldProcess("Converting user $($User.UserPrincipalName) from classic MFA to modern MFA")) {
        $strongAuthMethods = $User.StrongAuthenticationMethods | Select-Object MethodType, IsDefault
        $setStrongAuthMethods = @()
        foreach ($strongAuthMethod in $strongAuthMethods) {
            $add = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
            $add.IsDefault = $strongAuthMethod.IsDefault
            $add.MethodType = $strongAuthMethod.MethodType
            $setStrongAuthMethods += $add
        }
        $null = Set-MsolUser -UserPrincipalName $User.UserPrincipalName -StrongAuthenticationRequirements @() -StrongAuthenticationMethods $setStrongAuthMethods
    }
}

It could probably stand for a better name, but I’ve called it Move-MfaSettings, and it takes one parameter: a MSOL user object. It supports the -WhatIf flag, by implementing SupportsShouldProcess.

On line 18, I’m storing the Strong Authentication Methods of the user object that was passed to the function. All I need out of here is the MethodType and IsDefault properties. This is the option/preference information that we would normally lose by performing this task. We’re going to lose it again, but since we’ve saved it here, we can rebuild and add it back later.

Lines 20 through 25 go through each of the preferences we collected on Line 18 and builds a new StrongAuthenticationMethod object out of them. Then we set the IsDefault and MethodType property for each one, and store the new object in an array.

Finally, on line 26, I’ve used Set-MsolUser to disable the Strong Authentication Requirements, and set the Strong Authentication Methods to the array of those objects we created.

Now you can disable MFA for users while still keeping their settings, which is pretty handy when you’re transitioning to P2 Conditional Access.

I had the pleasure of presenting a session at the PowerShell and DevOps Global Summit in Bellevue in April 2018 and the session recordings went live last week. My session was titled A Crash Course in Building Your Own PSScriptAnalyzer Rules and it’s a pretty fast 45 minutes. I’ve been getting lots of wonderful feedback on it, so if this is something you might be into, please give the recording a watch! It’s easier than you might think.

https://youtu.be/_T8wLsbTWJY

Click here if the embedded video doesn’t work: https://youtu.be/_T8wLsbTWJY

In full disclosure, this post contains information that a user experience expert might frown at. I’m not really sure, since I’m not a user experience expert. I do know a lot about PowerShell, however, and that’s really what this post is about.

Say you have users of your scripts and modules who might have their $ErrorActionPreference set to SilentlyContinue or maybe you know for a fact that your code explicitly sets it that way. That’s probably another thing that will make the user experience pros mad but here you are anyway. Let’s just say that your stakeholders FORCED you to do it. What happens if you absolutely need to, have to, must display a non-terminating error, such as those you create with Write-Error? Here’s one option.

You could store the current Error Action Preference in another variable, set the EAP to “stop” or “continue” and then write your error, and then set the EAP back, but there’s a simpler way!

Write-Error, like pretty much anything else, has an -ErrorAction parameter which determines what PowerShell will do if the cmdlet it’s attached to throws an error out. Since Write-Error will, by definition, throw an error every time you run it, the -ErrorAction becomes pretty important if you want to use it here.

Even if the Error Action Preference is set to SilentlyContinue, you can do this…

Write-Error "This is my error" -ErrorAction Continue

… and your error will be written to the screen anyway. Obviously you can use the -ErrorAction parameter on everything else that has one too, for the same effect. Error Action Preference is just there to determine how errors are handled if you don’t specify -ErrorAction.

If you’ve seen any of the recent talks from Microsoft employees and MVPs about PowerShell, it’s hard to miss that Visual Studio Code (VS Code/VSCode) is the new hot place to be writing your PowerShell code. VSCode with the PowerShell extension is the current Microsoft-recommended coding environment, whereas it used to be PowerShell ISE. ISE isn’t dead (there are lots of posts on that), it’s just considered to be complete, and all current development effort is focused on VSCode.

Great! Well, one of the things I like in my editor is my own custom snippets. I don’t have very many, but I use the ones I have pretty often. Here’s how to make one in VSCode.

In VSCode, go CTRL + Shift + P to open the command pallet, and search for “Configure User Snippets”. From there, you can do a new global snippets file, or choose the language that the snippets you’re going to write are going to be for. This helps you separate your JavaScript snippets from your PowerShell snippets, and so on. I opened my powershell.json snippets file.

By default, the file includes a description, syntax and even an example of how to make a new snippet. I won’t reproduce it here, but instead I’ll share one of my most-used snippets and describe the different parts and how they work. They’re declared in JSON.

"DateTime pre-pended Write-Verbose": {
    "prefix": "verb",
    "body": [
        "Write-Verbose \"[$(Get-Date -format G)] ${1:message}\"$0"
    ],
    "description": "Prepend datetime for Write-Verbose"
}

The name of my snippet is the first thing that’s indicated, “DateTime pre-pended Write-Verbose”, then the different properties that make up the snippet. The prefix I’ve given it is “verb”, which you’ll see the use for in a moment. Then, the body of the snippet. This one is just a “Write-Verbose” command, with part of the string to be written pre-populated. First, I’m writing the current time and date enclosed in square brackets, and then using the “${1:message}” notation, I’m placing the cursor at the location of that text, highlighting the word “message”. This makes it so when you insert the snippet, the word “message” is already highlighted and you can just start typing your message. Then I have a “$0” at the end so when you hit tab, it takes you to the end of the line, outside the quotation marks of the “Write-Verbose”. Finally, I gave the snippet a basic description.

To use the snippet, go CTRL + Shift + P to open the command pallet, find Insert Snippet, and type the prefix you gave your snippet - mine is “verb”. Then once you hit enter, the body of your snippet will be inserted, and in my case, the word “message” is highlighted, right after the datetime.

That’s all there is to it! If you want to see a bunch of awesome snippets written by the community, check out the Community Snippets page on the VSCode-PowerShell GitHub.

I’ve just got back from the PowerShell and DevOps Global Summit in Bellevue, WA where I had the great pleasure of attending tons of excellent sessions on a bunch of PowerShell and DevOps topics. The main tracks were all recorded (hopefully uploaded soon, will update with link) but the side sessions were not.

I didn’t attend many of the side sessions, but one that I did was Glenn Sarti, who is a dev at Puppet. His session was on Lean Coffee, which I think is my new favorite format for informal meetings.

Lean Coffee is held and characterized as follows:

• There is a timer, a person who is in charge of keeping things moving and enforcing the timing rules that follow.
• Start by spending 5 minutes to gather topics. This is anything that people want to talk about. Nothing is off limits.
• Everyone voted on which they want to talk about first. Everyone has two votes which can be cast for whichever topics the voter wants to do first.
• The timer tallies the votes and the group starts talking about whichever item was highest votes.
• Every two minutes timer interrupts the discussion and polls for if you want to keep talking about the current topic or not. This is just a quick thumbs up or down. Everyone votes.
• If the majority votes to continue on the current topic, the timer is reset for another two minutes, after which the timer will take another continue/move on poll.
• If enough people vote to move on to the next topic, the timer picks the next highest votes. The goal is to get through all of the topics.

You can modify the number of votes and timing as it makes sense for you, but this is what we went with. In this format, it’s easy to prevent two people from de-railing the conversation or monopolizing it since the topic is reviewed every two minutes.

This format sounds like it might be a bit high maintenance or disjointed with constant timer interruptions but when we practiced it in Glenn’s session, I found it efficient, and clear. I’ll definitely be trying it out at work.

Sometimes, while you’re poking around in the console, you want to re-run the last command. Sure, you can hit the up arrow and enter, but PowerShell always gives you multiple ways to do things.

It’s easy, using the Invoke-History cmdlet. You can also use its alias which is just r. Running that cmdlet without any parameters will run the last command from the console. Alternatively, you can specify a value for the ID parameter, and run one from further back in your history.

How do you find out what those IDs should be? Using Get-History to see everything you’ve run in this session, and the ID number for that command.

After the modest success of my last DevOps Story Time post on getting out of your own way, I feel like it’s time for another. This time, on the value of taking risks, and taking away a win even when you realize one of the risks you were afraid of.

Easter weekend 2018, for my 30th birthday, my girlfriend and I went to Banff, AB to do some hiking. When we got there, she surprised me with my “real” gift: that we were going to go visit a wolf sanctuary in Golden, BC, and go on a hike with some real, actual, not-fooling-around wolves. Obviously, I was beyond excited.

When you get there, before you go on your walking with wolves adventure, you sign some waivers which include some items about releasing rights to photos, but also include some very specific, lengthy sections to the tune of “These are wild wolves. Although they’ve been imprinted on humans (aren’t afraid of humans like a normal wolf, this is why they’re in the sanctuary), these aren’t like visiting your friend’s Labradoodle. These are wolves, and wolves can be dangerous and unpredictable.”

Now, you’re out there with (excellent, knowledgeable, informative) guides, and this part of the sanctuary is definitely a tourist attraction, so there’s a pretty good feeling of safety that sets in quickly. We understood, and of course, accepted the risks that we’d been made aware of, and embarked on our walk.

