<p>Thomas Rayner - Writing and deploying secure code - <a href="https://thomasrayner.ca/feed.xml">https://thomasrayner.ca/feed.xml</a> (Jekyll feed generated 2023-06-27T13:44:39-07:00)</p>
<h1>CISSP Study Notes Chapter 18 - Disaster Recovery Planning</h1>
<p>Published 2021-09-01T07:30:00-07:00 - <a href="https://thomasrayner.ca/cissp-study-notes-ch18">https://thomasrayner.ca/cissp-study-notes-ch18</a></p>
<p>Chapter 18 dives into security assessment and testing, and security operations like implementing recovery strategies, DR processes, and testing disaster recovery plans.</p>
<p>Last summer I spent about a month studying for and getting my Certified Information Systems Security Professional (CISSP) certification from ISC2. I went about studying for the test a few ways:</p>
<ul>
<li>I used the PocketPrep app</li>
<li>I attended a study bootcamp</li>
<li>I did a bunch of practice tests</li>
</ul>
<p>And finally…</p>
<ul>
<li>I got the ISC2 CISSP official study guide - I read it cover to cover, and highlighted and annotated the entire thing.</li>
</ul>
<p><a href="https://twitter.com/mrthomasrayner">Twitter (@MrThomasRayner)</a> told me there is interest in seeing my study notes. So, here we go! Welcome to my 21 part series on the takeaways and crucial points from each chapter in the ISC2 CISSP official study guide. To be clear, this isn’t a replacement for all those other study methods I mentioned above. This is just a supplement. This also isn’t <em>everything</em> you need to know for the test. This is just what I feel are the most important points.</p>
<blockquote>
<p>It’s important to remember that while many of these terms and phrases have different meanings in different contexts, the definitions I’m providing below are the ones that are relevant in the CISSP exam. Your own training or experience may tell you that a definition is incorrect or invalid, but if you want to get the exam questions right, you’ll have to know them as they’re defined in the books and study material.</p>
</blockquote>
<p>The CISSP exam is often said to be “a mile wide but only an inch deep” which means you need to know a little bit about <strong>a lot of stuff</strong>. Accordingly, these posts contain <strong>a lot of points</strong> and while you might not be questioned on all of them, you could be questioned on any of them. It’s important to have a good grip on <em>every chapter</em> in its entirety.</p>
<h2 id="previous-chapters">Previous Chapters</h2>
<ul>
<li><a href="/cissp-study-notes-ch1">Chapter 1: Security Governance Through Principles and Policies</a></li>
<li><a href="/cissp-study-notes-ch2">Chapter 2: Personnel Security and Risk Management Concepts</a></li>
<li><a href="/cissp-study-notes-ch3">Chapter 3: Business Continuity Planning</a></li>
<li><a href="/cissp-study-notes-ch4">Chapter 4: Laws, Regulations, and Compliance</a></li>
<li><a href="/cissp-study-notes-ch5">Chapter 5: Protecting Security of Assets</a></li>
<li><a href="/cissp-study-notes-ch6">Chapter 6: Cryptography and Symmetric Key Algorithms</a></li>
<li><a href="/cissp-study-notes-ch7">Chapter 7: PKI and Cryptographic Applications</a></li>
<li><a href="/cissp-study-notes-ch8">Chapter 8: Principles of Security, Models, Design, and Capabilities</a></li>
<li><a href="/cissp-study-notes-ch9">Chapter 9: Security Vulnerabilities, Threats, and Countermeasures</a></li>
<li><a href="/cissp-study-notes-ch10">Chapter 10: Physical Security Requirements</a></li>
<li><a href="/cissp-study-notes-ch11">Chapter 11: Secure Network Architecture and Securing Network Components</a></li>
<li><a href="/cissp-study-notes-ch12">Chapter 12: Secure Communications and Network Attacks</a></li>
<li><a href="/cissp-study-notes-ch13">Chapter 13: Managing Identity and Authentication</a></li>
<li><a href="/cissp-study-notes-ch14">Chapter 14: Controlling and Monitoring Access</a></li>
<li><a href="/cissp-study-notes-ch15">Chapter 15: Security Assessment and Testing</a></li>
<li><a href="/cissp-study-notes-ch16">Chapter 16: Managing Security Operations</a></li>
<li><a href="/cissp-study-notes-ch17">Chapter 17: Preventing and Responding to Incidents</a></li>
</ul>
<h2 id="chapter-18---disaster-recovery-planning">Chapter 18 - Disaster Recovery Planning</h2>
<h3 id="my-key-takeaways-and-crucial-points">My key takeaways and crucial points</h3>
<h4 id="managing-incident-response">Managing Incident Response</h4>
<ul>
<li><em>Disaster recovery plan</em> - covers situations where tensions are already high and cooler heads may not naturally prevail; it should be set up to basically run on autopilot and remove all decision making.</li>
<li>Natural disasters
<ul>
<li>Earthquake - shifting of seismic plates</li>
<li>Floods - Gradual accumulation of rainwater, or caused by seismic activity (tsunamis)
<ul>
<li>“100 year flood plain” means there is an estimated chance of flooding in any given year of 1/100</li>
</ul>
</li>
<li>Storms - Prolonged periods of intense rainfall</li>
<li>Fires - including wildfires, and man-made fires, which may be caused by carelessness, faulty electrical wiring, or improper fire protection practices
<ul>
<li>1000 building fires in the United States every day</li>
</ul>
</li>
<li>Acts of terrorism - General business insurance may not cover against terrorism</li>
<li>Bombings/explosions - Including gases from leaks</li>
<li>Power outages - protected against by uninterruptible power supply (UPS)</li>
<li>Network, utility, and infrastructure failures
<ul>
<li>Which critical systems rely on water, sewers, natural gas, or other utilities?</li>
<li>Think about internet connectivity as a utility.</li>
<li>Do you consider people a critical business system? People rely on things like water.</li>
</ul>
</li>
<li>Hardware/software failures - Hardware components simply wear out, or suffer physical damage.</li>
<li>Strikes/picketing - human factor. If a large number of employees walk out at the same time, what would happen to your business?</li>
<li>Theft/vandalism - Insurance provides some financial protection</li>
</ul>
</li>
</ul>
<h4 id="understand-system-resilience-and-fault-tolerance">Understand System Resilience and Fault Tolerance</h4>
<ul>
<li><em>Single point of failure</em> - SPOF, any component that can cause an entire system to fail.</li>
<li><em>Fault tolerance</em> - the ability of a system to suffer a fault but continue to operate</li>
<li><em>System resilience</em> - the ability of a system to maintain an acceptable level of service during an adverse event</li>
<li>Protecting hard drives
<ul>
<li>RAID-0 - striping</li>
<li>RAID-1 - mirroring</li>
<li>RAID-5 - striping with parity</li>
<li>RAID-10 - aka RAID-1+0, or a stripe of mirrors</li>
</ul>
</li>
<li>Protecting servers
<ul>
<li><em>Failover</em> - If one server fails, another server in a cluster can take over its load</li>
<li>Load balancers detect failures and stop sending traffic to the bad server</li>
<li>Provide fault tolerance</li>
<li>Many IaaS providers offer load balancing that automatically scales resources as needed</li>
</ul>
</li>
<li>Protecting power sources
<ul>
<li><em>Uninterruptible power supply</em> - UPS, battery supplied power for a short period of time that kicks in when power is lost, while a generator starts up to provide backup power</li>
<li><em>Spike</em> - a quick instance of voltage increase</li>
<li><em>Sag</em> - a quick reduction in voltage</li>
<li><em>Surge</em> - a long instance of a spike</li>
<li><em>Brownout</em> - a long instance of a sag</li>
<li><em>Transients</em> - noise on a power line that can come from different sources</li>
<li><em>Line interactive UPS</em> - includes a variable voltage transformer that helps adjust to over/under voltage events</li>
</ul>
</li>
</ul>
<h4 id="trusted-recovery">Trusted Recovery</h4>
<ul>
<li><em>Trusted recovery</em> - After a failure, the system is just as secure as it was before</li>
<li><em>Fail-secure system</em> - defaults to a secure state in the event of a failure, blocking all access
<ul>
<li>Firewalls are normally fail-secure</li>
</ul>
</li>
<li><em>Fail-open system</em> - defaults to an open state, granting access
<ul>
<li>Emergency exit doors are normally fail-open to allow people to escape a hazard in an emergency</li>
</ul>
</li>
<li><em>Manual recovery</em> - After a system failure, it does not fail in a secure state and an administrator needs to perform actions to implement a secured or trusted recovery</li>
<li><em>Automated recovery</em> - The system can perform a trusted recovery to restore itself against at least one type of failure</li>
<li><em>Automated recovery without undue loss</em> - Like automated recovery but it also includes mechanisms to ensure that specific objects are protected to prevent their loss</li>
<li><em>Function recovery</em> - Automatically recover specific functions</li>
</ul>
<h4 id="quality-of-service">Quality of Service</h4>
<ul>
<li><em>Bandwidth</em> - network capacity</li>
<li><em>Latency</em> - time it takes a packet to travel</li>
<li><em>Jitter</em> - variation in latency</li>
<li><em>Packet loss</em> - requires retransmission</li>
<li><em>Interference</em> - electrical noise, faulty equipment</li>
</ul>
<h4 id="recovery-strategy">Recovery Strategy</h4>
<ul>
<li>DR plan should be designed so the first employees on the scene can immediately start recovery efforts in an organized way, even if the official disaster recovery team isn’t there yet</li>
<li>Insurance can reduce the risk of financial losses</li>
<li>Business unit and functional priorities
<ul>
<li>Must engineer DR plan to allow highest priority business units to recover first</li>
<li>Not all critical functions will be carried out in critical business units</li>
<li>Perform a business impact assessment (BIA) - Identify vulnerabilities, develop strategies to minimize risk, provide a report that describes risks. Also identify costs related to failures. Results in a prioritization task. Minimum output of BIA is a simple listing of business units in priority order.</li>
</ul>
</li>
<li>Crisis management
<ul>
<li>Individuals in business who are most likely to notice an emergency situation should be trained in DR procedures and know proper notification processes</li>
</ul>
</li>
<li>Emergency communications
<ul>
<li>Communicate internally during a disaster so employees know what is expected of them</li>
</ul>
</li>
<li>Workgroup recovery
<ul>
<li>The goal is to restore workgroups to the point that they can resume their activities in their usual work locations</li>
<li>May need separate recovery facilities for different workgroups</li>
</ul>
</li>
<li>Alternate processing sites
<ul>
<li><em>Cold site</em> - standby facility, no computing facilities preinstalled. Low cost.</li>
<li><em>Hot site</em> - backup facility that is maintained in constant working order, can have replication forced to it or backups taken from primary site to hot site. Higher cost.</li>
<li><em>Warm site</em> - between hot and cold sites, contain equipment needed to establish operation, but not the production data, may take 12 hours to become operational.</li>
<li><em>Mobile site</em> - self contained trailers or other relocated units</li>
<li><em>Service bureau</em> - company that leases computer time</li>
<li><em>Cloud computing</em> - keeping ready-to-run images with cloud providers is usually cost-effective</li>
<li><em>Mutual assistance agreements</em> - MAA, aka reciprocal agreements are rarely implemented but would mean two organizations pledge to assist each other if there’s a disaster by sharing computing facilities. Difficult to enforce, confidentiality concerns, proximity is an issue.</li>
</ul>
</li>
<li>Database recovery
<ul>
<li><em>Electronic vaulting</em> - database backups are moved to a remote site using bulk transfers. Done in batch, not realtime.</li>
<li><em>Remote journaling</em> - data transfers are performed in a more expeditious manner, still in bulk transfer, but done in realtime.</li>
<li><em>Remote mirroring</em> - most advanced, most expensive. Live DB server is maintained at the backup site.</li>
</ul>
</li>
</ul>
<h4 id="recovery-plan-development">Recovery Plan Development</h4>
<ul>
<li>Maintain multiple types of plan documents for different audiences</li>
<li>Checklists</li>
<li>Emergency response - simple but comprehensive instructions for essential personnel to follow immediately upon recognizing that a disaster is in progress. Most important tasks first.</li>
<li>Personnel and communications - List of personnel to contact in the event of a disaster</li>
<li>Backups and offsite storage
<ul>
<li><em>Full backups</em> - complete copy</li>
<li><em>Incremental backups</em> - Files that have been modified since the most recent full or incremental backup. Only files with the archive bit turned on are duplicated, then those bits are turned off.</li>
<li><em>Differential backups</em> - Files that have been modified since the last full backup. Only files with the archive bit turned on are duplicated, but the bit is left on afterwards.</li>
<li>The difference between incremental and differential is the time needed to restore data in an emergency vs the time taken to create the backups.</li>
</ul>
</li>
<li><em>Software escrow arrangement</em> - protects a company against failure of a developer to provide adequate support for products or if the developer goes out of business</li>
<li>External communications may be performed by public relations officials</li>
<li>Logistics refers to the problem of moving large numbers of people, equipment, and supplies</li>
<li>Recovery is bringing business operations and processes back to a working state, while restoration involves bringing the facility and environment back to a working state. DRP should define criteria for both.</li>
</ul>
<h4 id="training-awareness-and-documentation">Training, Awareness, and Documentation</h4>
<ul>
<li>Should have these elements
<ul>
<li>Orientation training for new employees</li>
<li>Initial training on new DR roles</li>
<li>Detailed refresher training for DR team members</li>
<li>Awareness refreshers for all other employees</li>
</ul>
</li>
<li>DRP should be treated as extremely sensitive and provided to individuals on a compartmentalized, need-to-know basis</li>
</ul>
<h4 id="testing-and-maintenance">Testing and Maintenance</h4>
<ul>
<li><em>Read through test</em> - Distribute copies of DR plans and review them</li>
<li><em>Structured walk through</em> - Table-top exercise where the members of the DR team gather, basically role-playing</li>
<li><em>Simulation test</em> - Team members are presented with a scenario and asked to develop a response</li>
<li><em>Parallel test</em> - Relocating personnel to the alternate recovery site and implementing site activation procedures</li>
<li><em>Full-interruption test</em> - Actually shut down the primary site and shift operations to the backup site</li>
<li>DR plans are living documents and need maintenance. They should refer to the organization’s business continuity plan as a template.</li>
</ul>
<h1>CISSP Study Notes Chapter 19 - Investigations and Ethics</h1>
<p>Published 2021-09-01T07:30:00-07:00 by thmsrynr - <a href="https://thomasrayner.ca/cissp-study-notes-ch19">https://thomasrayner.ca/cissp-study-notes-ch19</a></p>
<p>Chapter 19 covers how to understand, adhere to, and promote professional ethics, understanding and supporting investigations, and understanding different investigation types.</p>
<h2 id="chapter-19---investigations-and-ethics">Chapter 19 - Investigations and Ethics</h2>
<h3 id="my-key-takeaways-and-crucial-points">My key takeaways and crucial points</h3>
<h4 id="investigations">Investigations</h4>
<ul>
<li><em>Administrative investigations</em> - internal investigations that examine either operational issues or a violation of the organization’s policies. May transition to another type of investigation.</li>
<li><em>Root cause analysis</em> - determine the reason that something occurred.</li>
<li><em>Criminal investigations</em> - conducted by law enforcement, related to an alleged violation of criminal law. Must meet the “beyond a reasonable doubt” standard, which states there are no other logical conclusions.</li>
<li><em>Civil investigations</em> - do not involve law enforcement, but involve internal employees and outside consultants working for a legal team. Must meet the weaker “preponderance of the evidence” standard that demonstrates the outcome is more likely than not. Not as rigorous.</li>
<li><em>Regulatory investigations</em> - government agencies do these when they think there’s been a violation of administrative law. Violations of industry standards.</li>
<li>Electronic discovery
<ul>
<li><em>Information governance</em> - info is well organized</li>
<li><em>Identification</em> - locates the information</li>
<li><em>Preservation</em> - protected against alteration or deletion</li>
<li><em>Collection</em> - gathers the responsive information centrally</li>
<li><em>Processing</em> - screens the collected information</li>
<li><em>Review</em> - determine what information is responsive to the event</li>
<li><em>Analysis</em> - deeper inspection</li>
<li><em>Production</em> - place info in a format that it may be shared</li>
<li><em>Presentation</em> - show info to witnesses, the court, other parties</li>
</ul>
</li>
<li><em>Admissible evidence</em> - must be relevant to determining a fact, material/related to the case, competent (obtained legally)</li>
<li>Evidence types
<ul>
<li><em>Real</em> - things that may actually be brought into a court of law, aka conclusive evidence</li>
<li><em>Documentary</em> - written items brought to court to prove a fact at hand</li>
<li><em>Testimonial</em> - testimony of a witness, can be direct evidence based on their observations, or expert opinions</li>
<li><em>Hearsay</em> - something that was told to someone outside of court - not admissible</li>
</ul>
</li>
<li><em>Best evidence rule</em> - original documents must be introduced, not copies</li>
<li><em>Parol evidence rule</em> - when an agreement between parties is put into writing, the document is assumed to contain all the terms of the agreement and that no verbal agreement may modify the written agreement</li>
<li>Chain of evidence/custody
<ul>
<li>Evidence should be labeled with a general description, time and date of collection, location the evidence was collected from, name of the collector, and relevant circumstances</li>
</ul>
</li>
</ul>
<h4 id="evidence-collection-and-forensic-procedures">Evidence Collection and Forensic Procedures</h4>
<ul>
<li>Actions taken to collect should not change evidence</li>
<li>Person should be trained to access evidence</li>
<li>All activity related to evidence should be fully documented, preserved, available for review</li>
<li>Individuals are responsible for all actions taken</li>
<li>Preserve the original evidence</li>
<li><em>Network analysis</em> - when incidents take place over a network. Often difficult to reconstruct because networks are volatile, and it depends on prior knowledge that an incident is underway, or on logs.</li>
<li><em>Software analysis</em> - reviews of applications or activity, or review of software code and log files.</li>
<li><em>Hardware/embedded device analysis</em> - includes memory, storage systems</li>
</ul>
<h4 id="investigation-process">Investigation Process</h4>
<ul>
<li><em>Rules of engagement</em> - define and guide investigative actions</li>
<li>Gathering evidence
<ul>
<li><em>Voluntary surrender</em> - given up willingly, usually when the attacker is not the owner</li>
<li><em>Subpoena</em> - or court order, the court compels someone to provide evidence, but this gives the data owner time to alter the evidence and ruin it</li>
<li><em>Search warrant</em> - used when you must have access to evidence without alerting the evidence owner or other personnel; the court allows you to seize evidence</li>
</ul>
</li>
<li>Deciding whether or not to involve law enforcement is challenging because incidents are more likely to become public, and the Fourth Amendment hampers government investigators in ways that private companies are not.</li>
<li>Never conduct investigations on an actual system that was compromised. Take them offline and use backups.</li>
<li>Do not attempt to “hack back” and avenge a crime.</li>
<li>Call in expert assistance if needed.</li>
<li>Interviewing - gather information from an individual. If information is presented in court, the interview is an interrogation.</li>
<li>Attackers often try to sanitize log files after attacking, so to preserve evidence, logs should be centralized remotely.</li>
<li>A final report should be produced by any investigation that details the processes followed, evidence collected, and final results of investigation. Lays the foundation for escalation and legal action.</li>
</ul>
<h4 id="major-categories-of-computer-crime">Major Categories of Computer Crime</h4>
<ul>
<li><em>Computer crime</em> - violation of law that involves a computer. Any individual who violates your security policies is an attacker.</li>
<li><em>Military and intelligence attacks</em> - target restricted information from law enforcement or military and research sources</li>
<li><em>Business attacks</em> - focus on illegally obtaining confidential information. Aka corporate espionage or industrial espionage. Stealing trade secrets.</li>
<li><em>Financial attacks</em> - carried out to unlawfully obtain money or services. Ex: shoplifting, burglary.</li>
<li><em>Terrorist attacks</em> - to disrupt normal life and instill fear, as opposed to military or intelligence attack which is designed to extract secret information.</li>
<li><em>Grudge attacks</em> - to do damage to an organization or person, usually out of resentment or to “get back at” an organization. Insider threat is big; these attacks can come from disgruntled employees.</li>
<li><em>Thrill attacks</em> - done for “the fun of it”, usually by “script kiddies”. May also be related to “hacktivism”.</li>
</ul>
<h4 id="ethics">Ethics</h4>
<ul>
<li>Rules that govern personal conduct</li>
<li>Codes of ethics are not laws, but standards for professional behavior</li>
</ul>
<blockquote>
<p>You should study and review the ISC2 Code of Ethics prior to taking your CISSP exam</p>
</blockquote>
<h1>CISSP Study Notes Chapter 20 - Software Development Security</h1>
<p>Published 2021-09-01T07:30:00-07:00 by thmsrynr - <a href="https://thomasrayner.ca/cissp-study-notes-ch20">https://thomasrayner.ca/cissp-study-notes-ch20</a></p>
<p>Chapter 20 talks about understanding the security in the software development lifecycle, identifying and applying security controls in development environments, assessing the effectiveness of software security, assessing the security impact of acquired software, and applying secure coding guidelines and standards.</p>
<h2 id="chapter-20---software-devlopment-security">Chapter 20 - Software Development Security</h2>
<h3 id="my-key-takeaways-and-crucial-points">My key takeaways and crucial points</h3>
<h4 id="software-development">Software Development</h4>
<ul>
<li>Programming languages
<ul>
<li>Binary code - what computers understand, a series of 1s and 0s called machine language.</li>
<li>High level languages like Python, C++, Ruby, R, Java, Visual Basic allow programmers to write instructions that are better approximations of human communication.</li>
<li>Compiled languages like C, Java, FORTRAN use a compiler to convert the higher level language into an executable that the computer understands.</li>
<li>Interpreted languages like Python, R, JavaScript are not compiled and run in their original versions.</li>
<li>Compiled code is generally less prone to third party manipulation, but it is easier to hide malicious code. Compiled code is neither more nor less secure than interpreted.</li>
</ul>
</li>
<li>Object oriented programming
<ul>
<li>Each object in the OOP model has methods that correspond to specific actions that can be taken on the object, and inherit methods from their parent class</li>
<li>Provides a black-box approach to abstraction</li>
<li>Message - a communication to or input of an object</li>
<li>Method - internal code that defines the actions an object performs</li>
<li>Behavior - result of an object processing a method</li>
<li>Class - collection of common methods from a set of objects that defines behavior</li>
<li>Instance - objects are instances of a class</li>
<li>Inheritance - methods from a class are passed from a parent class to a child class</li>
<li>Delegation - forwarding a request by an object to another object</li>
<li>Polymorphism - the characteristic of an object that allows it to respond to different behaviors to the same message or method because of external condition changes</li>
<li>Cohesion - strength of the relationship between purposes of methods within the same class</li>
<li>Coupling - level of interaction between objects</li>
</ul>
</li>
<li>Assurance - properly implementing security policy throughout the lifecycle of the system (according to the Common Criteria in a government setting)</li>
<li>Avoiding and mitigating system failure
<ul>
<li>Input validation - when a user provides a value to be used in a program, make sure it falls within the expected parameters otherwise processing is stopped. Limit checks are when you check that a value falls within an acceptable range. Should always occur on the server side of a transaction.</li>
<li>Authentication and session management - require that users authenticate, and developers should seek to integrate apps with the organization’s existing authentication systems. Session tokens should expire, and cookies should only be transmitted over secure, encrypted channels.</li>
<li>Error handling - Errors should not expose sensitive internal information to attackers.</li>
<li>Logging - OWASP suggests logging these events: input validation failures, authentication attempts and failures, access control failures, tampering attempts, use of invalid or expired session tokens, exceptions raised by the OS or applications, administrative privilege usage, TLS failures, and cryptographic errors.</li>
</ul>
</li>
<li>Fail secure - high level of security</li>
<li>Fail open - allows users to bypass failed security controls</li>
<li>Software should revert to a fail-secure state. This is what a Windows Blue Screen of Death does.</li>
<li>Must balance security, functionality, user-friendliness.</li>
</ul>
<h4 id="systems-development-lifecycle">Systems Development Lifecycle</h4>
<ul>
<li>Conceptual definition - creating the basic concept statement for a system. Not longer than one or two paragraphs, and is agreed on by all interested stakeholders.</li>
<li>Functional requirements determination - specific functionalities listed, devs start to think about how the parts of the system should interoperate. Think about input, behavior, output. Stakeholders must agree to this, too, and this document should be often referred to.</li>
<li>Control specifications development - continues the design and review phases described above. Consider access controls, how to maintain confidentiality, provide an audit trail and a detective mechanism for illegitimate activity.</li>
<li>Design review</li>
<li>Code review walk-through - developers start writing code, walk through it looking for problems.</li>
<li>User acceptance testing - actual users validate the system</li>
<li>Maintenance and change management - ensure continued operation while requirements and systems change</li>
</ul>
<h4 id="lifecycle-models">Lifecycle Models</h4>
<ul>
<li>Waterfall - Invented by Winston Royce in 1970. 7 stages, and each stage must be completed before the project moves to the next phase. Modern waterfall allows for moving backwards via “feedback loop”. The first comprehensive attempts to model the software development process.</li>
<li>Spiral - 1988 by Barry Boehm, allows for multiple iterations of a waterfall style process. System developers apply the whole waterfall process to the development of several prototypes, and return to the planning stages as demands and requirements change.</li>
<li>Agile - emphasis on needs of the customer, quickly developing new functionality. Highest priority is to satisfy the customer through early and continuous delivery, handle changing requirements, prefer short timescales, collaboration.</li>
<li>Gantt charts show interrelationships over time between projects and schedules. PERT is a project scheduling tool that relates estimated lowest possible size, most likely size, and highest possible size for each component.</li>
<li>Change and configuration management - changes should be centrally logged.
<ul>
<li>Request control - users can request modifications, managers can conduct cost/benefit analysis, and tasks can be prioritized</li>
<li>Change control - developers try to recreate the situation encountered by the user, implement an organized framework, and allows devs to test a solution before rolling it out</li>
<li>Release control - changes are reviewed and approved, includes acceptance testing</li>
<li>Configuration identification</li>
<li>Configuration control</li>
<li>Configuration status accounting</li>
<li>Configuration audit</li>
</ul>
</li>
<li>DevOps - seeks to unify software development, quality assurance, and technology operations, rather than allowing them to operate in separate silos. Aims to decrease time required to develop and deploy software changes - you might even deploy several times a day.</li>
<li>Application programming interfaces - APIs, allow websites to interact with each other by bypassing traditional webpages and interacting with the underlying service. May have authentication requirements.</li>
<li>Software testing
<ul>
<li>Reasonableness check - Ensures the values returned by software match criteria, should be done via separation of duties</li>
<li>White box testing - step through code line by line</li>
<li>Black box testing - from a user’s perspective</li>
<li>Gray box testing - combine white and black</li>
<li>Static testing - without running the code</li>
<li>Dynamic testing - done in a runtime environment</li>
</ul>
</li>
<li>Code repositories are a central storage point for developers to collaborate on source code.</li>
</ul>
<h4 id="establishing-databases-and-data-warehousing">Establishing Databases and Data Warehousing</h4>
<ul>
<li>Hierarchical data model - logical tree structure, a one to many model</li>
<li>Distributed data model - data stored in several databases that are logically connected</li>
<li>Relational database - each table looks like a spreadsheet with row/column structure and a one to one mapping relationship
<ul>
<li>Candidate keys - subset of attributes that can uniquely identify a record in the table</li>
<li>Primary keys - selected from candidate keys to identify data. Only one primary key per table.</li>
<li>Foreign keys - used to enforce relationships between two tables (referential integrity), and ensure that if one table contains a foreign key, it corresponds to a primary key in another table</li>
</ul>
</li>
<li>Database transactions - discrete sets of SQL instructions that will either succeed or fail as a group.
<ul>
<li>When a transaction succeeds it must be committed to the database, and it cannot be undone afterwards.</li>
<li>ACID model
<ul>
<li>Atomicity - all or nothing</li>
<li>Consistency - consistent with all the database’s rules</li>
<li>Isolation - transactions operate separately</li>
<li>Durability - once committed, they are preserved</li>
</ul>
</li>
</ul>
</li>
<li>Security for multilevel databases
<ul>
<li>These contain information with a variety of different classifications, and must verify labels assigned to owners and provide only the appropriate information</li>
<li>Concurrency - edit control is a preventive control that states information stored in the database is always correct. Locks allow one user to make changes but deny other users access at the same time.</li>
<li>Lost updates - when different processes make updates and are unaware of each other</li>
<li>Dirty reads - reading a record from a transaction that did not successfully commit</li>
</ul>
</li>
<li>Open database connectivity - a proxy between applications and backend database drivers that give programmers greater freedom in creating solutions without having to worry about the underlying database</li>
<li>NoSQL - key/value stores that are good for high-speed applications, graph databases, and document stores.</li>
</ul>
<h4 id="storing-data-and-information">Storing Data and Information</h4>
<ul>
<li>Storage types
<ul>
<li>Primary/real memory - resources directly available to the CPU like RAM</li>
<li>Secondary storage - inexpensive, nonvolatile storage like hard drives</li>
<li>Virtual memory - simulate more primary memory via secondary storage</li>
<li>Random access storage - request contents from any point within the media (RAM and hard drives)</li>
<li>Sequential access storage - needs to scan through the entire media, like a tape</li>
<li>Volatile storage - loses contents when power is removed (RAM)</li>
<li>Nonvolatile storage - does not depend on the presence of power</li>
</ul>
</li>
<li>Covert storage channels allow transmission of sensitive data between classification levels through the direct or indirect manipulation of shared storage media.</li>
</ul>
<h4 id="understanding-knowledge-based-systems">Understanding Knowledge Based Systems</h4>
<ul>
<li>Expert systems - embody accumulated knowledge of experts. Have a knowledge base and an inference engine. Knowledge is codified in a series of “if/then” statements.</li>
<li>Inference engines examine information in the knowledge base to arrive at a decision.</li>
<li>Machine learning
<ul>
<li>Supervised learning uses labeled data</li>
<li>Unsupervised learning uses unlabeled data</li>
</ul>
</li>
<li>Neural networks
<ul>
<li>Chains of computational units used to attempt to imitate the biological reasoning processes of the human mind</li>
<li>Extension of machine learning</li>
<li>Aka deep learning</li>
<li>Delta rule - the ability to learn from experience</li>
</ul>
</li>
</ul>
<p><strong>CISSP Study Notes Chapter 21 - Malicious Code and Application Attacks</strong> (2021-09-01, <a href="https://thomasrayner.ca/cissp-study-notes-ch21">https://thomasrayner.ca/cissp-study-notes-ch21</a>)</p>
<p>Chapter 21 covers the topics of assessing vulnerabilities of security designs and vulnerabilities in web based systems, as well as identifying security controls in development environments and applying secure coding guidelines.</p>
<h2 id="previous-chapters">Previous Chapters</h2>
<ul>
<li><a href="/cissp-study-notes-ch1">Chapter 1: Security Governance Through Principles and Policies</a></li>
<li><a href="/cissp-study-notes-ch2">Chapter 2: Personnel Security and Risk Management Concepts</a></li>
<li><a href="/cissp-study-notes-ch3">Chapter 3: Business Continuity Planning</a></li>
<li><a href="/cissp-study-notes-ch4">Chapter 4: Laws, Regulations, and Compliance</a></li>
<li><a href="/cissp-study-notes-ch5">Chapter 5: Protecting Security of Assets</a></li>
<li><a href="/cissp-study-notes-ch6">Chapter 6: Cryptography and Symmetric Key Algorithms</a></li>
<li><a href="/cissp-study-notes-ch7">Chapter 7: PKI and Cryptographic Applications</a></li>
<li><a href="/cissp-study-notes-ch8">Chapter 8: Principles of Security, Models, Design, and Capabilities</a></li>
<li><a href="/cissp-study-notes-ch9">Chapter 9: Security Vulnerabilities, Threats, and Countermeasures</a></li>
<li><a href="/cissp-study-notes-ch10">Chapter 10: Physical Security Requirements</a></li>
<li><a href="/cissp-study-notes-ch11">Chapter 11: Secure Network Architecture and Securing Network Components</a></li>
<li><a href="/cissp-study-notes-ch12">Chapter 12: Secure Communications and Network Attacks</a></li>
<li><a href="/cissp-study-notes-ch13">Chapter 13: Managing Identity and Authentication</a></li>
<li><a href="/cissp-study-notes-ch14">Chapter 14: Controlling and Monitoring Access</a></li>
<li><a href="/cissp-study-notes-ch15">Chapter 15: Security Assessment and Testing</a></li>
<li><a href="/cissp-study-notes-ch16">Chapter 16: Managing Security Operations</a></li>
<li><a href="/cissp-study-notes-ch17">Chapter 17: Preventing and Responding to Incidents</a></li>
<li><a href="/cissp-study-notes-ch18">Chapter 18: Disaster Recovery Planning</a></li>
<li><a href="/cissp-study-notes-ch19">Chapter 19: Investigations and Ethics</a></li>
<li><a href="/cissp-study-notes-ch20">Chapter 20: Software Development Security</a></li>
</ul>
<h2 id="chapter-21---malicious-code-and-application-attacks">Chapter 21 - Malicious Code and Application Attacks</h2>
<h3 id="my-key-takeaways-and-crucial-points">My key takeaways and crucial points</h3>
<h4 id="malicious-code">Malicious Code</h4>
<ul>
<li>Script kiddie - malicious individual who doesn’t understand the technology behind vulnerabilities, but downloads and launches ready to use tools. Often located in countries with weak law enforcement, use malware to steal money and identities.</li>
<li>Advanced persistent threat - APT, sophisticated adversaries with advanced technical skills and financial resources. Often military units or intelligence agencies, and have access to zero day exploits.</li>
<li>Virus - two main functions, propagation and destruction
<ul>
<li>Propagation techniques
<ul>
<li>Master boot record - attack bootable media</li>
<li>File infector - target files ending in .exe or .com and alter the code of executables</li>
<li>Macro - leverage scripting functionality of other software</li>
<li>Service injection - inject into trusted runtimes like explorer.exe</li>
</ul>
</li>
</ul>
</li>
<li>Antivirus mechanisms
<ul>
<li>Signature based detection - database of characteristics that identify viruses</li>
<li>Eradicate viruses</li>
<li>Quarantine - isolate but not remove</li>
<li>Require frequent updates</li>
<li>Heuristic - examines the behavior of software to look for bad behavior</li>
</ul>
</li>
<li>Multipartite virus - uses more than one propagation technique</li>
<li>Stealth virus - tampers with the OS to fool antivirus into thinking everything is fine</li>
<li>Polymorphic virus - modifies its own code from system to system</li>
<li>Encrypted virus - similar to polymorphic</li>
<li>Hoax - nuisance and wasted resources</li>
<li>Logic bomb - lies dormant until triggered by one or more met conditions like time, a program launch, etc.</li>
<li>Trojan horse - software that appears benevolent but carries a malicious payload</li>
<li>Ransomware - encrypts files and demands payment in exchange for the decryption key</li>
<li>Worms - propagate themselves without requiring human intervention</li>
<li>Code red worm - summer of 2001, attacked unpatched Microsoft IIS servers</li>
<li>Stuxnet - mid 2010, attacked unprotected administrative shares and used zero day vulnerabilities to specifically attack systems used in the production of material for nuclear weapons</li>
<li>Spyware - monitors your actions</li>
<li>Adware - shows you advertisements</li>
<li>Zero day attack - the necessary delay between discovery of a new type of malicious code and the issuance of patches creates a window for zero day attacks</li>
</ul>
<h4 id="password-attacks">Password Attacks</h4>
<ul>
<li>Password guessing - attackers simply attempt to guess the user’s password</li>
<li>Dictionary attacks - tools like John the Ripper take a list of possible passwords and run an encryption function against them to see which one matches an encrypted password</li>
<li>Rainbow table - pre-calculated list of known plaintext and its encrypted value, used to decrease time taken to do dictionary attacks</li>
<li>Social engineering
<ul>
<li>Tricking a user into sharing sensitive information like their password</li>
<li>Spear phishing - specifically targeted at an individual</li>
<li>Whaling - subset of spear phishing sent to high value targets</li>
<li>Vishing - phishing over voice communications</li>
<li>Dumpster diving - attackers go through trash to look for sensitive information</li>
</ul>
</li>
<li>Users should choose strong passwords and keep them a secret</li>
</ul>
<h4 id="application-attacks">Application Attacks</h4>
<ul>
<li>Buffer overflows - devs don’t properly validate user input, and input that is too large can overflow a data structure to affect other data stored in memory.</li>
<li>Time of check/time of use - timing vulnerability where a program checks access permissions too far in advance of a resource request</li>
<li>Back door - undocumented sequences that allow individuals to bypass normal access restrictions</li>
</ul>
<h4 id="web-application-security">Web Application Security</h4>
<ul>
<li>Cross site scripting - XSS, when web apps contain some kind of reflected input. User input is embedded in the site and can be used to perform malicious activities.</li>
<li>Cross site request forgery - XSRF/CSRF, similar to cross site scripting, but exploit a trust relationship. Exploit the trust a remote site has in a user’s system to execute commands on the user’s behalf, often when users are logged into multiple websites at the same time in one browser window.</li>
<li>SQL injection - poorly sanitized input contains SQL commands which are executed. Combat by using prepared statements, validating user input, and limiting account privileges.</li>
</ul>
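<p>The SQL injection bullet above names three defenses (prepared statements, input validation, limited privileges). The block below is an added example, not code from the study guide or from this blog: it runs the same user lookup against a constructed in-memory SQLite table, once built by string formatting and once as a parameterized statement, with a constructed username rule as the validation layer in front of it.</p>

```python
"""Added example, not code from the study guide or from the blog post: the
same user lookup written against an in-memory SQLite database two ways.
lookup_unsafe() pastes the input into the query text, so a value that
contains SQL syntax changes what the query does; lookup_safe() uses a
parameterized (prepared) statement, so the input is only ever data.
is_valid_username() is the input-validation layer the chapter also
recommends. The table, rows and username rule are all constructed here."""
import re
import sqlite3

# Constructed allowlist rule: a value that cannot contain quotes, spaces or
# comment markers never reaches the query grammar in the first place.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def is_valid_username(value: str) -> bool:
    """Limit check: accept only short, lowercase alphanumeric usernames."""
    return USERNAME_RE.fullmatch(value) is not None


def make_db() -> sqlite3.Connection:
    """Constructed sample database with two users and their roles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable form: string formatting puts user input inside the SQL text.
    A value that closes the quote and appends its own condition is executed
    as part of the query instead of being compared as a string."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the driver binds the value to the placeholder, so the
    query's structure is fixed before the input is ever seen. Pair this with
    a database account that only has SELECT on this table (least privilege,
    not shown here) and you have the fix the chapter describes."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def lookup_validated(conn: sqlite3.Connection, username: str) -> list:
    """Validation in front of the prepared statement: reject anything outside
    the expected shape instead of trying to clean it (fail secure)."""
    if not is_valid_username(username):
        raise ValueError("username failed input validation")
    return lookup_safe(conn, username)


def compare(conn: sqlite3.Connection, username: str) -> dict:
    """Run both query forms on the same input so the difference is visible."""
    return {
        "unsafe": lookup_unsafe(conn, username),
        "safe": lookup_safe(conn, username),
    }


if __name__ == "__main__":
    db = make_db()
    print(compare(db, "alice"))
    # Constructed input that changes the unsafe query's meaning: its WHERE
    # clause becomes  username = '' OR '1'='1'  and every row matches, while
    # the parameterized form simply finds no user with that literal name.
    print(compare(db, "' OR '1'='1"))
```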
<h4 id="reconnaissance-attacks">Reconnaissance Attacks</h4>
<ul>
<li>Reconnaissance - Attackers find weak points in targets to attack.</li>
<li>IP probes - automated tools that attempt to ping addresses in a range.</li>
<li>Port scans - probe all the active systems on a network and determine what services are running on each machine.</li>
<li>Vulnerability scans - discover specific vulnerabilities in a system.</li>
</ul>
<h4 id="masquerading-attacks">Masquerading Attacks</h4>
<ul>
<li>Impersonation of someone who does not have the appropriate access permissions.</li>
<li>IP spoofing - an attacker reconfigures their system to make it look like they have the IP address of a trusted system.</li>
<li>Session hijacking - an attacker intercepts part of the communication between an authorized user and a resource, and then uses a hijacking technique to take it over and assume the identity of the authorized user.</li>
</ul>
<p><strong>CISSP Study Notes Chapter 17 - Preventing and Responding to Incidents</strong> (2020-12-02, <a href="https://thomasrayner.ca/cissp-study-notes-ch17">https://thomasrayner.ca/cissp-study-notes-ch17</a>)</p>
<p>Chapter 17 goes over conducting logging and monitoring activities, conducting incident management, and operating and maintaining detective and preventative measures.</p>
<h2 id="previous-chapters">Previous Chapters</h2>
<ul>
<li><a href="/cissp-study-notes-ch1">Chapter 1: Security Governance Through Principles and Policies</a></li>
<li><a href="/cissp-study-notes-ch2">Chapter 2: Personnel Security and Risk Management Concepts</a></li>
<li><a href="/cissp-study-notes-ch3">Chapter 3: Business Continuity Planning</a></li>
<li><a href="/cissp-study-notes-ch4">Chapter 4: Laws, Regulations, and Compliance</a></li>
<li><a href="/cissp-study-notes-ch5">Chapter 5: Protecting Security of Assets</a></li>
<li><a href="/cissp-study-notes-ch6">Chapter 6: Cryptography and Symmetric Key Algorithms</a></li>
<li><a href="/cissp-study-notes-ch7">Chapter 7: PKI and Cryptographic Applications</a></li>
<li><a href="/cissp-study-notes-ch8">Chapter 8: Principles of Security, Models, Design, and Capabilities</a></li>
<li><a href="/cissp-study-notes-ch9">Chapter 9: Security Vulnerabilities, Threats, and Countermeasures</a></li>
<li><a href="/cissp-study-notes-ch10">Chapter 10: Physical Security Requirements</a></li>
<li><a href="/cissp-study-notes-ch11">Chapter 11: Secure Network Architecture and Securing Network Components</a></li>
<li><a href="/cissp-study-notes-ch12">Chapter 12: Secure Communications and Network Attacks</a></li>
<li><a href="/cissp-study-notes-ch13">Chapter 13: Managing Identity and Authentication</a></li>
<li><a href="/cissp-study-notes-ch14">Chapter 14: Controlling and Monitoring Access</a></li>
<li><a href="/cissp-study-notes-ch15">Chapter 15: Security Assessment and Testing</a></li>
<li><a href="/cissp-study-notes-ch16">Chapter 16: Managing Security Operations</a></li>
</ul>
<h2 id="chapter-17---preventing-and-responding-to-incidents">Chapter 17 - Preventing and Responding to Incidents</h2>
<h3 id="my-key-takeaways-and-crucial-points">My key takeaways and crucial points</h3>
<h4 id="managing-incident-response">Managing Incident Response</h4>
<ul>
<li>Defining an incident
<ul>
<li>Any event that has a negative effect on the confidentiality, integrity or availability of an organization’s assets</li>
<li>ITIL says it’s any unplanned interruption</li>
<li>A computer security incident is a result of an attack, or the result of malicious or intentional actions on the part of users</li>
<li>NIST 800-61</li>
</ul>
</li>
<li>Incident response steps
<ul>
<li>Incident response is an ongoing activity</li>
<li>Does not include a counterattack
<ul>
<li>Usually illegal, often results in escalation</li>
</ul>
</li>
</ul>
</li>
<li>Detection
<ul>
<li>Must be able to quickly identify false alarms and user errors</li>
</ul>
</li>
<li>Response
<ul>
<li>Computer incident response team (CIRT)</li>
<li>Activate the team during a major security incident, but not for minor incidents</li>
<li>Computers should not be turned off when containing an incident
<ul>
<li>Important for forensics</li>
</ul>
</li>
</ul>
</li>
<li>Mitigation
<ul>
<li>Contain an incident</li>
<li>Limit the effect or scope of an incident</li>
<li>Address it without worrying about it spreading</li>
</ul>
</li>
<li>Reporting
<ul>
<li>Within the org and to groups outside the org</li>
<li>Beware of legal requirements</li>
<li>If a data breach exposes PII, the organization must report it</li>
<li>Consider reporting the incident to official agencies, they might be able to help</li>
</ul>
</li>
<li>Recovery
<ul>
<li>Recover the system or return it to a fully functioning state</li>
<li>Restoring data</li>
<li>Ensure it is configured properly and is at least as secure as it was before the incident</li>
<li>Configuration management and change management programs are important here</li>
</ul>
</li>
<li>Remediation
<ul>
<li>Attempt to identify what allowed it to occur, implement methods to prevent it from happening again</li>
<li>Root cause analysis</li>
</ul>
</li>
<li>Lessons learned
<ul>
<li>Examine the incident and the response to see if there are any lessons to be learned</li>
<li>Improve the response</li>
<li>Output of this stage can be fed back to the detection stage</li>
<li>Create a report</li>
</ul>
</li>
</ul>
<h4 id="implementing-detective-and-preventive-measures">Implementing Detective and Preventive Measures</h4>
<ul>
<li>Basic preventive measures
<ul>
<li>Keep systems and applications up to date</li>
<li>Remove or disable unneeded services and protocols</li>
<li>Use intrusion detection and prevention systems</li>
<li>Use up to date anti-malware software</li>
<li>Use firewalls</li>
<li>Implement configuration and system management processes</li>
</ul>
</li>
</ul>
<h4 id="understanding-attacks">Understanding Attacks</h4>
<ul>
<li>Botnets
<ul>
<li>Bot herder
<ul>
<li>A criminal who controls computers in the botnet via one or more command and control servers</li>
</ul>
</li>
<li>Defense in depth</li>
<li>Educating users</li>
</ul>
</li>
<li>Denial of service attacks
<ul>
<li>DoS attacks</li>
<li>Prevent a system from processing or responding to legitimate traffic or requests for resources and objects</li>
<li>Distributed denial of service attacks occur when multiple systems attack a single system at the same time</li>
<li>Distributed reflective denial of service attack doesn’t attack the victim directly but manipulates traffic or a service so the attacks are reflected back to the victim from other sources</li>
</ul>
</li>
<li>SYN flood attack
<ul>
<li>Disrupts the standard 3 way handshake used by TCP</li>
<li>Consume available memory and processing power</li>
<li>SYN cookies can block this attack</li>
<li>Reduce the amount of time a server will wait for an ACK</li>
</ul>
</li>
<li>Smurf attacks
<ul>
<li>Another type of flood attack, but floods with ICMP echo packets instead of TCP SYN</li>
</ul>
</li>
<li>Fraggle attacks
<ul>
<li>Similar to smurf, but instead of ICMP, uses UDP packets over ports 7 and 19</li>
</ul>
</li>
<li>Ping flood
<ul>
<li>Floods a victim with ping requests</li>
</ul>
</li>
<li>Ping of death
<ul>
<li>Oversized ping packet</li>
<li>Buffer overflow error</li>
</ul>
</li>
<li>Teardrop
<ul>
<li>Attacker fragments traffic in a way that a system is unable to put it back together</li>
</ul>
</li>
<li>Land attacks
<ul>
<li>Attacker sends spoofed SYN packets to a victim using the victim’s IP address as both the source and destination IP</li>
</ul>
</li>
<li>Zero day exploit
<ul>
<li>Vulnerabilities that are unknown to others</li>
<li>The attacker is the only one aware of the vulnerability, before the vendor makes a patch</li>
<li>The gap between when the vendor releases the patch and when administrators apply it is a dangerous zone</li>
<li>Honeypots and padded cells</li>
</ul>
</li>
<li>Malicious code
<ul>
<li>Any script or program that performs an unwanted, unauthorized or unknown activity on a computer system</li>
<li>Drive by downloads
<ul>
<li>Code is installed on a user’s system without the user’s knowledge</li>
</ul>
</li>
</ul>
</li>
<li>Man in the middle attacks
<ul>
<li>MITM</li>
<li>Malicious users gain a position logically between the two endpoints</li>
<li>Copying or sniffing the traffic between parties</li>
<li>A store and forward or proxy mechanism</li>
<li>Intrusion detection systems cannot usually detect MITM or hijack attacks</li>
<li>VPNs</li>
</ul>
</li>
<li>Sabotage
<ul>
<li>A criminal act of destruction or disruption committed against an organization by an employee</li>
<li>Employee terminations should be handled swiftly
<ul>
<li>Account access should be disabled ASAP</li>
</ul>
</li>
</ul>
</li>
<li>Espionage
<ul>
<li>The malicious act of gathering classified information about an organization</li>
<li>Disclosing or selling information to a competitor</li>
<li>Mole/plant - an employee with a secret allegiance to another organization whose goal is to steal information</li>
<li>Screen and track employees effectively</li>
</ul>
</li>
</ul>
<h4 id="intrusion-detection-and-prevention-systems">Intrusion Detection and Prevention Systems</h4>
<ul>
<li>Intrusion
<ul>
<li>Attacker can bypass security mechanisms</li>
</ul>
</li>
<li>Intrusion detection
<ul>
<li>Monitors recorded information</li>
</ul>
</li>
<li>Intrusion prevention system
<ul>
<li>IPS</li>
<li>Can take steps to stop/prevent intrusions</li>
<li>NIST 800-96</li>
</ul>
</li>
<li>Knowledge/Behavior-based detection
<ul>
<li>Knowledge based
<ul>
<li>aka signature based</li>
<li>Database of known attacks</li>
</ul>
</li>
<li>Behavior based
<ul>
<li>aka statistical/anomaly, heuristics</li>
<li>Creates a baseline of normal activities and events on a system, detects abnormal activity</li>
<li>aka an Expert System</li>
</ul>
</li>
</ul>
</li>
<li>SIEM systems
<ul>
<li>Security information and event management system</li>
<li>Advanced analytic tools</li>
<li>Passive response
<ul>
<li>Notifies administrators</li>
</ul>
</li>
<li>Active response
<ul>
<li>Can modify the environment
<ul>
<li>Modifies ACLs, addresses, disable communications over specific segments, etc.</li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
<li>Host and Network based IDSs
<ul>
<li>Host based
<ul>
<li>Monitors a single computer</li>
<li>Can detect anomalies on the host that a network IDS cannot</li>
<li>Requires admin attention on each system</li>
</ul>
</li>
<li>Network based
<ul>
<li>Evaluates network activity</li>
<li>Can monitor a large network to collect data at key locations</li>
<li>Switches are often used as a preventive measure against rogue sniffers</li>
<li>Very little effect on network performance</li>
<li>Usually able to detect the initiation of an attack, but not always whether the attack succeeded</li>
</ul>
</li>
</ul>
</li>
<li>Intrusion prevention systems
<ul>
<li>Placed in line with traffic</li>
<li>Active IDS that is not placed in line can check the activity only after it has reached the target</li>
</ul>
</li>
</ul>
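<p>The knowledge-based versus behavior-based distinction above is easiest to see side by side. The block below is an added example, not code from the study guide or from this blog: a toy signature matcher and a toy anomaly detector run over constructed log lines, with a constructed signature list, a constructed log format and a constructed "known-normal" baseline window.</p>

```python
"""Added example, not from the study guide or the blog post: the two IDS
detection styles the chapter contrasts, run over constructed log lines.
knowledge_based() matches a small database of known attack signatures;
behavior_based() learns a per-user baseline of failed logins from a
known-normal window and flags users who deviate from it. The signatures,
log format and every log line below are constructed for illustration."""
import re
from collections import Counter
from statistics import mean, pstdev

# Knowledge-based: known patterns, named like entries in a signature database.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-keyword-in-url": re.compile(r"union\s+select", re.IGNORECASE),
}

# Login records use the constructed format "sshd user=<name> result=OK|FAIL ..."
LOGIN_RE = re.compile(r"user=(\S+) result=(OK|FAIL)")

# A known-normal day used to build the baseline (constructed).
BASELINE = (
    ["sshd user=alice result=OK src=10.0.0.5"] * 3
    + ["sshd user=alice result=FAIL src=10.0.0.5"]
    + ["sshd user=bob result=OK src=10.0.0.6"] * 2
    + ["sshd user=bob result=FAIL src=10.0.0.6"] * 2
    + ["sshd user=carol result=FAIL src=10.0.0.7"]
    + ["sshd user=dave result=OK src=10.0.0.8"]
)

# The window under examination (constructed): bob's account shows far more
# failures than usual, and one web request carries a pattern in the database.
OBSERVED = (
    ["sshd user=alice result=FAIL src=10.0.0.5"] * 2
    + ["sshd user=bob result=FAIL src=203.0.113.9"] * 6
    + ["sshd user=bob result=OK src=203.0.113.9"]
    + ["httpd GET /static/../../etc/passwd 404"]
    + ["httpd GET /index.html 200"]
)


def knowledge_based(lines):
    """Signature matching: returns (signature_name, line) for each hit.
    Catches only what is already in the database, which is why the chapter
    says signature files must be kept up to date."""
    hits = []
    for line in lines:
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((name, line))
    return hits


def failed_logins_per_user(lines):
    """Count FAIL results per user; users with only OK results count as 0.
    Lines that are not login records (for example httpd lines) are skipped."""
    counts = Counter()
    for line in lines:
        match = LOGIN_RE.search(line)
        if match is None:
            continue
        user, result = match.groups()
        counts[user] += 1 if result == "FAIL" else 0
    return counts


def behavior_based(baseline_lines, observed_lines, threshold=3.0):
    """Anomaly detection: build the normal distribution of per-user failed
    logins from the baseline, then flag users whose observed count exceeds
    mean + threshold * standard deviation. Returns {user: observed_count}.
    A flagged user is a lead for an analyst, not proof of compromise."""
    base = failed_logins_per_user(baseline_lines)
    if not base:
        return {}
    counts = list(base.values())
    spread = pstdev(counts)
    # A flat baseline has no spread; fall back to a fixed margin so that a
    # single failure above the mean does not trigger on its own.
    cutoff = mean(counts) + threshold * (spread if spread > 0 else 1.0)
    observed = failed_logins_per_user(observed_lines)
    return {user: n for user, n in observed.items() if n > cutoff}


if __name__ == "__main__":
    for name, line in knowledge_based(OBSERVED):
        print(f"signature hit [{name}]: {line}")
    for user, n in behavior_based(BASELINE, OBSERVED).items():
        print(f"anomaly: {user} had {n} failed logins in the window")
```

Note that each detector misses what the other catches: no signature matches bob's login failures, and the baseline knows nothing about web requests, which is the reason the chapter lists both approaches.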
<h4 id="specific-preventive-measures">Specific Preventive Measures</h4>
<ul>
<li>Honeypot
<ul>
<li>Individual computers created as a trap for intruders</li>
<li>Honeynet, a network of honeypots</li>
<li>Do not host any data of real value</li>
<li>Opportunity to observe an attacker’s activity</li>
<li>Enticement vs entrapment
<ul>
<li>Intruder must discover it through no outward effort of the honeypot owner</li>
</ul>
</li>
<li>Pseudo flaws
<ul>
<li>False vulnerabilities</li>
</ul>
</li>
<li>Padded cells
<ul>
<li>Look and feel like an actual network but attackers are unable to perform any malicious activities</li>
<li>Offer fake data</li>
</ul>
</li>
</ul>
</li>
<li>Warning banners
<ul>
<li>Inform users and intruders about security policy guidelines</li>
<li>Legally bind users</li>
<li>No trespassing signs</li>
</ul>
</li>
<li>Anti-malware
<ul>
<li>Signature files and heuristic capabilities must be kept up to date</li>
<li>Firewalls with content-filtering capabilities</li>
<li>Install only one anti-malware application on any system</li>
<li>Least privilege helps</li>
<li>Educating users</li>
</ul>
</li>
<li>Whitelisting and blacklisting
<ul>
<li>Should be called allowlisting and denylisting, but these are the terms CISSP uses</li>
<li>Whitelisting identifies a list of applications that are authorized to run</li>
<li>Blacklisting is a list of applications that are blocked</li>
</ul>
</li>
<li>Firewalls
<ul>
<li>Filtering traffic based on IP address, port, protocols</li>
<li>Second generation firewalls add additional filtering capabilities based on application requirements</li>
<li>Next generation firewalls function as a unified threat management device and add further filtering, including packet filtering, stateful inspection, and packet inspection</li>
</ul>
</li>
<li>Sandboxing
<ul>
<li>Prevents the application from interacting with other applications</li>
<li>Virtualization techniques</li>
</ul>
</li>
<li>Third party security services
<ul>
<li>SaaS
<ul>
<li>Software as a service</li>
</ul>
</li>
</ul>
</li>
<li>Penetration testing
<ul>
<li>Mimics an actual attack to attempt to identify which techniques attackers can use to circumvent security</li>
<li>NIST 800-115</li>
<li>Include a vulnerability scan/assessment</li>
<li>Attempt to exploit weaknesses</li>
<li>Determine how well a system can tolerate attack</li>
<li>Identify employees’ ability to detect and respond to attacks in real time</li>
<li>Identify additional controls that can be implemented to reduce risk</li>
<li>Pentesting risks
<ul>
<li>Some methods can cause outages</li>
<li>Should stop before doing actual damage</li>
<li>Should try to perform pentesting in a test system</li>
</ul>
</li>
<li>Must always have permission in writing with the risks spelled out</li>
<li>Black box testing
<ul>
<li>Zero knowledge</li>
</ul>
</li>
<li>White box testing
<ul>
<li>Full knowledge</li>
</ul>
</li>
<li>Gray box testing
<ul>
<li>Partial knowledge</li>
</ul>
</li>
<li>Social engineering techniques are often used</li>
<li>Must protect pentesting reports because they describe attacks against the system</li>
<li>Reports must make a recommendation</li>
<li>AKA ethical hacking</li>
</ul>
</li>
</ul>
<h4 id="logging-monitoring-and-auditing">Logging, Monitoring, and Auditing</h4>
<ul>
<li>Logging
<ul>
<li>Recording information about events to a file or database</li>
</ul>
</li>
<li>Log types
<ul>
<li>Security logs - access to resources</li>
<li>System logs - system events</li>
<li>Application logs - specific applications</li>
<li>Firewall logs</li>
<li>Proxy logs - include details such as what sites specific users visit and how much time they spend on those sites</li>
<li>Change logs
<ul>
<li>Part of a disaster recovery program</li>
</ul>
</li>
</ul>
</li>
<li>Protecting log data
<ul>
<li>Use logs to recreate events leading up to and during an incident only if the logs haven’t been modified</li>
<li>Store copies on a central system like a SIEM</li>
<li>FIPS 200</li>
</ul>
</li>
<li>Audit trails
<ul>
<li>Records created when information about events is stored in one or more databases or log files</li>
<li>Passive form of detective security control</li>
<li>Also serve as a deterrent</li>
<li>Essential as evidence in the prosecution of criminals</li>
</ul>
</li>
<li>Monitoring and accountability
<ul>
<li>Users claim an identity and must prove their identity by authenticating</li>
<li>Audit trails record their activity</li>
<li>Users who are aware that logs are recording are less likely to try to circumvent security controls or perform unauthorized activities</li>
</ul>
</li>
<li>Monitoring
<ul>
<li>The process of reviewing logs looking for something specific</li>
<li>Continuous process</li>
<li>Log analysis
<ul>
<li>Detailed form of monitoring, logs are analyzed for trends and patterns</li>
</ul>
</li>
<li>Many orgs use a centralized application for monitoring</li>
<li>SIEMs may include a correlation engine to help combine multiple log sources into meaningful data</li>
</ul>
</li>
<li>Sampling
<ul>
<li>Extracting elements from a large collection to construct a meaningful representation of the whole</li>
</ul>
</li>
<li>Clipping levels
<ul>
<li>Predefined threshold for an event; events are ignored until they reach that level</li>
</ul>
</li>
<li>Keystroke monitoring
<ul>
<li>Act of recording keystrokes a user performs on a keyboard</li>
<li>Often compared to wiretapping</li>
</ul>
</li>
<li>Traffic and trend analysis
<ul>
<li>Examine the flow of packets rather than the contents</li>
</ul>
</li>
<li>Egress monitoring
<ul>
<li>Watching outgoing traffic to prevent data exfiltration</li>
</ul>
</li>
<li>Data loss prevention
<ul>
<li>Detect and block data exfiltration attempts</li>
<li>Network based scan all outgoing data</li>
<li>Endpoint based scan files stored on a system</li>
<li>Deep level examinations of data in files</li>
</ul>
</li>
<li>Steganography
<ul>
<li>The practice of embedding a message within a file</li>
</ul>
</li>
<li>Watermarking
<ul>
<li>The practice of embedding an image or pattern in paper that isn’t readily perceivable, often to thwart counterfeiting attempts</li>
</ul>
</li>
</ul>
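<p>The knowledge-based versus behavior-based distinction from the IDS notes, and the clipping level from the Monitoring notes, worked through in code. This is an added example, not code from the original post: it parses constructed syslog-style lines as a SIEM might collect them, applies a signature rule (knowledge-based) and a failed-login threshold that stays silent until the clipping level is reached (behavior-based); the log format, rule names, addresses and thresholds are all made up for the example.</p>

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original post): syslog-style
# events from several hosts, as a central SIEM would hold them.
SAMPLE_LOG = """\
2021-09-01T08:00:01 host1 sshd: Failed password for alice from 10.0.0.5
2021-09-01T08:00:03 host1 sshd: Failed password for alice from 10.0.0.5
2021-09-01T08:00:04 host1 sshd: Failed password for bob from 10.0.0.5
2021-09-01T08:00:06 host1 sshd: Failed password for root from 10.0.0.5
2021-09-01T08:00:07 host1 sshd: Failed password for admin from 10.0.0.5
2021-09-01T08:00:09 host1 sshd: Failed password for alice from 10.0.0.5
2021-09-01T08:01:00 host2 sshd: Failed password for carol from 10.0.0.9
2021-09-01T08:01:30 host2 sshd: Accepted password for carol from 10.0.0.9
2021-09-01T08:02:00 host3 httpd: GET /index.php?id=1' OR '1'='1 from 10.0.0.7
2021-09-01T09:30:00 host1 sshd: Failed password for alice from 10.0.0.5
"""

# Assumed line layout: "<timestamp> <host> <process>: <message> from <source>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+): (?P<msg>.*) from (?P<src>[\d.]+)$"
)

# Knowledge-based (signature) rules: literal patterns of known attacks.
SIGNATURES = {
    "sql_injection_tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
}


def parse(log_text):
    """Turn raw lines into event dicts; lines that do not fit the layout are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def signature_alerts(events):
    """Knowledge-based detection: one alert per event matching a known-attack signature."""
    alerts = []
    for ev in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(ev["msg"]):
                alerts.append({"rule": name, "src": ev["src"], "host": ev["host"]})
    return alerts


def clipping_level_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Behavior-based detection with a clipping level: failed logins from one
    source are ignored until `threshold` of them fall inside `window`.
    A source raises at most one alert."""
    failures = defaultdict(list)
    for ev in events:
        if ev["proc"] == "sshd" and ev["msg"].startswith("Failed password"):
            failures[ev["src"]].append(ev["ts"])
    alerts = []
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # slide the window start forward until all counted events fit inside `window`
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts.append({"rule": "failed_login_clipping_level", "src": src, "count": count})
                break
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for alert in signature_alerts(evs) + clipping_level_alerts(evs):
        print(alert)
```

<p>Run as written, the single-failure source 10.0.0.9 never appears in the output, which is exactly what the clipping level is for: noise below the threshold is not reviewed.</p>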
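<p>The data loss prevention notes above (network-based inspection of outgoing data, endpoint-based inspection of stored files, deep examination of content) as an added example that is not part of the original post: a content inspector that reports Luhn-valid payment card numbers and classification markers, run over constructed sample text. The marker list, the masking format and both sample payloads are assumptions made for the example.</p>

```python
import re

# Constructed sample payloads (not from the original post). One is an
# outbound email body a network DLP sensor would see; the other is a file
# an endpoint DLP agent would scan at rest.
OUTBOUND_EMAIL = (
    "Hi, here is the card for the booking: 4111 1111 1111 1111, exp 12/26.\n"
    "Call me at 555-867-5309 if there is a problem."
)
STORED_FILE = (
    "CONFIDENTIAL - internal pricing sheet\n"
    "order ref 1234567890123456 (looks like a card number, fails Luhn)\n"
    "test value 4111-1111-1111-1112 also fails the check digit"
)

# Classification markers a DLP policy might key on (assumed labels).
CLASSIFICATION_MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY")

# 13 to 16 digits, optionally separated by single spaces or hyphens, and not
# part of a longer digit run. These are candidates only; Luhn decides.
CARD_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")


def luhn_valid(digits):
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep the first 6 and last 4 digits so the finding is useful without re-leaking the value."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def dlp_findings(text):
    """Deep content inspection: return (rule, evidence) pairs found in `text`."""
    findings = []
    for m in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):   # drops look-alike numbers such as order references
            findings.append(("card_number", mask(digits)))
    for marker in CLASSIFICATION_MARKERS:
        if marker in text:
            findings.append(("classification_marker", marker))
    return findings


def should_block(text):
    """Policy decision: block the transfer (or flag the file) when anything was found."""
    return bool(dlp_findings(text))


if __name__ == "__main__":
    for label, payload in (("outbound email", OUTBOUND_EMAIL), ("stored file", STORED_FILE)):
        print(label, "->", "BLOCK" if should_block(payload) else "allow", dlp_findings(payload))
```

<p>The same inspection routine serves both deployment styles: the network sensor feeds it each outgoing message, the endpoint agent feeds it each file, and the Luhn check is what keeps the 16-digit order reference from becoming a false positive.</p>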
<h4 id="auditing-to-assess-effectiveness">Auditing to Assess Effectiveness</h4>
<ul>
<li>Auditing
<ul>
<li>A methodical examination of an environment</li>
<li>Use audit logs and monitoring tools to track activity</li>
<li>Auditing - Inspection or evaluation</li>
</ul>
</li>
<li>Auditors
<ul>
<li>Test and verify that processes and procedures are in place to implement security policies or regulations</li>
</ul>
</li>
<li>Inspection audits
<ul>
<li>Clearly define and adhere to the frequency of audit reviews</li>
</ul>
</li>
<li>Access review audits
<ul>
<li>Ensure that object access and account management practices support the current security policy</li>
<li>Ensure that accounts are disabled and deleted in accordance with best practices and security policies</li>
<li>Typical termination process:
<ul>
<li>At least one witness is present during exit interview</li>
<li>Account access terminated during interview</li>
<li>Employee ID badges and physical credentials are collected</li>
<li>Employee escorted off premises immediately</li>
</ul>
</li>
</ul>
</li>
<li>User entitlement audits
<ul>
<li>Refers to the privileges granted to users</li>
<li>Enforce least privilege principle</li>
</ul>
</li>
<li>Audits of privileged groups
<ul>
<li>High level administrator groups</li>
<li>Dual administrator accounts
<ul>
<li>Separation of privileges (normal account and a privileged account)</li>
</ul>
</li>
</ul>
</li>
<li>Security audits and reviews
<ul>
<li>Patch management - patches are evaluated ASAP, properly deployed through a testing process</li>
<li>Vulnerability management - compliance with established guidelines, scans and assessments</li>
<li>Configuration management - Use tools to check specific configurations of systems and identify when a change has occurred</li>
<li>Change management - Changes are implemented in accordance with the change management policy</li>
</ul>
</li>
<li>Reporting audit results
<ul>
<li>Report needs purpose, scope and results</li>
</ul>
</li>
<li>Protecting audit results
<ul>
<li>Contain sensitive information, need a classification label</li>
<li>Sometimes create a separate audit report with limited data for separate distribution</li>
<li>When distributing, get signed confirmation</li>
</ul>
</li>
<li>External auditors
<ul>
<li>Some laws require this</li>
<li>Provide a level of objectivity that internal audits can’t</li>
<li>Interim reports - written or verbal reports given to the org about observations that demand immediate attention</li>
</ul>
</li>
</ul>
<p>Author: thmsrynr</p>
<p>Chapter 17 goes over conducting logging and monitoring activities, conducting incident management, and operating and maintaining detective and preventative measures.</p>
<p><strong>CISSP Study Notes Chapter 16 - Managing Security Operations</strong></p>
<p>Published 2020-10-14T07:30:00-07:00. <a href="https://thomasrayner.ca/cissp-study-notes-ch16">https://thomasrayner.ca/cissp-study-notes-ch16</a></p>
<p>Chapter 16 goes over securely provisioning resources, understanding and applying foundational security operations concepts, applying resource protection techniques, implementing and supporting patch and vulnerability management, understanding and participating in change management, and addressing personnel safety and security concerns.</p>
<h2 id="previous-chapters">Previous Chapters</h2>
<ul>
<li><a href="/cissp-study-notes-ch1">Chapter 1: Security Governance Through Principles and Policies</a></li>
<li><a href="/cissp-study-notes-ch2">Chapter 2: Personnel Security and Risk Management Concepts</a></li>
<li><a href="/cissp-study-notes-ch3">Chapter 3: Business Continuity Planning</a></li>
<li><a href="/cissp-study-notes-ch4">Chapter 4: Laws, Regulations, and Compliance</a></li>
<li><a href="/cissp-study-notes-ch5">Chapter 5: Protecting Security of Assets</a></li>
<li><a href="/cissp-study-notes-ch6">Chapter 6: Cryptography and Symmetric Key Algorithms</a></li>
<li><a href="/cissp-study-notes-ch7">Chapter 7: PKI and Cryptographic Applications</a></li>
<li><a href="/cissp-study-notes-ch8">Chapter 8: Principles of Security, Models, Design, and Capabilities</a></li>
<li><a href="/cissp-study-notes-ch9">Chapter 9: Security Vulnerabilities, Threats, and Countermeasures</a></li>
<li><a href="/cissp-study-notes-ch10">Chapter 10: Physical Security Requirements</a></li>
<li><a href="/cissp-study-notes-ch11">Chapter 11: Secure Network Architecture and Securing Network Components</a></li>
<li><a href="/cissp-study-notes-ch12">Chapter 12: Secure Communications and Network Attacks</a></li>
<li><a href="/cissp-study-notes-ch13">Chapter 13: Managing Identity and Authentication</a></li>
<li><a href="/cissp-study-notes-ch14">Chapter 14: Controlling and Monitoring Access</a></li>
<li><a href="/cissp-study-notes-ch15">Chapter 15: Security Assessment and Testing</a></li>
</ul>
<h2 id="chapter-16-managing-security-operations">Chapter 16: Managing Security Operations</h2>
<h3 id="my-key-takeaways-and-crucial-points">My key takeaways and crucial points</h3>
<h4 id="applying-security-operations-concepts">Applying Security Operations Concepts</h4>
<ul>
<li>Due care and due diligence refer to taking reasonable care to protect the assets of an organization on an ongoing basis</li>
<li>Need to know
<ul>
<li>Focuses on permissions and the ability to access information</li>
<li>Rights
<ul>
<li>Refers to the ability to take actions</li>
</ul>
</li>
<li>Grant users access only to data or resources they need to perform assigned work tasks</li>
</ul>
</li>
<li>Least privilege
<ul>
<li>Granted only the privileges necessary to perform assigned work tasks and no more</li>
<li>Entitlement
<ul>
<li>The amount of privileges granted to users</li>
</ul>
</li>
<li>Aggregation
<ul>
<li>The amount of privileges that users collect over time</li>
</ul>
</li>
<li>Transitive trust
<ul>
<li>A trust relationship between two security domains</li>
</ul>
</li>
</ul>
</li>
<li>Separation of privilege
<ul>
<li>No single person has total control</li>
<li>Collusion
<ul>
<li>An agreement by two or more persons to perform some unauthorized activities</li>
</ul>
</li>
<li>Helps reduce fraud</li>
<li>Builds on least privilege</li>
<li>Segregation of duties is specifically required by SOX</li>
</ul>
</li>
<li>Two person control
<ul>
<li>Operations that require two keys</li>
<li>Ensures peer review, reduces likelihood of fraud</li>
<li>Split knowledge is where information or privilege is divided among multiple users</li>
</ul>
</li>
<li>Job rotation
<ul>
<li>Encourages peer review, reduces fraud, enables cross training</li>
<li>Acts as both a deterrent and a detection mechanism</li>
</ul>
</li>
<li>Mandatory vacations
<ul>
<li>Peer review, helps detect fraud and collusion</li>
<li>Acts as a deterrent and a detection mechanism</li>
</ul>
</li>
</ul>
<h4 id="privileged-account-management">Privileged Account Management</h4>
<ul>
<li>Special privilege operations
<ul>
<li>Activities that require special access or elevated rights and permissions to perform</li>
<li>Sensitive job tasks</li>
</ul>
</li>
<li>Monitor usage of special privileges so the organization can deter employees from misusing them and detect misuse when it happens</li>
<li>Perform access review audits</li>
</ul>
<h4 id="managing-the-information-lifecycle">Managing the Information Lifecycle</h4>
<ul>
<li>Creation/capture
<ul>
<li>Data is created by users, downloading files, etc.</li>
</ul>
</li>
<li>Classification
<ul>
<li>Should be done ASAP</li>
<li>Ensure that sensitive data is identified and handled appropriately based on its classification</li>
<li>Once data is classified, it can be marked and handled correctly
<ul>
<li>Easily recognize data’s value</li>
</ul>
</li>
</ul>
</li>
<li>Storage
<ul>
<li>Periodically back up</li>
<li>Encrypted</li>
<li>Physical security</li>
</ul>
</li>
<li>Usage
<ul>
<li>Any time data is in use or in transit over a network</li>
<li>Used in an unencrypted format</li>
</ul>
</li>
<li>Archive
<ul>
<li>Comply with laws/regulations regarding data retention</li>
<li>Ensure data is available</li>
</ul>
</li>
<li>Destruction/purging
<ul>
<li>NIST 800-88r1</li>
</ul>
</li>
</ul>
<h4 id="service-level-agreements">Service Level Agreements</h4>
<ul>
<li>Defines performance expectations and penalties</li>
<li>Sometimes have memorandums of understanding
<ul>
<li>and/or an interconnection security agreement</li>
<li>Two entities work together toward a common goal</li>
</ul>
</li>
<li>Can specify technical requirements</li>
</ul>
<h4 id="addressing-personnel-safety-and-security">Addressing Personnel Safety and Security</h4>
<ul>
<li>Always possible to replace equipment and data, can’t replace people</li>
<li>Human safety is <strong>ALWAYS</strong> top priority</li>
<li>Duress
<ul>
<li>A simple duress system is just a panic button that sends a distress call</li>
<li>More common when working alone</li>
<li>Code words or phrases</li>
</ul>
</li>
<li>Travel
<ul>
<li>Verify a person’s identity before opening a hotel door</li>
<li>Sensitive data is ideally not brought on the road, but if it is it needs to be encrypted</li>
<li>Malware/monitoring devices
<ul>
<li>Maintain physical control of all devices</li>
<li>Do not bring personal devices</li>
</ul>
</li>
<li>Free WiFi
<ul>
<li>Vulnerable to man in the middle attacks</li>
</ul>
</li>
</ul>
</li>
<li>Emergency management
<ul>
<li>Natural or man-made disasters</li>
<li>Locate sensitive physical assets toward the center of the building</li>
</ul>
</li>
</ul>
<h4 id="managing-virtual-assets">Managing Virtual Assets</h4>
<ul>
<li>Reduction in overall operating costs when going virtual</li>
<li>Hypervisor
<ul>
<li>Essential virtualization software</li>
</ul>
</li>
</ul>
<h4 id="managing-cloud-based-assets">Managing Cloud Based Assets</h4>
<ul>
<li>SaaS
<ul>
<li>Software as a service</li>
<li>Fully functional applications accessed via web browser, usually</li>
</ul>
</li>
<li>PaaS
<ul>
<li>Platform as a service</li>
<li>Computing platform, including hardware, an OS, and applications</li>
</ul>
</li>
<li>IaaS
<ul>
<li>Infrastructure as a service</li>
<li>Basic computing resources</li>
</ul>
</li>
<li>NIST 800-145</li>
<li>Public cloud
<ul>
<li>Available for any consumers</li>
</ul>
</li>
<li>Private cloud
<ul>
<li>Single organization</li>
</ul>
</li>
<li>Community cloud
<ul>
<li>Two or more organizations</li>
</ul>
</li>
<li>Hybrid cloud
<ul>
<li>Combination of two or more clouds</li>
</ul>
</li>
</ul>
<h4 id="media-management">Media Management</h4>
<ul>
<li>Includes any hard copy of data</li>
<li>When media is marked, handled and stored properly, it helps prevent unauthorized disclosure (loss of confidentiality), unauthorized modifications (loss of integrity), and unauthorized destruction (loss of availability)</li>
<li>Tape media
<ul>
<li>Keep at least two copies of backups</li>
<li>At least one offsite</li>
</ul>
</li>
<li>Mobile devices
<ul>
<li>MDM system monitors and manages devices, ensures they are up to date</li>
<li>Encryption protects data if phone is lost or stolen</li>
</ul>
</li>
<li>Managing media lifecycle
<ul>
<li>Once backup media has reached its MTTF, it should be destroyed</li>
<li>Degaussing does not remove data from an SSD</li>
</ul>
</li>
</ul>
<h4 id="managing-configuration">Managing Configuration</h4>
<ul>
<li>Baselining
<ul>
<li>Baselines are starting points</li>
<li>When systems are deployed in a secure state with a secure baseline, they are more likely to stay secure</li>
</ul>
</li>
<li>Using images for baselining
<ol>
<li>Create the image</li>
<li>Capture the image</li>
<li>Deploy the image</li>
</ol>
</li>
<li>Ensure that desired security settings are always configured correctly</li>
</ul>
<h4 id="managing-change">Managing Change</h4>
<ul>
<li>Change management
<ul>
<li>Reducing unanticipated outages caused by unauthorized changes</li>
<li>Primary goal is to ensure that changes do not cause outages</li>
</ul>
</li>
<li>Unauthorized changes directly affect availability</li>
<li>Security impact analysis
<ol>
<li>Request the change, identify desired changes</li>
<li>Review the change</li>
<li>Approve/reject the change</li>
<li>Test the change</li>
<li>Schedule and implement the change when it will have the least impact</li>
<li>Document the change</li>
</ol>
</li>
<li>Emergency changes can still occur, but the process still needs to document the changes</li>
<li>Versioning
<ul>
<li>Labeling or numbering system that differentiates between different software sets and configurations across multiple machines or at different points in time on a single machine</li>
</ul>
</li>
<li>Configuration documents
<ul>
<li>Who is responsible</li>
<li>Purpose of the change</li>
<li>List all changes to the baseline</li>
</ul>
</li>
</ul>
<h4 id="managing-patches-and-reducing-vulnerabilities">Managing Patches and Reducing Vulnerabilities</h4>
<ul>
<li>Systems to manage
<ul>
<li>Any computing device with an OS</li>
<li>Network infrastructure systems</li>
<li>Embedded systems</li>
</ul>
</li>
<li>Patch management
<ul>
<li>Patch
<ul>
<li>Any type of code written to correct a bug or vulnerability or improve the performance of existing software</li>
</ul>
</li>
<li>Evaluate patches
<ul>
<li>Determine if they apply to your systems</li>
</ul>
</li>
<li>Test patches
<ul>
<li>Test on an isolated nonproduction system</li>
<li>Determine unwanted side effects</li>
</ul>
</li>
<li>Approve the patches
<ul>
<li>Change management</li>
</ul>
</li>
<li>Deploy the patches
<ul>
<li>Automated methods</li>
</ul>
</li>
<li>Verify that patches are deployed
<ul>
<li>Regularly test and audit systems</li>
</ul>
</li>
</ul>
</li>
<li>Vulnerability management
<ul>
<li>Identifying vulnerabilities, evaluating them, mitigating risks</li>
<li>Vulnerability scans
<ul>
<li>Test systems and networks for known security issues</li>
<li>Nessus by Tenable Network Security</li>
<li>Generate reports</li>
</ul>
</li>
<li>Vulnerability assessments
<ul>
<li>Review scan reports from the past year to determine whether the organization is addressing vulnerabilities</li>
<li>“Why hasn’t this been mitigated?”</li>
<li>Part of a risk analysis or assessment</li>
</ul>
</li>
<li>Common vulnerabilities and exposures
<ul>
<li>MITRE maintains the CVE database: cve.mitre.org</li>
<li>MITRE is not an acronym; the organization is funded by the US government to maintain the database</li>
</ul>
</li>
</ul>
</li>
</ul>
<p>Author: thmsrynr</p>
<p><strong>CISSP Study Notes Chapter 15 - Security Assessment and Testing</strong></p>
<p>Published 2020-10-07T07:30:00-07:00. <a href="https://thomasrayner.ca/cissp-study-notes-ch15">https://thomasrayner.ca/cissp-study-notes-ch15</a></p>
<p>Chapter 15 is a hefty chapter which covers designing and validating assessment, test, and audit strategies, conducting security control testing, collecting security process data, analyzing test output, and conducting security audits.</p>
<h2 id="previous-chapters">Previous Chapters</h2>
<ul>
<li><a href="/cissp-study-notes-ch1">Chapter 1: Security Governance Through Principles and Policies</a></li>
<li><a href="/cissp-study-notes-ch2">Chapter 2: Personnel Security and Risk Management Concepts</a></li>
<li><a href="/cissp-study-notes-ch3">Chapter 3: Business Continuity Planning</a></li>
<li><a href="/cissp-study-notes-ch4">Chapter 4: Laws, Regulations, and Compliance</a></li>
<li><a href="/cissp-study-notes-ch5">Chapter 5: Protecting Security of Assets</a></li>
<li><a href="/cissp-study-notes-ch6">Chapter 6: Cryptography and Symmetric Key Algorithms</a></li>
<li><a href="/cissp-study-notes-ch7">Chapter 7: PKI and Cryptographic Applications</a></li>
<li><a href="/cissp-study-notes-ch8">Chapter 8: Principles of Security, Models, Design, and Capabilities</a></li>
<li><a href="/cissp-study-notes-ch9">Chapter 9: Security Vulnerabilities, Threats, and Countermeasures</a></li>
<li><a href="/cissp-study-notes-ch10">Chapter 10: Physical Security Requirements</a></li>
<li><a href="/cissp-study-notes-ch11">Chapter 11: Secure Network Architecture and Securing Network Components</a></li>
<li><a href="/cissp-study-notes-ch12">Chapter 12: Secure Communications and Network Attacks</a></li>
<li><a href="/cissp-study-notes-ch13">Chapter 13: Managing Identity and Authentication</a></li>
<li><a href="/cissp-study-notes-ch14">Chapter 14: Controlling and Monitoring Access</a></li>
</ul>
<h2 id="chapter-15-security-assessment-and-testing">Chapter 15: Security Assessment and Testing</h2>
<h3 id="my-key-takeaways-and-crucial-points">My key takeaways and crucial points</h3>
<h4 id="security-testing">Security Testing</h4>
<ul>
<li>Security tests
<ul>
<li>Verify that a control is functioning properly</li>
</ul>
</li>
<li>Frequent automated tests supplemented by infrequent manual tests are recommended
<ul>
<li>Review the results of those tests to ensure that each test was successful</li>
</ul>
</li>
</ul>
<h4 id="security-assessments">Security Assessments</h4>
<ul>
<li>Security assessment
<ul>
<li>Comprehensive reviews of the security of a system, application, or other tested environment</li>
</ul>
</li>
<li>Information security professional performs a risk assessment</li>
<li>Assessment report addressed to management</li>
</ul>
<h4 id="security-audits">Security Audits</h4>
<ul>
<li>Security audit
<ul>
<li>Use many of the same techniques for assessments, but must be performed by independent auditors</li>
</ul>
</li>
<li>Assessments are internal use only</li>
<li>Audits are done for the purpose of demonstrating the effectiveness of controls to a third party</li>
<li>Internal audits
<ul>
<li>Intended for internal audiences</li>
</ul>
</li>
<li>External audits
<ul>
<li>Performed by outside auditing firms</li>
</ul>
</li>
<li>Third party audits
<ul>
<li>Conducted by, or on behalf of, another organization</li>
<li>Type I
<ul>
<li>Description of controls provided by the audited organization, plus the auditor’s opinion based on that description</li>
</ul>
</li>
<li>Type II
<ul>
<li>Covers a minimum six-month period and also includes an opinion from the auditor</li>
<li>Considered more reliable</li>
</ul>
</li>
</ul>
</li>
<li>Auditing standards
<ul>
<li>COBIT
<ul>
<li>Describes common requirements orgs should have in place surrounding information systems</li>
</ul>
</li>
<li>ISO 27001
<ul>
<li>A standard approach for setting up an information security management protocol</li>
<li>ISO 27002 goes into more detail</li>
</ul>
</li>
</ul>
</li>
</ul>
<h4 id="describing-vulnerabilities">Describing Vulnerabilities</h4>
<ul>
<li>Common vulnerabilities and exposures (CVEs)
<ul>
<li>A naming system for vulnerabilities</li>
</ul>
</li>
<li>Common vulnerability scoring system (CVSS)
<ul>
<li>A scoring system for severity</li>
</ul>
</li>
<li>Common platform enumeration (CPE)
<ul>
<li>A naming system for configuration issues</li>
</ul>
</li>
<li>Extensible configuration checklist description format (XCCDF)
<ul>
<li>Language for security checklists</li>
</ul>
</li>
<li>Open vulnerability and assessment language (OVAL)
<ul>
<li>Language for security testing procedures</li>
</ul>
</li>
</ul>
<h4 id="vulnerability-scans">Vulnerability Scans</h4>
<blockquote>
<p>The instructor for my bootcamp told us that this is a heavily tested section, and trips up a ton of test takers</p>
</blockquote>
<ul>
<li>Vulnerability scans
<ul>
<li>Automatically probe systems</li>
</ul>
</li>
<li>Network discovery scans
<ul>
<li>NMAP - a network scanning tool</li>
<li>TCP SYN scanning
<ul>
<li>Single packets sent with the SYN flag set</li>
</ul>
</li>
<li>TCP connect scanning
<ul>
<li>Opens a full connection to the remote system</li>
</ul>
</li>
<li>TCP ACK scanning
<ul>
<li>Send a packet with ACK set, indicating it’s part of an open connection</li>
<li>Helps determine firewall rules</li>
</ul>
</li>
<li>Xmas scanning
<ul>
<li>FIN, PSH, URG flags are set on packets sent to systems</li>
</ul>
</li>
</ul>
</li>
<li>Port statuses
<ul>
<li>Open - there is an application that is actively accepting connections</li>
<li>Closed - The firewall is allowing access, but there is no application accepting connections</li>
<li>Filtered - Unable to determine if a port is open or closed because of a firewall</li>
</ul>
</li>
<li>Network vulnerability scanning
<ul>
<li>Deeper than a discovery scan</li>
<li>Tools contain databases of thousands of known vulnerabilities, and tests that can be performed to identify whether a system is susceptible to each vulnerability</li>
<li>False positives and false negatives may occur</li>
<li>By default, vulnerability scanners run unauthenticated scans</li>
</ul>
</li>
<li>TCP ports</li>
</ul>
<table>
<thead>
<tr>
<th>Service</th>
<th>Port</th>
</tr>
</thead>
<tbody>
<tr>
<td>FTP</td>
<td>20-21</td>
</tr>
<tr>
<td>SSH</td>
<td>22</td>
</tr>
<tr>
<td>Telnet</td>
<td>23</td>
</tr>
<tr>
<td>SMTP</td>
<td>25</td>
</tr>
<tr>
<td>DNS</td>
<td>53</td>
</tr>
<tr>
<td>HTTP</td>
<td>80</td>
</tr>
<tr>
<td>POP3</td>
<td>110</td>
</tr>
<tr>
<td>NTP</td>
<td>123</td>
</tr>
<tr>
<td>Windows file sharing</td>
<td>135, 137-139 (NETBIOS, WINS), 445</td>
</tr>
<tr>
<td>HTTPS</td>
<td>443</td>
</tr>
<tr>
<td>LPR/LPD</td>
<td>515</td>
</tr>
<tr>
<td>Microsoft SQL Server</td>
<td>1433/1434</td>
</tr>
<tr>
<td>Oracle</td>
<td>1521</td>
</tr>
<tr>
<td>H.323</td>
<td>1720</td>
</tr>
<tr>
<td>PPTP</td>
<td>1723</td>
</tr>
<tr>
<td>RDP</td>
<td>3389</td>
</tr>
<tr>
<td>HP JetDirect Printing</td>
<td>9100</td>
</tr>
</tbody>
</table>
<ul>
<li>Nessus, Qualys, Rapid7’s NeXpose, OpenVAS are all vulnerability scanners</li>
<li>Aircrack is used to scan wireless networks</li>
<li>Web vulnerability scanning
<ul>
<li>Structured Query Language (SQL) injection, leveraging poor input validation/sanitization</li>
<li>Web vulnerability scanners scour web applications for known vulnerabilities</li>
<li>Nessus does this, too, also Acunetix, Nikto, Wapiti, Burp Suite</li>
<li>Scan all applications when you begin performing scanning for the first time</li>
<li>Scan new applications when moving into production</li>
<li>Scan before code changes go to production</li>
<li>Scan on a recurring basis</li>
</ul>
</li>
<li>Vulnerability management workflow
<ol>
<li>Detection - Identification of a vulnerability</li>
<li>Validation - Confirm the vulnerability is not a false positive</li>
<li>Remediation - Patch, change configurations, implement a workaround</li>
</ol>
</li>
<li>Penetration testing
<ul>
<li>Actually attempting to exploit systems, not just scan them</li>
<li>Done by trained security professionals</li>
<li>Process
<ol>
<li>Planning - agree on scope, rules of engagement</li>
<li>Information gathering and discovery - tools collect information, reconnaissance</li>
<li>Vulnerability scanning - probes for system weaknesses</li>
<li>Exploitation - use automated and manual exploitation tools to defeat system security</li>
<li>Reporting - results of the penetration test, make recommendations</li>
</ol>
</li>
<li>Metasploit is a common tool</li>
<li>Types of penetration tests
<ol>
<li>White box - testers have detailed information about the target systems</li>
<li>Gray box - testers have partial knowledge about the target systems</li>
<li>Black box - testers are not provided with any information</li>
</ol>
<ul>
<li>They should be done in this order</li>
</ul>
</li>
</ul>
</li>
</ul>
<h4 id="testing-your-software">Testing Your Software</h4>
<ul>
<li>Applications often have privileged access</li>
<li>Apps often handle sensitive information</li>
<li>They often rely on databases</li>
<li>Code review
<ul>
<li>AKA peer review</li>
<li>Approval of an application’s move into production</li>
<li>Fagan inspection
<ol>
<li>Planning</li>
<li>Overview</li>
<li>Preparation</li>
<li>Inspection</li>
<li>Rework</li>
<li>Follow up</li>
</ol>
</li>
</ul>
</li>
<li>Static testing
<ul>
<li>Done without running it, but rather analyzing source code or compiled app</li>
</ul>
</li>
<li>Dynamic testing
<ul>
<li>Done in a runtime environment</li>
<li>Testers often do not have access to underlying source code</li>
<li>Synthetic transactions are scripted transactions with an application with known expected results</li>
</ul>
</li>
<li>Fuzz testing
<ul>
<li>Different types of input are given to software to test its limits and find previously undetected flaws</li>
<li>Mutation “dumb” fuzzing
<ul>
<li>Takes previous input values and mutates them to create fuzzed input</li>
</ul>
</li>
<li>Generational “intelligent” fuzzing
<ul>
<li>Data models used to create new fuzzed input based on understanding of data types used by the system</li>
</ul>
</li>
<li>zzuf - a tool that performs fuzzing</li>
</ul>
</li>
<li>Interface testing
<ul>
<li>Different parts of a complex app that must function together are tested</li>
</ul>
</li>
<li>Misuse case testing
<ul>
<li>Enumerate the known misuse cases</li>
<li>How can software be abused?</li>
</ul>
</li>
<li>Test coverage analysis
<ul>
<li>Estimate the degree of testing conducted
<ul>
<li>Test coverage = number of use cases tested / total number of use cases</li>
</ul>
</li>
<li>Branch coverage
<ul>
<li>Has every <code class="language-plaintext highlighter-rouge">if</code> been executed under all <code class="language-plaintext highlighter-rouge">if</code> and <code class="language-plaintext highlighter-rouge">else</code> conditions?</li>
</ul>
</li>
<li>Conditional coverage
<ul>
<li>Has every logical test in the code been executed under all sets of inputs?</li>
</ul>
</li>
<li>Function coverage
<ul>
<li>Has every function in the code been called and returned results?</li>
</ul>
</li>
<li>Loop coverage
<ul>
<li>Has every loop in the code been executed under conditions that cause code execution multiple times, once, and not at all?</li>
</ul>
</li>
<li>Statement coverage
<ul>
<li>Has every line of code been executed during the test?</li>
</ul>
</li>
</ul>
</li>
<li>Website monitoring
<ul>
<li>Passive monitoring
<ul>
<li>Analyze actual network traffic</li>
<li>Real user monitoring reassembles the activity of individual users</li>
</ul>
</li>
<li>Synthetic monitoring
<ul>
<li>AKA Active monitoring</li>
<li>Performing artificial transactions</li>
</ul>
</li>
</ul>
</li>
</ul>
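<p>The two fuzzing styles above, as an added example that is not from the study guide. The target <code class="language-plaintext highlighter-rouge">parse_record</code> is a constructed, deliberately fragile parser for records of the form <code class="language-plaintext highlighter-rouge">NAME:LEN:PAYLOAD</code>; the mutation fuzzer starts from one seed and corrupts it blindly, while the generational fuzzer builds inputs from a model of the format so that boundary values land in the field that matters. The seed record, the field models and the bugs are all assumptions made for the demonstration.</p>

```python
"""Mutation ("dumb") vs. generational ("intelligent") fuzzing.

Added example, not from the study guide. `parse_record` is a constructed,
deliberately fragile parser for records of the form NAME:LEN:PAYLOAD; the
fuzzers below look for inputs that make it raise.
"""
import random

SEED_INPUT = b"alice:5:hello"  # constructed seed record for the mutation fuzzer


def parse_record(data: bytes) -> dict:
    """Target under test. It trusts the LEN field: a LEN of 0 divides by zero,
    a non-numeric LEN raises ValueError, and a missing ':' fails to unpack."""
    name, length, payload = data.split(b":", 2)
    n = int(length)
    chunk = payload[:n]
    avg_byte = sum(chunk) // n  # bug: no check that n > 0
    return {"name": name.decode("ascii"), "payload": chunk, "avg_byte": avg_byte}


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Mutation fuzzing: derive a new input from an existing one with no
    knowledge of the format (flip, insert, delete, or duplicate a prefix)."""
    buf = bytearray(data)
    op = rng.choice(("flip", "insert", "delete", "dup"))
    if op == "flip" and buf:
        buf[rng.randrange(len(buf))] ^= rng.randrange(1, 256)
    elif op == "insert":
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == "delete" and buf:
        del buf[rng.randrange(len(buf))]
    else:
        i = rng.randrange(len(buf) + 1)
        buf[i:i] = buf[:i]
    return bytes(buf)


def generate(rng: random.Random) -> bytes:
    """Generational fuzzing: build inputs from a model of the format, so
    boundary values (0, negative, huge, non-numeric) land in the LEN field
    where they matter instead of being scattered at random."""
    name = rng.choice([b"alice", b"", b"a" * 300, b"\xff\xfe"])
    length = rng.choice([b"5", b"0", b"-1", b"99999999999", b"abc", b""])
    payload = rng.choice([b"hello", b"", b"x" * 1000, b"he:llo"])
    return b":".join((name, length, payload))


def fuzz(strategy: str, iterations: int, seed: int = 1) -> dict:
    """Run a campaign and return {exception name: first input that triggered it}."""
    rng = random.Random(seed)
    corpus = [SEED_INPUT]
    findings = {}
    for _ in range(iterations):
        data = mutate(rng.choice(corpus), rng) if strategy == "mutation" else generate(rng)
        try:
            parse_record(data)
        except Exception as exc:  # any unhandled exception is a crash worth triaging
            findings.setdefault(type(exc).__name__, data)
        else:
            if strategy == "mutation" and data not in corpus:
                corpus.append(data)  # inputs that parse become new seeds
    return findings


if __name__ == "__main__":
    for strategy in ("mutation", "generational"):
        print(strategy, sorted(fuzz(strategy, 2000)))
```

<p>Run it and compare the two result sets: the generational fuzzer hits the divide-by-zero almost immediately because <code class="language-plaintext highlighter-rouge">0</code> is in its model of the LEN field, while the mutation fuzzer usually finds only the parse errors, since turning the byte <code class="language-plaintext highlighter-rouge">5</code> into exactly <code class="language-plaintext highlighter-rouge">0</code> by random flips is a low-probability event. That difference is the reason intelligent fuzzers are worth the cost of writing a data model.</p>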
<h4 id="implementing-security-management-processes">Implementing Security Management Processes</h4>
<ul>
<li>Log reviews
<ul>
<li>Logging systems should use Network Time Protocol (NTP) to ensure clock synchronization</li>
<li>Periodically review logs</li>
</ul>
</li>
<li>Account management
<ul>
<li>Ensure users only retain authorized permissions and that unauthorized modifications do not occur</li>
<li>Example process
<ol>
<li>Provide a list of users with privileged access</li>
<li>Ask the privilege approval authority to provide a list of authorized users</li>
<li>Compare the two lists</li>
</ol>
</li>
<li>Lots of other checks, like terminated users</li>
<li>Check paper trails</li>
</ul>
</li>
<li>Backup verification</li>
<li>Key performance and risk indicators
<ul>
<li>Monitor key performance and risk indicators</li>
<li>Number of open vulnerabilities</li>
<li>Time to resolve vulnerabilities</li>
<li>Vulnerability/defect recurrence</li>
<li>Number of compromised accounts</li>
<li>Number of software flaws detected in pre-production scanning</li>
<li>Repeat audit findings</li>
<li>User attempts to visit known malicious sites</li>
<li>Lots more, come up with your own depending on what’s important to your org</li>
</ul>
</li>
</ul>
<p>CISSP Study Notes Chapter 14 - Controlling and Monitoring Access (thmsrynr, 2020-10-06): <a href="https://thomasrayner.ca/cissp-study-notes-ch14">https://thomasrayner.ca/cissp-study-notes-ch14</a></p>
<p>Chapter 14 is about identity and access management (IAM), and discusses all kinds of different access control: role based, rule based, mandatory, discretionary, and attribute based.</p>
<h2 id="previous-chapters">Previous Chapters</h2>
<ul>
<li><a href="/cissp-study-notes-ch1">Chapter 1: Security Governance Through Principles and Policies</a></li>
<li><a href="/cissp-study-notes-ch2">Chapter 2: Personnel Security and Risk Management Concepts</a></li>
<li><a href="/cissp-study-notes-ch3">Chapter 3: Business Continuity Planning</a></li>
<li><a href="/cissp-study-notes-ch4">Chapter 4: Laws, Regulations, and Compliance</a></li>
<li><a href="/cissp-study-notes-ch5">Chapter 5: Protecting Security of Assets</a></li>
<li><a href="/cissp-study-notes-ch6">Chapter 6: Cryptography and Symmetric Key Algorithms</a></li>
<li><a href="/cissp-study-notes-ch7">Chapter 7: PKI and Cryptographic Applications</a></li>
<li><a href="/cissp-study-notes-ch8">Chapter 8: Principles of Security, Models, Design, and Capabilities</a></li>
<li><a href="/cissp-study-notes-ch9">Chapter 9: Security Vulnerabilities, Threats, and Countermeasures</a></li>
<li><a href="/cissp-study-notes-ch10">Chapter 10: Physical Security Requirements</a></li>
<li><a href="/cissp-study-notes-ch11">Chapter 11: Secure Network Architecture and Securing Network Components</a></li>
<li><a href="/cissp-study-notes-ch12">Chapter 12: Secure Communications and Network Attacks</a></li>
<li><a href="/cissp-study-notes-ch13">Chapter 13: Managing Identity and Authentication</a></li>
</ul>
<h2 id="chapter-14-controlling-and-monitoring-access">Chapter 14: Controlling and Monitoring Access</h2>
<h3 id="my-key-takeaways-and-crucial-points">My key takeaways and crucial points</h3>
<h4 id="comparing-permissions-rights-and-privileges">Comparing Permissions, Rights, and Privileges</h4>
<ul>
<li>Permissions
<ul>
<li>The access granted for an object and what you can do with it</li>
</ul>
</li>
<li>Rights
<ul>
<li>The ability to take an action on an object</li>
</ul>
</li>
<li>Privileges
<ul>
<li>The combination of rights and permissions</li>
</ul>
</li>
</ul>
<h4 id="understanding-authorization-mechanisms">Understanding Authorization Mechanisms</h4>
<ul>
<li>Implicit deny
<ul>
<li>Access to an object is denied unless it has been explicitly granted</li>
</ul>
</li>
<li>Access control matrix
<ul>
<li>A table that includes subjects, objects, and assigned privileges</li>
</ul>
</li>
<li>Capability tables
<ul>
<li>Like an ACL, but focused on subjects</li>
</ul>
</li>
<li>Constrained interface
<ul>
<li>Restricted interfaces that control what users can do or see based on their privileges</li>
</ul>
</li>
<li>Content-dependent control
<ul>
<li>Restrict access to data based on the content within an object</li>
<li>Ex: A database view</li>
<li>“What” data is being accessed</li>
</ul>
</li>
<li>Context-dependent control
<ul>
<li>Require specific activity before granting access</li>
<li>Ex: Date and time bound access</li>
<li>“How” you’re accessing data</li>
</ul>
</li>
<li>Need to know
<ul>
<li>Granted access only to what you <em>need to know</em> to perform your job</li>
</ul>
</li>
<li>Least privilege
<ul>
<li>Subjects are granted only the privileges they need to perform their work tasks and job functions</li>
<li>Will also include rights to take action on a system</li>
</ul>
</li>
<li>Separation of duties and responsibilities
<ul>
<li>Sensitive functions are split into tasks performed by two or more employees</li>
</ul>
</li>
</ul>
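<p>The access control matrix, its two derived views (an ACL is a column of the matrix, a capability table is a row), implicit deny, and a least-privilege review in one place, as an added example that is not from the study guide. The subjects, objects, rights and the "needed" list passed to the review are constructed for the demonstration.</p>

```python
"""Access control matrix, ACL view, capability view, implicit deny and a
least-privilege check. Added example with a constructed matrix; the
subjects, objects and rights are hypothetical."""
from typing import Dict, FrozenSet, Set

# Constructed access control matrix: subject -> object -> rights granted.
# A missing entry is not "unknown", it is denied (implicit deny).
MATRIX: Dict[str, Dict[str, FrozenSet[str]]] = {
    "alice": {"payroll.db": frozenset({"read", "write"}),
              "report.txt": frozenset({"read"})},
    "bob":   {"report.txt": frozenset({"read", "write"})},
    "carol": {},
}


def acl_for(obj: str) -> Dict[str, FrozenSet[str]]:
    """Object-focused view (ACL): one column of the matrix, who may do what to this object."""
    return {subj: rights[obj] for subj, rights in MATRIX.items() if obj in rights}


def capabilities_for(subj: str) -> Dict[str, FrozenSet[str]]:
    """Subject-focused view (capability table): one row of the matrix."""
    return dict(MATRIX.get(subj, {}))


def is_authorized(subj: str, obj: str, right: str) -> bool:
    """Implicit deny: an unknown subject, an unknown object or an ungranted
    right all fall through to False; only an explicit grant returns True."""
    return right in MATRIX.get(subj, {}).get(obj, frozenset())


def excess_privileges(subj: str, needed: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Least privilege review: rights the subject holds beyond what the job
    needs, where `needed` is the list the approval authority signed off on."""
    excess = {}
    for obj, rights in capabilities_for(subj).items():
        extra = set(rights) - needed.get(obj, set())
        if extra:
            excess[obj] = extra
    return excess


if __name__ == "__main__":
    print("ACL for report.txt:", acl_for("report.txt"))
    print("Capabilities of bob:", capabilities_for("bob"))
    print("carol read payroll.db?", is_authorized("carol", "payroll.db", "read"))
    print("alice excess:", excess_privileges("alice", {"payroll.db": {"read"}, "report.txt": {"read"}}))
```

<p>The same matrix answers both "who can touch this file" (the ACL question an object owner asks) and "what can this account reach" (the capability question an auditor asks during an account review). Note that <code class="language-plaintext highlighter-rouge">is_authorized</code> never raises for names it has not seen; that is implicit deny in code.</p>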
<h4 id="defining-requirements-with-a-security-policy">Defining Requirements with a Security Policy</h4>
<ul>
<li>Security policy
<ul>
<li>A document that defines the security requirements for an organization</li>
</ul>
</li>
<li>Senior leadership approves the security policy</li>
</ul>
<h4 id="implementing-defense-in-depth">Implementing Defense in Depth</h4>
<ul>
<li>Defense in depth
<ul>
<li>Multiple layers or levels of access controls to provide layered security</li>
</ul>
</li>
<li>Key components
<ul>
<li>Security policy</li>
<li>Personnel, training</li>
<li>Combination of administrative, technical, and physical access controls</li>
</ul>
</li>
</ul>
<h4 id="summarizing-access-control-models">Summarizing Access Control Models</h4>
<ul>
<li>Discretionary access control
<ul>
<li>Every object has an owner who can grant or deny access to any other subjects</li>
</ul>
</li>
<li>Role based access control
<ul>
<li>User accounts are placed in roles and administrators assign privileges to the roles</li>
</ul>
</li>
<li>Rule based access control
<ul>
<li>Global rules apply to all subjects</li>
<li>AKA restrictions/filters</li>
</ul>
</li>
<li>Attribute based access control
<ul>
<li>Uses rules that can include multiple attributes</li>
<li>More flexible than rule based access control</li>
<li>Plain language statements</li>
</ul>
</li>
<li>Mandatory access control
<ul>
<li>Labels applied to both subjects and objects</li>
</ul>
</li>
</ul>
<h4 id="discretionary-access-control">Discretionary Access Control</h4>
<ul>
<li>Allows the owner/creator/data custodian of an object to control and define access to the object</li>
<li>Using access control lists (ACLs)</li>
</ul>
<h4 id="nondiscretionary-access-control">Nondiscretionary Access Control</h4>
<ul>
<li>Administrators centrally administer access controls and can make changes that affect the entire environment</li>
</ul>
<h4 id="role-based-access-control">Role Based Access Control</h4>
<ul>
<li>AKA task-based access control</li>
<li>AKA RBAC</li>
<li>Privilege creep
<ul>
<li>Users accrue privileges over time as their roles and access needs change</li>
</ul>
</li>
<li>Administrators identify roles/groups by work function</li>
<li>Useful in dynamic environments with frequent personnel changes</li>
</ul>
<h4 id="rule-based-access-control">Rule Based Access Control</h4>
<ul>
<li>Rules, restrictions, filters determine what can and cannot occur on a system</li>
<li>Global rules apply to all subjects</li>
<li>RBAC refers to <em>ROLE</em> based access control</li>
<li>Firewalls include a set of rules within an ACL</li>
<li>Implicit deny</li>
</ul>
<h4 id="attribute-based-access-control">Attribute Based Access Control</h4>
<ul>
<li>ABAC</li>
<li>Uses policies that include multiple attributes for rules</li>
<li>Can be any characteristic of users, network, devices</li>
</ul>
<h4 id="mandatory-access-control">Mandatory Access Control</h4>
<ul>
<li>MAC</li>
<li>Uses classification labels</li>
<li>Security domain
<ul>
<li>A collection of subjects and objects that share a common security policy</li>
</ul>
</li>
<li>Often referred to as a lattice-based model</li>
<li>Compartmentalization enforces need to know principle</li>
<li>Hierarchical environment
<ul>
<li>Ordered structure from low security to medium security to high security</li>
<li>Classification labels</li>
</ul>
</li>
<li>Compartmentalized environment
<ul>
<li>No relationship between one security domain and another</li>
</ul>
</li>
<li>Hybrid environment
<ul>
<li>Combines both hierarchical and compartmentalized concepts</li>
</ul>
</li>
</ul>
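<p>The hierarchical, compartmentalized and hybrid MAC environments above are all instances of one lattice, which is why the model is called lattice-based. The following added example (not from the study guide) encodes a label as a level plus a set of compartments and implements the standard dominance rule; the level names, compartment names and labels are constructed.</p>

```python
"""Lattice-based mandatory access control: hierarchical levels plus
compartments. Added example; the levels, compartments and labels are
constructed and the dominance rule is the standard lattice ordering."""
from typing import FrozenSet, NamedTuple

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


class Label(NamedTuple):
    level: str                    # hierarchical part of the label
    compartments: FrozenSet[str]  # compartmentalized part (need to know)


def dominates(a: Label, b: Label) -> bool:
    """a dominates b when a's level is at least b's AND a's compartments
    include every compartment of b. A hybrid environment needs both tests."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.compartments >= b.compartments


def relationship(a: Label, b: Label) -> str:
    """Where two labels sit in the lattice relative to each other."""
    up, down = dominates(a, b), dominates(b, a)
    if up and down:
        return "equal"
    if up:
        return "dominates"
    if down:
        return "dominated"
    # Different compartments with neither a superset of the other: no
    # relationship at all, as between domains in a compartmentalized environment.
    return "incomparable"


def can_read(subject: Label, obj: Label) -> bool:
    """A subject may read an object only when its clearance dominates the
    object's classification; a higher level alone is not enough."""
    return dominates(subject, obj)


if __name__ == "__main__":
    ts_crypto = Label("top secret", frozenset({"crypto"}))
    s_crypto_nuclear = Label("secret", frozenset({"crypto", "nuclear"}))
    print(relationship(ts_crypto, s_crypto_nuclear))          # incomparable
    print(can_read(ts_crypto, Label("secret", frozenset({"crypto"}))))  # True
```

<p>The last case in the script is the one the exam likes: a top secret clearance does not grant read access to a secret object in a compartment the subject was never read into, because compartmentalization enforces need to know independently of the hierarchy.</p>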
<h4 id="understanding-access-control-attacks">Understanding Access Control Attacks</h4>
<ul>
<li>Risk elements
<ul>
<li>Threat
<ul>
<li>A potential occurrence that can result in an undesirable outcome</li>
</ul>
</li>
<li>Vulnerability
<ul>
<li>Any type of weakness</li>
</ul>
</li>
<li>Risk management
<ul>
<li>Attempting to reduce or eliminate vulnerabilities, or reduce the impact of potential threats by implementing controls or countermeasures</li>
<li>Process
<ul>
<li>Identify assets
<ul>
<li>Asset valuation - identifying the actual value of an asset so you may prioritize them</li>
</ul>
</li>
<li>Identify threats
<ul>
<li>Threat modeling - identifying, understanding and categorizing potential threats</li>
</ul>
</li>
<li>Identify vulnerabilities</li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
<li>Advanced persistent threats
<ul>
<li>APTs</li>
<li>Attackers who are working together, highly motivated, skilled, and patient</li>
<li>Advanced knowledge</li>
</ul>
</li>
<li>Threat modeling approaches
<ul>
<li>Focused on assets
<ul>
<li>Identify threats to valuable assets</li>
</ul>
</li>
<li>Focused on attackers
<ul>
<li>Based on attackers goals</li>
</ul>
</li>
<li>Focused on software
<ul>
<li>Based on potential threats against software</li>
</ul>
</li>
</ul>
</li>
<li>Identifying vulnerabilities
<ul>
<li>Identifying strengths and weaknesses of different access control mechanisms</li>
</ul>
</li>
</ul>
<h4 id="common-access-control-attacks">Common Access Control Attacks</h4>
<ul>
<li>Access aggregation attacks
<ul>
<li>Collecting multiple pieces of non-sensitive information and combining them to learn sensitive information</li>
<li>Reconnaissance</li>
</ul>
</li>
<li>Password attacks
<ul>
<li>Passwords are the weakest form of authentication</li>
<li>Dictionary attack
<ul>
<li>Attempt to discover passwords by using every possible password in a predefined database or list of common or expected passwords</li>
</ul>
</li>
<li>Brute force attack
<ul>
<li>Attempt to discover passwords for accounts by systematically attempting all possible combinations of letters, numbers and symbols</li>
<li>Hybrid attack attempts a dictionary attack and then a brute force</li>
</ul>
</li>
<li>Birthday attack
<ul>
<li>Focuses on finding collisions</li>
<li>The birthday paradox states that if there are 23 people in a room, there is a 50% chance that two of them will have the same birthday (month and day only, not year)</li>
</ul>
</li>
<li>Rainbow table attack
<ul>
<li>Rainbow tables are large databases of precomputed hashes</li>
<li>Salt passwords to reduce effectiveness of rainbow tables
<ul>
<li>Salt is random bits added to a password before hashing it, stored in the same database holding the hashed password</li>
<li>Pepper is a large constant number stored elsewhere</li>
</ul>
</li>
</ul>
</li>
<li>Sniffer attacks
<ul>
<li>Capture packets sent over a network to analyze them</li>
<li>AKA snooping attack</li>
<li>Wireshark is a popular tool for this</li>
<li>Make sure you
<ul>
<li>Encrypt all sensitive data</li>
<li>Use one time passwords</li>
<li>Implement physical security</li>
<li>Monitor the network for signatures from sniffers</li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
<li>Spoofing attacks
<ul>
<li>AKA masquerading</li>
<li>Pretending to be something else</li>
<li>Email spoofing
<ul>
<li>Spoofing the email address in the from field of an email</li>
<li>Phishing</li>
</ul>
</li>
<li>Phone number spoofing
<ul>
<li>Caller ID</li>
<li>VoIP</li>
</ul>
</li>
</ul>
</li>
<li>Social engineering attacks
<ul>
<li>Gaining the trust of someone using deceit to get them to betray organizational security</li>
<li>Shoulder surfing is also considered social engineering
<ul>
<li>Looking at someone’s screen while they access information</li>
<li>Use screen filters</li>
</ul>
</li>
<li>Phishing
<ul>
<li>Getting users to open an attachment, click a link, or reply with personal information</li>
<li>Drive by downloads
<ul>
<li>Malware that installs itself without the user’s knowledge when the user visits a website</li>
</ul>
</li>
<li>Spear phishing
<ul>
<li>Phishing where specific users or groups are targeted</li>
</ul>
</li>
<li>Whaling
<ul>
<li>Senior or high level executives are targeted</li>
</ul>
</li>
<li>Vishing
<ul>
<li>Phishing with a phone system or VoIP</li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
<li>Smartcard attacks
<ul>
<li>Side channel attack
<ul>
<li>Passive, non-invasive attack that observes how the device functions</li>
</ul>
</li>
</ul>
</li>
</ul>
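<p>Rainbow tables, salts and peppers side by side, as an added example that is not from the study guide. It shows why identical unsalted hashes fall to a single precomputed lookup, why a per-user salt forces the attacker to redo the work for every user, and why a pepper kept outside the database defeats even a wordlist attack on a leaked salt and hash. The wordlist, the passwords, the pepper value and the PBKDF2 iteration count are constructed for the demonstration.</p>

```python
"""Unsalted hashes vs. salted (and peppered) hashes against a precomputed
table. Added example; the wordlist, passwords and pepper are constructed."""
import hashlib
import hmac
import secrets

WORDLIST = ["password", "letmein", "Summer2020!", "qwerty"]   # constructed attacker wordlist
PEPPER = bytes.fromhex("6f0e2c9a8b1d4e7f5a3c2b1d9e8f7a6c")  # hypothetical value; lives outside the DB
ITERATIONS = 100_000  # PBKDF2 work factor for the demo; production settings are higher


def hash_unsalted(password: str) -> str:
    """Plain SHA-256: identical passwords give identical, precomputable digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def precompute_table(wordlist) -> dict:
    """The attacker's table in miniature: digest -> password, built once and
    reused against every dump of unsalted hashes."""
    return {hash_unsalted(w): w for w in wordlist}


def hash_salted(password: str, salt: bytes, pepper: bytes = b"") -> str:
    """PBKDF2-HMAC-SHA256 over password||pepper with a per-user salt. The salt
    is stored next to the hash; the pepper is a secret stored elsewhere."""
    return hashlib.pbkdf2_hmac("sha256", password.encode() + pepper, salt, ITERATIONS).hex()


def store(password: str, pepper: bytes = PEPPER):
    """What the database keeps for a user: (salt, hash). Never the pepper."""
    salt = secrets.token_bytes(16)
    return salt, hash_salted(password, salt, pepper)


def verify(password: str, salt: bytes, stored: str, pepper: bytes = PEPPER) -> bool:
    """Constant-time comparison of the recomputed hash against the stored one."""
    return hmac.compare_digest(hash_salted(password, salt, pepper), stored)


def crack_with_table(digest: str, table: dict):
    """Works only on unsalted hashes: one dictionary lookup per leaked hash."""
    return table.get(digest)


def crack_salted(salt: bytes, stored: str, wordlist, pepper: bytes = b""):
    """With the salt leaked the attacker must redo the work per user and per
    salt, and without the pepper no candidate matches at all."""
    for w in wordlist:
        if hash_salted(w, salt, pepper) == stored:
            return w
    return None


if __name__ == "__main__":
    table = precompute_table(WORDLIST)
    print("unsalted, alice == bob:", hash_unsalted("Summer2020!") == hash_unsalted("Summer2020!"))
    print("table lookup:", crack_with_table(hash_unsalted("Summer2020!"), table))
    salt, stored = store("Summer2020!")
    print("table lookup on salted hash:", crack_with_table(stored, table))
    print("wordlist without pepper:", crack_salted(salt, stored, WORDLIST))
    print("wordlist with pepper:", crack_salted(salt, stored, WORDLIST, PEPPER))
```

<p>Two users with the same password get different salted hashes, so a leaked table of hashes no longer reveals who shares a password, and the precomputed table is useless. The pepper is the last line: once the database is stolen the salts are stolen with it, but the pepper is not, and the wordlist attack returns nothing until the attacker also compromises wherever the pepper is kept.</p>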
<h4 id="summary-of-protection-methods">Summary of Protection Methods</h4>
<ul>
<li>Control physical access to systems
<ul>
<li>If attackers can gain physical access to a server, they can steal it and do anything to it</li>
</ul>
</li>
<li>Control electronic access to files</li>
<li>Create a strong password policy</li>
<li>Hash and salt passwords</li>
<li>Use password masking, never display cleartext passwords</li>
<li>Deploy multifactor authentication</li>
<li>Use account lockout controls
<ul>
<li>Lock an account after the incorrect password is entered a predefined number of times</li>
<li>Implement extensive logging</li>
</ul>
</li>
<li>Use last logon notification
<ul>
<li>Display information about the last time an account was successfully logged into</li>
</ul>
</li>
<li>Educate users about security</li>
</ul>
<p>CISSP Study Notes Chapter 13 - Managing Identity and Authentication (thmsrynr, 2020-10-05): <a href="https://thomasrayner.ca/cissp-study-notes-ch13">https://thomasrayner.ca/cissp-study-notes-ch13</a></p>
<p>Chapter 13 is an important chapter that gets into controlling physical and logical access to assets, managing identification and authentication of people, devices and services, integrating identity as a third-party service, and managing the identity and access provisioning lifecycle.</p>
<h2 id="previous-chapters">Previous Chapters</h2>
<ul>
<li><a href="/cissp-study-notes-ch1">Chapter 1: Security Governance Through Principles and Policies</a></li>
<li><a href="/cissp-study-notes-ch2">Chapter 2: Personnel Security and Risk Management Concepts</a></li>
<li><a href="/cissp-study-notes-ch3">Chapter 3: Business Continuity Planning</a></li>
<li><a href="/cissp-study-notes-ch4">Chapter 4: Laws, Regulations, and Compliance</a></li>
<li><a href="/cissp-study-notes-ch5">Chapter 5: Protecting Security of Assets</a></li>
<li><a href="/cissp-study-notes-ch6">Chapter 6: Cryptography and Symmetric Key Algorithms</a></li>
<li><a href="/cissp-study-notes-ch7">Chapter 7: PKI and Cryptographic Applications</a></li>
<li><a href="/cissp-study-notes-ch8">Chapter 8: Principles of Security, Models, Design, and Capabilities</a></li>
<li><a href="/cissp-study-notes-ch9">Chapter 9: Security Vulnerabilities, Threats, and Countermeasures</a></li>
<li><a href="/cissp-study-notes-ch10">Chapter 10: Physical Security Requirements</a></li>
<li><a href="/cissp-study-notes-ch11">Chapter 11: Secure Network Architecture and Securing Network Components</a></li>
<li><a href="/cissp-study-notes-ch12">Chapter 12: Secure Communications and Network Attacks</a></li>
</ul>
<h2 id="chapter-13-managing-identity-and-authentication">Chapter 13: Managing Identity and Authentication</h2>
<h3 id="my-key-takeaways-and-crucial-points">My key takeaways and crucial points</h3>
<h4 id="comparing-subjects-and-objects">Comparing Subjects and Objects</h4>
<ul>
<li><em>Subjects</em> are active entities that access a passive object</li>
<li><em>Objects</em> are passive entities that provide information to active subjects</li>
</ul>
<h4 id="the-cia-triad-and-access-controls">The CIA Triad and Access Controls</h4>
<ul>
<li>Confidentiality
<ul>
<li>When unauthorized entities can access systems or data, it results in a loss of confidentiality</li>
</ul>
</li>
<li>Integrity
<ul>
<li>Unauthorized changes</li>
</ul>
</li>
<li>Availability
<ul>
<li>Data should be available to users and other subjects when they are needed</li>
</ul>
</li>
</ul>
<h4 id="types-of-access-control">Types of Access Control</h4>
<ul>
<li>Access control includes the following overall steps
<ol>
<li>Identify and authenticate users or other subjects attempting to access resources</li>
<li>Determine whether the access is authorized</li>
<li>Grant or restrict access based on the subject’s identity</li>
<li>Monitor and record access attempts</li>
</ol>
</li>
<li>Preventive access control
<ul>
<li>Attempts to thwart or stop unwanted or unauthorized activity from occurring</li>
</ul>
</li>
<li>Detective access control
<ul>
<li>Attempts to discover or detect unwanted or unauthorized activity</li>
</ul>
</li>
<li>Corrective access control
<ul>
<li>Modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred</li>
</ul>
</li>
<li>Deterrent access control
<ul>
<li>Discourages security policy violations</li>
</ul>
</li>
<li>Recovery access control
<ul>
<li>Repair or restore resources, functions, and capabilities after a security policy violation</li>
</ul>
</li>
<li>Directive access control
<ul>
<li>Direct, confine, or control the actions of subjects to force or encourage compliance with security policies</li>
</ul>
</li>
<li>Compensating access control
<ul>
<li>Provides an alternative when it isn’t possible to use a primary control</li>
<li>Increase the effectiveness of a primary control</li>
</ul>
</li>
<li>Administrative access control
<ul>
<li>Policies and procedures</li>
</ul>
</li>
<li>Logical/technical controls
<ul>
<li>Hardware or software mechanisms</li>
</ul>
</li>
<li>Physical controls
<ul>
<li>Items you can physically touch</li>
</ul>
</li>
</ul>
<h4 id="comparing-identification-and-authentication">Comparing Identification and Authentication</h4>
<ul>
<li>Identification
<ul>
<li>The process of a subject claiming, or professing, an identity</li>
</ul>
</li>
<li>Authentication
<ul>
<li>Verifying the identity of the subject by comparing one or more factors against a database of valid identities</li>
</ul>
</li>
<li>Registration
<ul>
<li>When a user is first given an identity</li>
</ul>
</li>
<li>Authorization
<ul>
<li>Access to objects based on proven identities</li>
<li>Indicates who is trusted to perform specific operations</li>
</ul>
</li>
<li>Accountability
<ul>
<li>Auditing is implemented</li>
<li>The process of tracking and recording subject activities within logs</li>
<li>Relies on effective identification and authentication, but does not require effective authorization</li>
</ul>
</li>
</ul>
<h4 id="authentication-factors">Authentication Factors</h4>
<ul>
<li>Type 1
<ul>
<li>Something you <em>know</em></li>
<li>Ex: password, PIN</li>
</ul>
</li>
<li>Type 2
<ul>
<li>Something you <em>have</em></li>
<li>Ex: token, phone, smartcard</li>
</ul>
</li>
<li>Type 3
<ul>
<li>Something you <em>are</em></li>
<li>Ex: Fingerprint, retina scan</li>
</ul>
</li>
<li>Context-aware authentication
<ul>
<li>Based on location, time of day, mobile device</li>
<li>May implement a geo-fence so resources are only available on some devices if the device is in a specific place</li>
<li>Detecting impossible travel</li>
</ul>
</li>
<li>Passwords
<ul>
<li>Type 1</li>
<li>A static password stays the same for a length of time</li>
<li>Weakest form of authentication</li>