[caption id=”attachment_715” align=”aligncenter” width=”604”] I got licked in the face by a wolf. Her name is Flora.[/caption]

[caption id=”attachment_716” align=”alignleft” width=”225”] There’s a couple more good ones above my hair line. She got a little close to my eye.[/caption]

For the most part, you and your small group walk through an area the guides are familiar with as the wolves do wolf things and dart around. They weave through the group plenty, you can pet them if they come up to you, and play and pose while people take pictures. At a certain point, the guides will find a good spot to take pictures of the guests in close proximity with a wolf. You don’t have to do it if you’re scared, but by this point, we felt really comfortable and were definitely not going to pass up a once in a lifetime opportunity to take a picture with a real, live wolf.

This was absolutely one of the coolest moments I’ve ever experienced, and a completely unforgettable memory. However, remembering that wolves can be a little unpredictable sometimes, she got a bit excited climbing all over me, and I came away with a pretty good scratch.

This is why you sign a waiver. And the scratch wasn’t really so bad. I cleaned it out, and took care of it, and will heal up just fine. This pic was taken when we got back to our car immediately after the hike. Pardon the toque hair.

What does this have to do with IT?

Believe it or not, there’s a DevOps related lesson to be learned here, and I’m not just bragging about my cool birthday experience, and subsequent Bond-villain-esque facial wound (maybe just a little).

I normally consider myself a pretty risk adverse person. If you saw my stock portfolio, you’d probably agree. When it comes to your IT department, most traditional enterprises consider themselves “risk adverse”, too. The thing is, though, people too often throw around the term “risk adverse” as a reason not to take a risk. Being adverse to risk isn’t a blanket excuse to never take any risks ever for any reason. By definition, it just implies a certain amount of (hopefully healthy) skepticism to avoid undue risks.

Don’t let anyone immediately dismiss an idea, whether its disruptive or not, simply on the grounds of being risk adverse. Every risk has an impact and likelihood (how severe it is, and how likely it is to actually happen), and if someone wants to dismiss an idea based on risk, it should be based on the impact and likelihood being too high.

Urge your stakeholders to identify a risk tolerance. They’ll give you a non-zero number. Make it out of 25. “On a scale of 0 - 25, what would you say our appetite for risk is?” Say they come back with 10. That’s somewhat risk adverse, right? Well, using the risk impact/likelihood model, give both the possible impact and likelihood a score out of 5. Multiply the two numbers to get a score out of 25, and compare that to your stakeholder’s risk tolerance. If a certain change comes with a risk that carries an impact of 2 out of 5 (if the change fails, users will experience a partial outage for 4 hours - but the company’s reputation will remain intact, no business will be lost, it’s really just an inconvenience) and a likelihood of 2 out of 5 (pretty unlikely, but possible), the risk score is 4/25. This is well below the identified risk tolerance level of 10, and this is leverage for you to go ahead with your change.

The scores are obviously subjective. A partial four hour outage for users may be a catastrophe if you’re an internet service or cellular provider, instead of an inconvenience in our scenario. It’s up to you to add reasoning to your scores so that your risk evaluation is more meaningful and valuable. Include mitigation plans that describe how you plan to lower the likelihood of a risk being realized and the impact if it is. Be sure, at some point to underscore the benefit of taking the risk. Actions can still be beneficial even if a risk is realized.

I strongly urge you to use this model and line of reasoning to combat the “well we are pretty risk adverse so it’s going to be a no” blanket excuse. Rather than letting people’s comfort zone drive your IT strategy, force a more thoughtful, well-reasoned decision. You might still get a “no”, but at least it will be one that’s thought out, rather than impulsive.

Bringing it together

Like I mentioned, I am pretty risk adverse, but I also don’t want to live a life without any fun and interesting experiences. I used the information that was available to me to enumerate the different risks of going out on a hike with wolves, the impact (mild disfigurement) and likelihood of those risks being realized (pretty low), including the mitigating factors of the guides, and weighed that all against my appetite for risk and the benefits of accepting the risk and doing it anyway.

Even though one of the risks was realized (my face is a little less pretty until this scratch heals up), the reward and benefit of the decision was still absolutely enjoyed. I had an amazing, once in a lifetime experience that will always be special to me. You can do the same in your own career, and at work. The road to success isn’t always well-paved.

Sometimes Write-Host gets a bad reputation. Lots of people will repeat inflammatory rhetoric that “Write-Host” kills puppies, and so on, but the only real problem with Write-Host is that people use it without knowing what it’s for. Write-Host is for writing to the console and only the console.

Other cmdlets like Write-Output are for writing to standard output which might be the console, or could be somewhere else down the pipeline. Write-Host’s output can’t be redirected to a log file, isn’t useful in unattended execution scenarios, and can’t be piped into another command. Lots of people who are new to PowerShell get into a habit of using Write-Host when they probably should have used Write-Output or something else instead. If you have someone you’re trying to train to stop using Write-Host when it’s not needed, consider this prank, just in time for April Fools Day.

There’s not much to it. Just add a couple of lines to their PowerShell profile.

$PSDefaultParameterValues.Add('write-host:foregroundcolor',{get-random $([system.enum]::getvalues([system.consolecolor]))})
$PSDefaultParameterValues.Add('write-host:backgroundcolor',{get-random $([system.enum]::getvalues([system.consolecolor]))})

This adds default values for the -BackgroundColor  and -ForegroundColor  parameters when Write-Host is called. If a script specifies a value for those parameters, those specific values will be used instead. If, instead, Write-Host is called without specifying values for the foreground and background color parameters, a random one will be used instead. It’ll look something like this.

Did you know that PowerShell supports the usage of partial parameter names? This isn’t such a big deal since tab completion is a thing… and if you’re writing code, you want to use the full parameter name to provide clarity and readability… but sometimes this is handy. Whether it’s for code golf, or just noodling around in the console, you don’t have to specify the full name of a parameter, just enough for it to be unique.

Here are some examples.

Get-ChildItem -Pa c:\temp
# Pa is matching the Path parameter
# Note if you just do P, you'll be told that the parameter can't be processed and a list of possible matches

Get-CimInstance -Clas win32_operatingsystem
# Clas is part of the ClassName parameter

Obviously this isn’t something that you should be running wild with and using in all your production code, but maybe it’ll explain how some random code you found on the internet works.

Normally in PowerShell if you want to report progress on a long running task, you’d use a progress bar using the Write-Progress cmdlet. That’s definitely the right way to do this, but what if you wanted a different way… for some reason? In the PowerShell Slack (invite yourself: slack.poshcode.org), I recently answered this question: “I want to write out ‘There are 3 seconds remaining. There are 2 seconds remaining.’ etc. until there are no seconds remaining and then keep going, but I don’t want them all to appear on the different lines. I basically just want the number to update.”

This gif shows what the question asker was after (except instead of counting up, they wanted a countdown).

So, then, how do we get that? Well, the answer is ANSI Escape Sequences! These are encoded instructions included in a string to direct the console about how to change or manipulate the output. I use them in my prompt.

First, let’s just get our countdown - er, I mean countup… working. This is pretty straight forward.

1..10 | % { "There are $_ s remaining"; start-sleep -seconds 1 }

This will write everything on its own line, like this.

There are 1 s remaining
There are 2 s remaining
There are 3 s remaining
There are 4 s remaining
There are 5 s remaining
There are 6 s remaining
There are 7 s remaining
There are 8 s remaining
There are 9 s remaining
There are 10 s remaining

Now, for the fanciness, what we really want is for the same line to get overwritten.

You can write an ESC inside of a string just like you would any other character. It’s represented by char 27. So we’ll set that equal to a variable $E.

$E = [char]27

Now we can embed it in strings, and we just need the rest of the sequence. If you scroll enough on that Wikipedia page linked above, you’ll get to the CSI sequences section, which basically all start with the escape character and then an open square bracket (this character: [). At the bottom of the table, you’ll notice s and u sequences for saving and restoring the cursor position.

So all we need to do is save the cursor position when we start, and then restore it each time we want to overwrite the line.

"${E}[s"
1..10 | % { "${E}[uThere are $_ s remaining"; Start-Sleep -Seconds 1 }

On the first line, all I’m doing is saving the cursor position. I wrap the E in $E in curly braces so it doesn’t think the square brace or the s is part of the name of the variable. You don’t have to do this for this escape sequence since the square brace isn’t a valid character in a variable name, but for some other ANSI stuff, you might want to get into this habit.

Then on the next line, I’ve just got a foreach-object loop (alias is %) that writes the same line over and over and sleeps for one second. The line it writes restores the cursor position to the one that was saved on the line above and then just writes “There are x s remaining”. We’re overwriting the same line over and over.

This works in our scenario because the line we’re writing text of the same length or longer. If you want to see this activity look a little odd, you can try something like this.

"${E}[sHello"
start-sleep -seconds 1
"${E}[uHi"

We’re saving the cursor position, writing “Hello”, waiting a second, then restoring the cursor position and writing “Hi”. We’ll see “Hello” for a second then the resulting line that comes afterwards looks like this.

Hillo

This happens because we restored the cursor position and just started writing more characters. So, be careful of this if you’re using this trick in your own scripts. You can use the .PadRight() and .PadLeft() methods that are built into strings to try to fix this, or something more dynamic like detect the length of the strings you’re writing.

"${E}[sHello"
start-sleep -seconds 1
"${E}[uHi".PadRight(20)

Notice on the last line, I’m using the .PadRight() method to add 20 characters of whitespace which will overwrite all of the rest of the text that wasn’t being overwritten before.

Working with Azure resources can be a bit of an adventure sometimes. Say you want to update a tag on an Azure resource. Not remove it, but change its value. If you try to add a tag with the same name but different value, you’ll get an error that the tag already exists. Some of the ways you have available to get rid of a tag involve dropping all the other tags assigned to a resource. So, what do you do?

In this example, I have a couple VMs with a tag named “user” and a value of “thmsrynr”, and I want to keep the tag but change the value to “Thomas”.

Well, this extravagant one-liner will do the trick.

Find-AzureRmResource -TagName user | 
    ForEach-Object { Get-AzureRmResource -ResourceId $_.ResourceId |
    ForEach-Object { $tags = $_.Tags; 
                     $tags['user'] = 'Thomas'; 
                     Set-AzureRmResource -Tag $tags -ResourceId $_.ResourceId } }

I like Find-AzureRmResource best for searching for resources with a specific tag, but it doesn’t return the tags for some reason that is beyond me. You can search by tag but the tags aren’t returned? Weird, right?

Anyway, I pipe everything I find into Get-AzureRmResource which is bad at searching for resources but DOES return the tags. Then for the resource I find, I store the tags on that resource in a temporary variable (named $tags), and then I work with the variable instead of working directly with the Azure object to update the “user” tag I care about. Then I set the tags on that resource to be what I stored. This should keep all the other tags intact, and update the value of one specific tag.

You could, and probably should, expand this into a more flexible function with parameters and filtering and such, but this example shows you how the tricky bits work.

I’m very excited to share that my newest Pluralsight course was published over the weekend: Azure Automation: Diving Deeper. This builds on my first course, Getting Started with Azure Automation.

Pluralsight is a paid service but trials are available, and it’s a benefit of having an MSDN subscription. They’ve got thousands of hours of good stuff for people working in all areas of technology, including my new course.

My Azure Automation: Diving Deeper course will teach you everything you need to know to put Azure Automation on your resume, market yourself as an IT Automation pro, and increase your worth as a professional. Please check it out and don’t hesitate to contact me with any questions or feedback.

As a Pluralsight author, I am compensated for creating courses, so this is technically a sponsored post. I do, however, truly believe in their service, and think that many people who read my blog may benefit from watching my courses.

First and foremost, HTML is not regex friendly. You should not try to parse HTML in PowerShell, or using regular expressions unless you’ve lost some kind of bet or want to punish yourself for something. PowerShell has things like ConvertTo-HTML that will make that kind of thing way less migraine inducing.

That said, I recently had a situation where I just wanted to strip all the HTML tags out of a string. My input looked something like this (assigned to a variable $html).

<html>
<body>
<p>This is an important value</p>
</body>
</html>

All I want is the “This is an important value” part, so this seemed like a place where the “don’t use regex on HTML” rule could be broken. It’s even a pretty simple regex.

$html -replace '(<\/*\w+?>){1,}'

You’ll have to wrap it in round brackets and use a .trim() to clean up white space, but this will work for the “get rid of the HTML” goal. Let’s break down this regular expression to see what it’s doing.

Starting on the far right side, the {1,} is specifying “one or more” or the pattern that precedes it, in this case, the rest of the expression wrapped in round brackets. Inside those round brackets is a patter which states “an angle bracket (<), zero or more forward slashes escaped by a back slash (\/*), as many alphanumeric characters as it takes (\w+?) to get to a closing angle bracket (>)”. It just rolls off the tongue, right?

Basically we’re looking for any opening or closing HTML tag. We’re not capturing some HTML, though like img or a tags that can have other values inside them (like <img src=”pic.png” />) but the regex in this example can easily be built upon to include examples like that, now that you’ve got this far. You could even just replace the \w with [^>] which means “any character except a closing angel bracket”.

Happy regexing!

When you double click a file in Explorer.exe, it automatically opens in its default program if it has one associated with its type. But did you know you can do the same thing using PowerShell?

Most people are aware of Start-Process, the PowerShell cmdlet for starting processes on the computer, but most people just use it for executing things they’d normally just look to run in cmd.exe like installers. But Start-Process has a -FilePath parameter that you can use to open a file in its default program.

Start-Process -FilePath C:\temp\opens-in-excel.csv

On my computer, this command opens the given CSV in Excel. This is handy in situations where you’re poking around in the console, exporting files, and then perhaps you wish to open that file and rather than clicking around inefficiently through Explorer.exe, you can just launch it from the PowerShell CLI.

In PowerShell, there is usually at least a few ways to do most tasks and detecting if the last command resulted in an error or if it worked is no exception. You could wrap code in a try/catch block, but sometimes that’s overkill. Regardless of your reason for wanting to get the work/borked status of the last command, here are a couple simple ways of doing it.

The Get-History cmdlet is a great way to get this and other information for commands you executed in your current session. If you run it, you’ll get an ID and a “CommandLine” which is the command that you ran, but if you pipe into Select-Object -Property *, you’ll see that there’s also an ExecutionStatus and times for start and end. That ExecutionStatus is what you’re looking for in this case.

If you just run Get-History | Select * then you’ll get those pieces of information for every command you ran in your current session. If you only want to see the information for the last command you ran, just remember that you’re working with an array and run (Get-History)[-1] | Select *. That will get the last item in the array of command information returned by Get-History and show you that info.

If you truly just want to know if the last command completed successfully or not, there’s a special variable built into PowerShell for it. It’s $?. Just type $? into your console and you’ll get back either True or False, a boolean value for if the last command completed successfully or not. Pretty handy shortcut, no?

Are you a user group leader or event organizer who’s looking for speakers? I’d love to connect. I do my best to keep my eye out for CFPs and other speaker solicitations, but it doesn’t hurt to advertise my availability. Most of the dates I’m available to travel for speaking events in 2018 are taken, but I still have a bunch of dates I’m available to do virtual and remote events.

Here’s a list of sessions and their abstracts that I’ve got prepared and would love to present. If you see one you like, I’m best reached by email at thmsrynr@outlook.com or on Twitter at @MrThomasRayner. My bio is on the About page of this blog. If you like me but don’t see a session your attendees would love, I hope you’ll reach out anyway and we can see what I can come up with specifically for your event.

Session List:

PowerShell Release Management in Action

A year ago, I created a release pipeline for my team’s PowerShell code. It got off to a rocky start but we’re cruising now. Come see what I delivered and how it works. I’ll also tell you what went well, how it evolved, and the outright mistakes I made.

In this session, I’ll be talking about the real, in-production, actually being used release management program that I delivered, manage and participate in at my current job. This isn’t some theoretical thing tossed together for a couple blog posts, or hobbled together for use with one community project. My team and I use this on every PowerShell coding project we take on. It’s flexible enough to be a one size fits (almost) all solution, while being rigid enough to ensure top quality for the solutions we deliver.

I’ll show attendees a real example of a request for automation going through the entire release management process, and share details about what I found worked well, what seemed like a good idea at the time, and managing obscure expectations laid upon me by management. I’ll cover everything from “I have an idea for some code” to “code’s running in prod”, and everything in between.

I Did DevOps Wrong But You Don't Have To

It’s a popular term so, you know probably feel like you know what DevOps is, may be trying to implement it where you work, and are maybe even doing a good job. On the other hand, maybe not. Either way, I tried and failed a bunch before getting it right. Come learn from my mistakes!

If something is hard, that usually means it’s worth doing. I’ve been down the “heard of DevOps before anyone else I work with” and the “I saw Don Jones describe the DevOps or ‘would you like fries with that’ choice” path , I got enthusiastic and wanted to ram DevOps principles down everyone’s throat. Guess what? Sometimes people resist change. Surprise! In this session, I’ll tell you about the mistakes I made, how I sold my organization on DevOps, and all the ways I’ve seen organizations screw DevOps up so you can avoid my mistakes.

A Crash Course in Writing Your Own PSScriptAnalyzer Rules

PSScriptAnalyzer is great. You use it to check all your code to make sure it follows PowerShell best practices, right? In this session, I’ll show you how to take your PSScriptAnalyzer skills to the next level by showing you how to write your own custom rules, and make PSSA check your code for them.

PSScriptAnalyzer is great, not just because it comes with a bunch of rules that Microsoft and the community support, but because it allows you to put your own rules on top of (or instead of) it. Maybe you want to make sure that you’re using camelCase for your variables but PascalCase for your parameters. You’re going to need to write your own rule for that one. Writing your own PSSA rules can be intimidating up front, but I’m going to share some examples of rules I’ve written, used, and even got implemented as rules included with PSSA, to show attendees the unique authoring process, how to get started ripping apart the AST, and making their lives better with custom PSSA rules.

Remote Management of SQL Servers with PowerShell

Whether you’ve tried out PowerShell or not, make no mistake: PowerShell is here to stay. As a SQL Server pro, it’s in your interest to learn this powerful and robust language, and use it to automate tasks you come across regularly.

Join Thomas Rayner, PowerShell MVP and Honorary Scripting Guy, in this demo-packed session and learn about some of the different PowerShell-based tools available to you. You’ll be riding along with a PowerShell Pro, building a proof-of-concept script that uses different techniques to administer SQL servers.

DevOps Questions Answered

Come join Microsoft MVP and Honorary Scripting Guy Thomas Rayner to chat all about an explosively popular IT methodology: DevOps. Whether you’ve never heard of the term before, or you’re in the midst of adopting DevOps methods, bring your questions to this interactive session, or email them ahead of time to <todo: insert email address>. In this open discussion session, feel free to chime in with your own experiences, ask whatever questions come to mind, or just soak it all in.

Azure Portal vs Azure PowerShell Module Smackdown

Lots of people depend on the Azure Portal (accessed through the web browser) to administer Azure. The AzureRM PowerShell module, however, offers the same and often more features than the Portal does, and opens the door to automate administrative tasks in ways that are impossible through the GUI.

In this demo-heavy session, you’ll learn where the overlaps are, and what’s unique between these two options for administering Azure. Plus, you’ll pick up some quick tips for automating mundane and time-consuming Azure-related tasks.

Introduction to Azure Blob Storage

Azure Blob Storage is an exa-scale storage service from Azure that allows for scalable, efficient storage for petabytes of unstructured data. In this session, you’ll see a couple accessible demonstrations of how this service can be used.

Regex for Complete Noobs

Regular expressions are sequences of characters that define a search pattern, mainly for use in pattern matching with strings. Regular expressions are extremely useful to extract information from text such as log files or documents. If you don’t know basic regex, you’re missing out on a hugely important tool. Get some knowledge in you, and check out this session on regex.

The Gift of Community

Microsoft MVPs have hugely diverse backgrounds, expertise, and strengths, but one thing every MVP shares is a passion for COMMUNITY. Giving back to the technical community is how MVPs get awarded, but getting awarded is not why MVPs do what they do. Join us in this session to learn about participating in technical communities, and you’ll find the motivation to get going too!

Writing Your First Azure Automation Runbook

Azure Automation is a core service offered by Azure that allows people to run scripts and workflows unattended, on a schedule, on demand, on infrastructure they don’t have to worry about. Azure Automation is a very flexible tool that anyone with any Azure presence at all should be looking into.

In this demo-heavy session, you’ll get a short crash course in writing your first Azure Automation runbook from Thomas Rayner, who’s responsible for several Azure Automation PluralSight courses.

Writing Your First Azure Function

Rather than worrying about maintaining servers, Azure Functions allow you to focus on building great apps. Functions provides a fully managed compute platform with high reliability and security. With Scale on demand you get the resources you need, when you need them. You can create functions in tons of languages including JavaScript, C#, F#, Python, PHP, Bash, Batch, and of course, PowerShell.

In this demo-heavy session, you’ll see how to create a simple Azure Function and learn the fundamental skills needed to take advantage of this powerful, flexible platform.

Stupid PowerShell Tricks

Don’t get got by these gotchas. Come learn how to avoid some common troubles, and discover some new tricks in PowerShell that will take your scripts to the next level. Take it from this pro, it’s better to hear about these tricks in this session than after fighting with a script for a week.

How To Write (PowerShell) Code That Doesn't Suck

Do you write code? Even a little? Coding is quickly becoming a necessary skill to have. We’re going to get into some of the things that makes your code sad, and some of the things you can do to make it happy again. Want to know how to make your scripts run faster? Want to know how to get other people to stop asking you how your code works? Want to be a valuable member of the IT community? Well, get in here and I’ll show you.

There are a handful of different ways to create custom objects in PowerShell, including building one from a hash table. You might do something like this.

PS> $props = @{'prop1' = 1; 'prop2' = 2}
PS> $obj = New-Object -TypeName PSObject -Property $props

But then, just run $obj and see what you get. This is what I got.

PS> $obj

prop2 prop1
----- -----
    2     1

It put prop2 before prop1 even though I put prop1 first in the hash table! Most of the time, this doesn’t matter, but what about when it does?

Sure, you could use Select-Object to accomplish this.

PS> $obj | Select-Object -Property prop1,prop2

prop1 prop2
----- -----
    1     2

But that seems excessively verbose and inefficient. Luckily there is a better way. Introducing Ordered Hash Tables!

Ordered hash tables are pretty much what they sound like. By default, a hash table is a collection of objects (key and value pairs) whose order isn’t important. An ordered hash table is the same thing, but where the order they are in the hash table matters, and they’re pretty easy to use. Our first lines of code from this example becomes this.

PS> $props = [ordered]@{'prop1' = 1; 'prop2' = 2}
PS> $obj = New-Object -TypeName PSObject -Property $props

Just add the [ordered]  accelerator to the hash table, and now PowerShell will respect the order that you enter items into your hash table.

Starting now, I’m experimenting with new post formats on my blog. Instead of just technical posts describing code, I’m going to begin posting some more free-form articles. Like this one, where I’m going to share a story with you that has some moral relating back to IT.

It was the start of December 2017 and I was in Toronto to attend MVP Community Connection day, which is an event exclusively for Microsoft MVPs where we get together, socialize and connect with each other and Microsoft employees, get a little soft skills training, and provide feedback on things we’d like to see from Microsoft in the upcoming months. MVPs from across Canada traveled to Toronto to enjoy this always enjoyable event.

Microsoft is kind enough to supply accommodations at a hotel I won’t name, and I had the great pleasure of sharing a room with fellow MVP and all-round good guy, Will Anderson. We had a great time except for one small inconvenience. From the moment we first used it, it was apparent that our toilet had issues. This thing wouldn’t even flush the water that it filled itself up with. I know what you’re thinking, but we treated it with respect.

[caption id=”attachment_669” align=”alignleft” width=”300”] Will and myself at MVP Summit 2016, preparing content for the 10th anniversary of PowerShell celebration.[/caption]

No big deal, we called the front desk and asked them to send someone to try and fix it. One more problem, though. It was after midnight by the time we got back to our room and that meant the normal maintenance people had gone home. So, the person they sent shows up empty handed, tries flushing the toilet again (like we didn’t try that), and said that was all she could do. Neither Will nor myself are plumbers, but we suggested maybe this person might try to use a plunger on the situation. She replied that she did not have the key to the plunger but could send someone at 7 AM with one. That’s right. This person responding to our potential plumbing emergency did not have the key to the plunger. Luckily, we didn’t have any urgent “needs” and nothing was in any risk of impending doom.

What’s the moral here? How does this relate to IT? Well, imagine you find yourself in an emergency situation - you’ve been hit by ransomware, your CFO’s Active Directory credentials have been compromised, a Hyper-V host just went down, or some other metaphorical “toilet” has become “clogged”. You have people there who are willing to help, just like Will and I had this maintenance person in the hotel, but are they able to actually do what they need to do in an emergency?

Say your IT staff need to respond to an emergency. Have they practiced normal emergency response scenarios? Does everyone know their role and responsibilities? Is anyone going to get stuck on managerial approval, missing a privilege, or following out dated instructions? Obviously safety measures and safeguards are important, but there’s a point of diminishing returns (can’t unclog a toilet because you don’t have the plunger key, can’t temporarily disable a compromised CFO’s account because you don’t have permission to disable executives’ accounts, etc.).

In addition to making sure you haven’t hit that point of diminishing returns with your IT safeguards, know that your disaster recovery and emergency reaction manuals are only as valid as the last time you tested them. You might be doing a great job of backing up your NAS every night, but how good are you at restoring it?

The bottom line is: make sure you stay out of your own way when it comes to IT emergencies, and test to make sure your steps to respond are actually valid. It could save you a lot of pain and embarrassment one day!

In the PowerShell Slack, I recently answered a question along these lines. Say you have a string that reads “first thing {} second thing {}” and you want to get to “first thing {0} second thing {1}” so that you can use the -f  operator to insert values into those spots. For instance…

"first thing {0} second thing {1}" -f $(get-date -format yyyy-MM-dd), $(get-random)
# Will return "first thing 2018-01-10 second thing <a random number>"

The question is: how can you replace the {}’s in the string to {<current number>}?

You might think you could do something like this.

$string = 'first thing {} second thing {}'
$i = 0
[regex]::replace($string, "\{\}", {"{$($i)}"; $i++})

But you’d be disappointed.

If you’re not sure what’s going on, the [regex] accelerator has a replace  method that works like -replace  does. It takes three arguments: the string that is being worked on, the pattern being detected, and what to replace the pattern with. In this case, I gave it a scriptblock to replace it with the value of $i  and then increment the value of the variable by one. Unfortunately, it doesn’t look like $i  gets incremented. Everything gets replaced with a {0}  instead of an incremented number.

Long story short, this is a PowerShell scoping issue. If you make $i  a part of a bigger scope like global, script, or something that makes sense for your situation, you’ll get the results you desire (global is probably not the best choice).

$string = 'first thing {} second thing {}'
$global:i = 0
[regex]::replace($string, "\{\}", {"{$($global:i)}"; $global:i++})

#returns first thing {0} second thing {1}

And this will work just fine in your -f  replacement operations!

If you’re a frequent reader of my blog, you know that I mostly post about PowerShell, Microsoft related automation, and that sort of thing. In a previous life, however, I thought I wanted to make a career out of infosec - particularly penetration testing and red team type of stuff. I’m super happy with where my career went instead, but from time to time, I enjoy attempting to knock some of the rust off my ethical hacking/pentesting skills (what little of them there are), and trying my hand at some vulnerable by design boxes. Since it’s the holiday season, I decided to switch things up a little bit for the last couple blog posts.

HackTheBox.eu offers a cool variety of vulnerable by design virtual machines for people to practice their pentesting skills against. There are strict rules about sharing spoilers for “active” boxes, but there are only so many of those, and lots of “retired” boxes are available as well. In today’s post I’m going to share a walkthrough of how I did the retired box “Apocalyst”.

I am not a professional penetration tester or red teamer, nor is this meant to be the type of write up that I’d provide to a client if I was doing this for money. This is just a summary of what I did to get the user and root flags on the box. I’m not going to get into any of the rabbit holes or areas that didn’t lead to a solution (because this isn’t a real write up).

First things first, I ran nmap to see what might be up and running on the box. I ran safe scripts, enumerated versions, and saved all output with the file basename “nmap”.

nmap -sC -sV -oA nmap 10.10.10.46

You’ll quickly find a Wordpress site is up and running. If you run wpscan –enumerate u or just look around at some of the posts, you’ll find a username: falaraki. If you use dirbuster and any of the normal wordlists, you may have a challenging time. I used cewl to make a wordlist for dirbuster after receiving a small nudge in the HTB Slack channel. You’ll find a whole pile of directories, each one containing a seemingly identical image. Sounds like we’re in for everybody’s favorite thing in the world: steganography!

I wrote a quick script to download all of them because I love taking up tons of diskspace on my VM, and you’ll find that the image in the “Rightiousness” directory looks the same as the others but has a larger file size. You can use steghide extract -sf rightiousness.jpg with no password to extract a wordlist hidden in the larger image. Maybe this is why the box is called Apocalyst… apoca… list. Wordlist. Maybe.

I used hydra on the Wordpress login page with the falaraki username I found earlier and the wordlist that came out of the image. The Wordpress password for falaraki is in the list, and I got in. This password does not work for the same user or root on SSH. As far as I could tell, the stegoed wordlist doesn’t contain any other useful passwords.

I uploaded my own plugin to the Wordpress site, since falaraki is a Wordpress admin, which executed PHP to get the user flag and a reverse shell onto the box as the www-data user.

If you explore /home/falaraki, you’ll find a hidden file named “.secret”. Check it out, and you’ll see pretty quickly that it’s a base64 encoded file. Decode it to find a password for falaraki that you can use to SSH into the box, elevating yourself from www-data to falaraki.

After running some privilege escalation enumeration scripts, it quickly became apparent that falaraki has write permissions on /etc/passwd, so I added a uid 0 user with a password that I knew, authenticated as that user, and used my root privileges to get the root flag.

Overall, I didn’t love this box. It felt a little too capture-the-flag-y with all the images and then a wordlist being what was hidden via steganography. Still, I learned about some basic stego techniques which I appreciated, and exploiting the ability to upload my own Wordpress plugins.

If you’re a frequent reader of my blog, you know that I mostly post about PowerShell, Microsoft related automation, and that sort of thing. In a previous life, however, I thought I wanted to make a career out of infosec - particularly penetration testing and red team type of stuff. I’m super happy with where my career went instead, but from time to time, I enjoy attempting to knock some of the rust off my ethical hacking/pentesting skills (what little of them there are), and trying my hand at some vulnerable by design boxes. Since it’s the holiday season, I decided to switch things up a little bit for the next couple blog posts.

HackTheBox.eu offers a cool variety of vulnerable by design virtual machines for people to practice their pentesting skills against. There are strict rules about sharing spoilers for “active” boxes, but there are only so many of those, and lots of “retired” boxes are available as well. In today’s post I’m going to share a walkthrough of how I did the retired box “Blocky”.

I am not a professional penetration tester or red teamer, nor is this meant to be the type of write up that I’d provide to a client if I was doing this for money. This is just a summary of what I did to get the user and root flags on the box. I’m not going to get into any of the rabbit holes or areas that didn’t lead to a solution (because this isn’t a real write up).

First things first, I ran nmap to see what might be up and running on the box. I ran safe scripts, enumerated versions, and saved all output with the file basename “nmap”.

nmap -sC -sV -oA nmap 10.10.10.37

You’ll quickly see that there is a Wordpress site running, and when you visit it, it appears to be a place for information on someone’s Minecraft server. After some basic poking around, and taking notice of the “Notch” username of the person who made all the posts on the site, I ran dirbuster on it to find any possibly interesting directories or files.

Poking around in the dirbuster results, I found a /wp-content/uploads folder that contained two .jar files. It was around this time that I learned that .jar files are basically just archives and can be unzipped with things like unzip on the Linux CLI. Predictably, there are some .class files in the extracted data, which can be decompiled using javap.

If you search through the decompiled classes, you’ll find a hard coded password for “root”. This isn’t the root password, but rather is for something Minecraft related. Still, it seemed too good to be true, so I started sticking it other places, using the “Notch” username that was found earlier.

Turns out, password re-use is at play here and you can SSH into Blocky using the “Notch” account and the password from the decompiled .class. Notch can read the user flag.

I spent far too long enumerating and poking around looking for a privilege escalation of some kind, when if you just run sudo -l, you’ll see that Notch has full rights, and so you can sudo anything you want, including reading the root flag.

Even though Blocky was a very easy box to pop, I still learned about extracting jars and decompiling classes, which made me appreciate it for what it is. I also learned that there are a few pieces of low-hanging privilege escalation fruit to check on every box before going too nuts enumerating everything.

If you’re a frequent reader of my blog, you know that I mostly post about PowerShell, Microsoft related automation, and that sort of thing. In a previous life, however, I thought I wanted to make a career out of infosec - particularly penetration testing and red team type of stuff. I’m super happy with where my career went instead, but from time to time, I enjoy attempting to knock some of the rust off my ethical hacking/pentesting skills (what little of them there are), and trying my hand at some vulnerable by design boxes. Since it’s the holiday season, I decided to switch things up a little bit for the next couple blog posts.

HackTheBox.eu offers a cool variety of vulnerable by design virtual machines for people to practice their pentesting skills against. There are strict rules about sharing spoilers for “active” boxes, but there are only so many of those, and lots of “retired” boxes are available as well. In today’s post I’m going to share a walkthrough of how I did the retired box “Europa”.

I am not a professional penetration tester or red teamer, nor is this meant to be the type of write up that I’d provide to a client if I was doing this for money. This is just a summary of what I did to get the user and root flags on the box. I’m not going to get into any of the rabbit holes or areas that didn’t lead to a solution (because this isn’t a real write up).

First things first, I ran nmap to see what might be up and running on the box. I ran safe scripts, enumerated versions, and saved all output with the file basename “nmap”.

nmap -sC -sV -oA nmap 10.10.10.22

Among other things, one of the items that is immediately revealed is that Europa is running a web server, and has an SSL certificate protecting the HTTPS part. Right there in the nmap output, you can see that the certificate has a subject alternative name for an “admin-portal” subdomain.

Obviously with a name as juicy as “admin-portal”, that’s where I’m going to start. You can find the login.php page there. As with any login form, I tried a couple manual SQL injection techniques but wasn’t immediately granted access, so I used Burpsuite to capture a post request to login.php and sent it over to sqlmap. Eventually sqlmap will pop that login form open for you and get you redirected to dashboard.php.

Poking around the admin portal, you’ll quickly find a page named tools.php that has a “VPN config builder”. It appears to be doing some sort of find and replace to plug in a value that you provide. Immediately, this seems like a place to insert some code.

Capture one of the posts to the config builder and you’ll see that there are actually a few variables being sent. One for the pattern being detected (where the “IP” will be inserted), the IP/value that will be inserted into the config, and a base for the config itself (which includes the pattern in the first variable. PHP uses a function called preg_replace to do this kind of find and replace functionality, and doesn’t execute code by default. There is, however, a way to make it do just that.

If you replace the IP address to be inserted into the config with bash code, it will take the literal bash code that you entered and write that out without executing it. If you append an “e” to the first argument that preg_replace takes, though, then it will evaluate the bash code and replace your pattern with the value. So if you change the pattern to “/mything/e”, the value to replace it with (variable named IP) to some bash code, and then the rest of the config to just be “mything”, that will make it easier to comb through the output. This can all be done in Burpsuite repeater, and you’ll see the output of the bash command you put in the IP field instead of the literal string that you put in there. You can use this technique to get the user flag and to create a reverse shell.

If you run any decent privilege escalation enumeration script after you’re logged in with your reverse shell (I prefer LinEnum.sh but I’m a noob so do what you like), you’ll see that there is an unusual PHP file being executed by root via cron every minute. You can read it and see that it clears logs and then calls another script when it’s done. This second script that it calls is world writable, so you can put anything you want in it, and it will be executed as root in about a minute. You can use this technique to get the root flag, and you’re done.

Overall, I enjoyed this box. I learned about the preg_replace attack vector which I didn’t previously know about, and I like learning new things. The privesc was really straight forward, but sometimes that’s not so bad.

Working with strings in PowerShell is fun, I don’t care what you say. In this post, I’m going to show you how to clean up the strings your code outputs, at least in some situations.

Say you have a variable $fileExtensions which you populated with this command.

PS> $fileExtensions = Get-ChildItem | Group-Object -Property Extension

And, for some reason, instead of the default output which is formatted like a table, I want output presented like this.

.ps1     file extension: 11
.xlsx    file extension: 3
.dll     file extension: 1

This is a silly example, but notice that even though there are extensions of varying length (.ps1 and .dll are four characters including the dot, and .xlsx is five), all of the “file extension: <number>” is aligned.

How’d I do that? Let’s start with some code that doesn’t work.

PS> $fileExtensions | foreach-object { "$($_.Name) file extension: $($_.Count)" }

.ps1 file extension: 11
.xlsx file extension: 3
.dll file extension: 3

How incredibly unfortunately unattractive! Luckily, it’s not too hard to fix. Check out this code.

PS> $fileExtensions | foreach-object { "{0,-8} file extension: {1}" -f $_.Name, $_.Count }


.ps1     file extension: 11
.xlsx    file extension: 3
.dll     file extension: 3

Oh yes look at that goodness. In this example I’m using the -f  operator to insert the variables into the string. Let’s break down the new string I’m creating.

{0} and {1] are basically placeholders. The -f operator is going to insert the variables that come after it ($_.Name and $_.Count) into the 0 and 1 spots.

The ,-8 is a formatting instruction. The 8 means that this part of the string is going to be a column that takes up 8 characters worth of space. The negative sign means that the data inserted is left aligned. If I had used “positive eight” it would have been right aligned.

Now you can take this and run, to do fun things like this.

# Input
$header = "[$(Get-Date -format G)]"
Write-Output "$header First line"
Write-Output $("{0,$($header.Length)} Second line" -f " ")
Write-Output $("{0,$($header.Length)} Third line" -f " ")

# Output

[11/2/2017 12:47:58 PM] First line
                        Second line
                        Third line

If you’re just getting started in PowerShell, it’s possible that you haven’t bumped into this specific issue yet. Perhaps you’ve got a variable $users and you’re assigning it a value like this.

PS> $users = Get-ADUser -Filter "samaccountname -like '*thmsrynr'"

This will get all the users in your Active Directory whose username ends with “thmsrynr”.

Great! Now how many users got returned? We can check the Count property to find out.

PS> $users.Count
3

Looks like there are three users in my AD that got returned. Now the problem at hand, what if there’s only one user returned? What if only one user in my AD has that kind of username? I’ll end up with this.

PS> $users.Count
# Nothing gets returned...

Even though I can do this and see there is one user in there.

PS> $users

DistinguishedName : CN=ThmsRynr,OU=Users,DC=PCLINC,DC=domain,DC=tld
Enabled           : True
GivenName         : Thomas
Name              : Thomas Rayner
ObjectClass       : user
ObjectGUID        : <snip>
SamAccountName    : ThmsRynr
SID               : <snip>
Surname           : Rayner
UserPrincipalName : thmsrynr@outlook.com

What if I was doing something like this?

if ($users.Count -gt 0) {
    # Do something
}
else {
    # Do something else
}

Since $users.Count is null even when there’s one user in there, my if statement won’t work correctly. Well, you can take a bit of a shortcut and do something a bit different when you’re assigning a value to $users.

$users = @(Get-AdUser -Filter "samaccountname -like '*thmsrynr'")

By wrapping the command in @( ) we are forcing $users to be an array even if only one item is returned.

This issue happens because PowerShell loves to unroll arrays and other collections for you. By doing this workaround, if there’s only one AD user whose username ends in thmsrynr, you’ll still end up with an array with a single item in it, and $users.Count will return “1” like you expected.

If you’re just getting started in PowerShell, it’s possible that you haven’t bumped into this specific issue yet. Say you’ve got a variable named $user and this is how you assigned a value to it.

$user = Get-AdUser ThmsRynr

Using the Active Directory module, you got a specific user. Now, you want to report two properties back to the end user: SamAccountName and Enabled. The desired output looks like this:

The account ThmsRynr has enabled status of True.

So, you try something like this.

Write-Output "The account $user.SamAccountName has the enabled status of $user.Enabled"

And you’ll get something totally unexpected!

The account CN=ThmsRynr,OU=Users,DC=domain,DC=tld.SamAccountName has the enabled status of CN=ThmsRynr,OU=Users,DC=domain,DC=tld.Enabled

Whaaaat? That’s not what we want. What happened? It looks like I got the distinguished name of the user and then literally “.SamAccountName” and “.Enabled”. Doesn’t PowerShell know that I actually want the SamAccountName and Enabled properties?

Well, the short answer is no, PowerShell doesn’t know that. What if you had a variable $domain set to “workingsysadmin” and wanted to do Write-Output “$domain.com” to get “workingsysadmin.com” written out? PowerShell doesn’t know if you’re trying to access a property on the variable, or work with .com (or .SamAccountName or .Enabled) as a literal string.

So what do we do? We’ll use some brackets.

Write-Output "The account $($user.SamAccountName) has the enabled status of $($user.Enabled)"

This will give the desired output. What we’ve done is use $( ) to tell PowerShell that we want to evaluate the entire expression wrapped in those brackets, and use that in our string.

If you’ve used the Azure Resource Manager (AzureRM) PowerShell module much, you may have noticed it may sometimes behave strangely. In this post, I’m going to share one that had me stuck for longer than I care to admit…

So, here’s the situation. I was working in the PowerShell console, looking to enumerate the automation schedules (that kick off Azure Automation runbooks) in one automation account. I ran this command to get started.

Get-AzureRmAutomationSchedule -ResourceGroupName 'my-rg' -AutomationAccountName 'my-aa'

I got predictable output, too. Here’s the example output for one of the schedules.

StartTime              : 9/30/2017 12:01:00 PM -06:00
ExpiryTime             : 12/31/9999 4:59:00 PM -07:00
IsEnabled              : True
NextRun                : 11/30/2017 12:01:00 PM -07:00
Interval               : 1
Frequency              : Month
MonthlyScheduleOptions :
WeeklyScheduleOptions  :
TimeZone               : America/Denver
ResourceGroupName      : my-rg
AutomationAccountName  : my-aa
Name                   : General Name
CreationTime           : 9/20/2017 10:26:26 AM -06:00
LastModifiedTime       : 9/20/2017 10:26:26 AM -06:00
Description            :

There’s just one problem. I know for a fact this schedule runs on the last day of every month, and includes data in the MonthlyScheduleOptions field which is empty above. What gives?

Well, as it turns out, the monthly and weekly schedule options are only returned if you specify a specific automation schedule like this.

Get-AzureRmAutomationSchedule -ResourceGroupName 'my-rg' -AutomationAccountName 'my-aa' -name 'General Name'

Now I get this output.

StartTime              : 9/30/2017 12:01:00 PM -06:00
ExpiryTime             : 12/31/9999 4:59:00 PM -07:00
IsEnabled              : True
NextRun                : 11/30/2017 12:01:00 PM -07:00
Interval               : 1
Frequency              : Month
MonthlyScheduleOptions : Microsoft.Azure.Commands.Automation.Model.MonthlyScheduleOptions
WeeklyScheduleOptions  : Microsoft.Azure.Commands.Automation.Model.WeeklyScheduleOptions
TimeZone               : America/Denver
ResourceGroupName      : my-rg
AutomationAccountName  : my-aa
Name                   : General Name
CreationTime           : 9/20/2017 10:26:26 AM -06:00
LastModifiedTime       : 9/20/2017 10:26:26 AM -06:00
Description            :

That on it’s own isn’t useful because it’s just showing me the type of object that’s there, but I can do something like this to get more meaningful output (for my purposes here).

Get-AzureRmAutomationSchedule -ResourceGroupName 'my-rg' -AutomationAccountName 'my-aa' -name 'General Name' | select Name,@{l='DaysOfMonth'; e={$_.MonthlyScheduleOptions.DaysOfMonth}}

And get output like this.

Name                     DaysOfMonth
----                     -----------
General Name             LastDay

There’s more elements in weekly and monthly schedule options than I’m using here, but this is just to highlight the behavior of the Get-AzureRmAutomationSchedule cmdlet. If you don’t specify a value for -Name parameter, then you won’t get all the information back about the schedules you’re seeing.

By the way, there are plenty of other AzureRM cmdlets that work this way. So, if you’re working with Azure in PowerShell and wondering why the AzureRM module doesn’t seem to be giving you all the data that it should, check for the presence of this quirk.

Say you’ve got a hashtable with a bunch of data in it, but the key is not a string. How do you refer to specific items?

You can set something up to experiment with this with this code.

PS> $a = @{}
PS> 1..3 | % { $a.add($(New-Guid), $_) }

Declare $a as a new empty hashtable, and then add three items to it. The key is a GUID, and the value is just a number. You get something like this.

PS> $a

Name                           Value
----                           -----
a2022422-ffe6-4291-a736-c1d... 1
33b8251c-8c09-433c-ae88-666... 3
4d9d41c1-8a0b-4326-ad59-164... 2

Now say you want to refer to the first item in the list whose key/GUID is a2022422-ffe6-4291-a736-c1de97720f25, in my example. You could try any of these.

PS> $a.a2022422-ffe6-4291-a736-c1de97720f25
PS> $a.'a2022422-ffe6-4291-a736-c1de97720f25'
PS> $a['a2022422-ffe6-4291-a736-c1de97720f25']
PS> $a.Item('a2022422-ffe6-4291-a736-c1de97720f25')

But none of these actually return any information. The problem is that the key is a GUID, not a string, but we’re trying to refer to it as a string. Instead, you have to treat it like a GUID.

PS> $a[[guid]'a2022422-ffe6-4291-a736-c1de97720f25']

1

By casting the string as a GUID, you’re telling the hashtable that you’re not just looking for a string. This same thing works for other data types like integers.

I have previously written about working with the ServiceNow API, and I’ve continued to use it since my last post on the topic. One of the things that I find myself doing a lot is using PowerShell to add a work note to an incident. Luckily, ServiceNow has an API that you can use to interact with it and do this (among many other things).

Since I know that all my information is stored in the Incident table, it’s not too many steps to get an incident out of ServiceNow if I have the incident number.

$user = $Credential.Username
$pass = $Credential.GetNetworkCredential().Password
$base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $user, $pass)))
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add('Authorization',('Basic {0}' -f $base64AuthInfo))
$headers.Add('Accept','application/json')
$uriGetIncident = "https://$SubDomain.service-now.com/api/now/table/incident?sysparm_query=number%3D$SNIncidentNumber&sysparm_fields=&sysparm_limit=1"
$responseGetIncident = Invoke-WebRequest -Headers $headers -Method "GET" -Uri $uriGetIncident
$resultGetIncident = ($responseGetIncident.Content | ConvertFrom-Json).Result

Assuming I already created a credential object named $Credential to hold my ServiceNow creds, I can add do some encoding to assemble them in a way that I can add them to the header of the request I’m about to make. I’m doing that on the first three lines.

On lines 5 - 7, I’m constructing those headers. So far, I’m following all the PowerShell examples given in the ServiceNow documentation and are similar to my last post on using the ServiceNow API.

Line 9 is where I create the URI for the incident get request. You’ll notice I have a variable for both the subdomain (will be unique for your instance of ServiceNow) and the ServiceNow incident number.

Lines 10 and 11 get the incident and parse the results of my request.

Now I can add some work notes.

$workNotesBody = @"
{"work_notes":"$Message"}
"@
$uriPatchIncident = "https://$SubDomain.service-now.com/api/now/table/incident/$($resultGetIncident.sys_id)"
$null = Invoke-WebRequest -Headers $headers -Method "PATCH" -Uri $uriPatchIncident -body $workNotesBody

On lines 1 - 3, I’m making the body of my patch request, to say that I’m adding the value of $Message into the work_notes field of my incident. Line 5 is where I make the URI for this patch activity, using the sys_id that came out of the get query I performed earlier.

On line 5, I’m muting the output of the web request to add the work notes to the incident. I’m reusing the headers I set up for the get query.

Registration for the PowerShell + DevOps Global Summit just opened today. This thing sells out every year so now is the time to start getting approval to attend if you need it, and buy a ticket.

Check out the event brochure for info about the conference. You can use it as leverage to convince whoever needs convincing that you should go. The PowerShell + DevOps Global Summit speaker line up and session schedule is also up right now, and as you’ll see, it’s absolutely stacked. This is also a great chance to meet people who work at Microsoft on the PowerShell (and other) teams, as well as a bunch of MVPs at the top of this field. Make no mistake, this is a crazy good networking opportunity.

There are limited hotel discount codes available, and plane tickets will probably only rise in price as you wait, so get on it if you’re going to come!

Some of the sessions I’m most excited for are Kirk Munro’s Become a PowerShell Debugging Ninja, Warren Frame’s Connecting the Dots with PowerShell, Eli Hess’ PowerShell IoT, Ryan Coates Build Release Pipeline Model For Mere Mortals, Will Anderson’s Automate Problem Solving with PowerShell, Azure Automation and OMS, and of course the session that I’m presenting, A Crash Course in Writing Your Own PSScriptAnalyzer Rules.

It’s going to be really hard to go to a “bad” session, though. With this line up, it’s going to be impossible not to learn something valuable no matter which sessions you attend.

Hope to see you there!

As a best practice, as an administrator you should have separate accounts for your normal activities (emails, IM, normal stuff) and your administrative activities (resetting passwords, creating new mailboxes, etc.). It’s obviously best not to log into your normal workstation as your administrative user. You’re also absolutely not supposed to remote desktop into a domain controller (or another server) just to launch a PowerShell console, import the ActiveDirectory module, and run your commands. Here’s  better way.

We’re going to leverage the $PSDefaultParameterValues built-in variable which allows you to specify default values for cmdlets every time you run them.

First, set up a variable to hold your credentials.

PS> $acred = Get-Credential -Message 'Admin creds'

Now, import the ActiveDirectory module.

PS> Import-Module ActiveDirectory

And finally, a little something special.

PS> $PSDefaultParameterValues += @{ 'activedirectory:\*:Credential' = $acred }

I’m adding a value to my $PSDefaultParameterValues variable. What I’m saying is for all the cmdlets in the ActiveDirectory module, set the -Credential parameter equal to the $acred variable that I set first.

Now when I run any commands using the ActiveDirectory module, they’ll run the the administrative credentials I supplied, instead of the credentials I’m logged into the computer with.

Last week, I wrote a post on the difference between .split() and -split in PowerShell. This week, we’re going to keep splitting strings, but we’re going to try to retain the character that we’re splitting on. Whether you use .split() or -split, when you split a string, it takes that character and essentially turns it into the separation of the two items on either side of it. But, what if I want to keep that character instead of losing it to the split?

Well, we’re going to have to dabble in regular expressions. Before you run away screaming, as I know some people do when it comes to regex, let me walk you through this and see if you don’t mind dipping a toe in these waters.

In our scenario, I’ve got a filename and I’m going to split it based on the slashes in the path. Normally I’d get something like this.

PS> $filename = get-item C:\temp\demo\thing.txt
PS> $filename -split '\\'

C:
temp
demo
thing.txt

Notice how I had to split on “\”? I had to escape that backslash. We’re regexing already! Also notice that I lost the backslash on which I split the string. Now let’s do a tiny bit more regex in our split pattern to retain that backslash.

PS> $filename -split '(?=\\)'

C:
\temp
\demo
\thing.txt

Look at that, we kept our backslash. How? Well look at the pattern we split on: (?=\). That’s what regex calls a “lookahead”. It’s contained in round brackets and the “?=” part basically means “where the next character is a “ and the “\” still means our backslash. So we’re splitting the string on the place in the string where the next character is a backslash. we’re effectively splitting on the space between characters.

NEAT! Now what if I wanted the backslash to be on the other side? That is, at the end of the string on each line instead of the start of the line after? No worries, regex has you covered there, too.

PS> $filename -split '(?<=\\)'

C:\
temp\
demo\
thing.txt

This is a “lookbehind”. It’s the same as a lookahead, except it’s looking for a place where the character to the left matches the pattern, instead of the character to the right. A lookbehind is denoted with the “?<=” characters.

There are plenty of resources online about using lookaheads and lookbehinds in regex, but if you’re not looking specifically for regex resources, you probably wouldn’t have found them. If PowerShell string splitting is what you’re after, hopefully you found this interesting.

Regex isn’t that scary, right?

Here’s a question I see over and over and over again: “I have a string and I’m trying to split it on this part, but it’s jumbling it into a big mess. What’s going on?” Well, there’s splitting a string in PowerShell, and then there’s splitting a string in PowerShell. Confused? Let me explain.

Say you have this string for our example.

PS> $splitstring = 'this is an interesting string with the letters s and t all over the place'

Now let’s say you want to split it on all the “s” characters. You might do this and get these results.

PS> $splitstring.split('s')

thi
 i
 an intere
ting
tring with the letter

 and t all over the place

That did exactly what we thought it would. It took our string and broke it apart on all the “s”’s. Now, what if I want to split it where there’s an “st”? There’s only two spots it should split: the “st” in “interesting” and in “string”. Let’s try the same thing we tried before.

PS> $splitstring.split('st')


hi
 i
 an in
ere

ing

ring wi
h
he le

er

 and
 all over
he place

Well that ain’t right. What happened? If we look closely, we can see that our string was split anywhere that there was an “s” or a “t”, rather than where there was an “st” together.

.split() is a method that takes an array of characters and then splits the string anywhere it sees any of those characters.

-split is an operator that takes a pattern string (regular expression) and splits the string anywhere it sees that pattern.

Here’s what I should have done to split our string anywhere there’s an “st”.

PS> $splitstring -split 'st'

this is an intere
ing
ring with the letters s and t all over the place

That looks more like we’re expecting.

Remember, .split() takes an array of characters, -split takes a string.

In PowerShell, when outputting data to the console, it’s typically either organized into a table or a list. You can force output to take either of these forms using the Format-Table and the Format-List cmdlets, and people who write PowerShell cmdlets and modules can take special steps to make sure their output is formatted as they desire. But, when no developer has specifically asked for a formatted output (for example, by using a .format.ps1xml file to define how an object is formatted), how does PowerShell choose to display a table or a list?

The answer is actually pretty simple and I’m going to highlight it with an example. Take a look at the following piece of code.

PS> get-wmiobject -class win32_operatingsystem | select pscomputername,caption,osarch*,registereduser

PSComputerName  caption                         OSArchitecture registereduser
--------------  -------                         -------------- --------------
workingsysadmin Microsoft Windows 10 Enterprise 64-bit         ThmsRynr@outlook.com

I used Get-WmiObject to get some information about my operating system. I selected four properties and PowerShell decided to display a table. Now, let’s add another property to return.

PS> get-wmiobject -class win32_operatingsystem | select pscomputername,caption,osarch*,registereduser,version


PSComputerName : workingsysadmin
caption        : Microsoft Windows 10 Enterprise
OSArchitecture : 64-bit
registereduser : ThmsRynr@outlook.com
version        : 10.0.14393

Whoa, now we get a list. What gives?

Well here’s how PowerShell decides, by default, whether to display a list or table:

• If showing four or fewer properties, show a table
• If showing five or more properties, show a list

That’s it, that’s how PowerShell decides by default whether to show you a list or table.

Recently, I was helping someone in a forum who was trying to figure out what kind of object their command was returning. They knew about the standard cmdlets people suggest when you’re getting started (Get-Help, Get-Member, and Get-Command), but couldn’t figure out what was coming back from a specific command.

In order to make this a more generic example, and to simplify it, let’s approach this differently. Say I have these two objects where one is a string and the other is an array of two strings.

PS> $thing1 = 'This is an item'
PS> $thing2 = @('This is another item','This is one more item')
PS> $thing1; $thing2

The third line shows you what you get if you write these out to the screen.

This is an item
This is another item
This is one more item

It looks like three separate strings, right? Well we should be able to dissect these with Get-Member to get to the bottom of this and identify the types of objects these are. After all, one is a string and the other is an array, right?

PS> $thing1 | Get-Member


   TypeName: System.String

Name             MemberType            Definition
----             ----------            ----------
Clone            Method                System.Object Clone()
<output truncated>

So far, so good. $thing1 is our string, so we’d expect the TypeName to be System.String. Let’s check the array.

PS> $thing2 | Get-Member


   TypeName: System.String

Name             MemberType            Definition
----             ----------            ----------
Clone            Method                System.Object Clone()
<output truncated>

Dang, $thing2 is an array but Get-Member is still saying the TypeName is System.String. What’s going on?

Well, the key here is what we’re doing is writing the output of $thing2 into Get-Member. So the output of $thing2 is two strings, and that’s what’s actually hitting Get-Member. If we want to see what kind of object $thing2 really is, we need to use a method that’s built into every PowerShell object: GetType().

PS> $thing2.GetType()

IsPublic IsSerial Name                                     BaseType
-------- -------- ----                                     --------
True     True     Object[]                                 System.Array

There you go. $thing2 is a System.Array object, just like we thought.

Get-Member is useful for exploring objects properties and methods, as well as their type. In this case, however, it was exploring the object that was being passed to it through the pipeline.

The Pester people don’t really recommend this, but, I find it can be really helpful sometimes. What I’m talking about is dynamically creating assertions inside of a Pester test using PowerShell. While I think you should strive to follow best practices, sometimes what’s best for you isn’t always a best practice, and as long as you know what you’re doing, I think you can get away with bending the rules sometimes. Don’t tell anyone I said that.

Say you had a requirement to make sure that a function you wrote performed math, correctly. Maybe it looks like this.

function Get-Square {
    param (
        [int]$Number
    )
    $result = $Number * $Number
    $result
}

This will just get the square of the number we pass it. Your test might look like this.

describe 'Get-Square' {
    it 'squares 1' {
        Get-Square 1 | Should Be 1
    }

    it 'squares 2' {
        Get-Square 2 | Should Be 4
    }

    it 'squares 3' {
        Get-Square 3 | Should Be 9
    }
}

This would work. It would test your function correctly, and give you all the feedback you expect. There’s another way to do this, though. Check out this next example.

describe 'Get-Square' {
    $tests = @(
        @(1,1),
        @(2,4),
        @(3,9)
    )
    foreach ($test in $tests) {
        it "squares $($test[0])" {
            Get-Square $test[0] | Should Be $test[1]
        }
    }
}

This particular example gets more complicated, but shows you what I’m talking about. $tests is an array of smaller arrays where the first number is the number to be squared, and the second number is the answer we expect. Then for each test (array in $tests), I’m generating a new it assertion. Neat, right?

Yes, in this particular situation, we ignored Pester test cases, which would have worked here too. This was just a silly example to show how you might tackle this problem differently, or in a situation where test cases wouldn’t work for you.

With Windows 10, you can install Bash on Windows. Cool, right? Having Bash on Windows goes a long way towards making Windows a more developer-friendly environment and opens a ton of doors. The one I’m going to show you today is more of a novelty than anything else, but maybe you’ll find something neat to do with it.

Get-ChildItem c:\temp\demo | foreach-object { bash -c "echo $($_.Name) | awk /\.csv/" }

In my c:\temp\demo folder, I have three files, two of which are CSVs. In an attempt to be super inefficient, I am piping the files in that directory into a foreach-object loop and using Bash to tell me which ones end in .csv, using awk. This is hardly the best way to do this, but it gives you an idea of how you can start to intermingle these two shells.

There’s a few ways to get all of the shared folders on a server, but not all of them work for all versions of Windows Server. You can use the Get-SmbShare cmdlet, or you can make CIM/WMI do the work for you. I’ll show you what I prefer, though.

To use Get-SmbShare on a remote computer, you’ll create a new CIM session.

PS> New-CimSession -ComputerName $computername -Credential $creds

Id           : 1
Name         : CimSession1
InstanceId   : 110928f2
ComputerName : computername
Protocol     : WSMAN

Then you can pass that CIM session to Get-SmbShare.

PS> Get-SmbShare -CimSession $(get-cimsession -id 1)

Name     ScopeName Path                              Description     PSComputerName
----     --------- ----                              -----------     --------------
ADMIN$   *         C:\windows                        Remote Admin    comp
C$       *         C:\                               Default share   comp
D$       *         D:\                               Default share   comp
IPC$     *                                           Remote IPC      comp
print$   *         C:\windows\system32\spool\drivers Printer Drivers comp
Profiles *         D:\Profiles                                       comp
Transfer *         C:\Shares\Transfer                                comp

But what if the server is (heaven forbid!) older than Windows Server 2012R2? Well, you’d get an error telling you “get-cimclass : The WS-Management service cannot process the request. The CIM namespace win32_share is invalid.”. That won’t do.

Well, luckily for those older servers, you can use Get-WmiObject to retrieve this information.

PS> Get-WmiObject -Class win32_share -ComputerName $oldComp -Credential $creds


Name         Path                                                  Description
----         ----                                                  -----------
ADMIN$       C:\windows                                            Remote Admin
C$           C:\                                                   Default share
D$           D:\                                                   Default share
IPC$                                                               Remote IPC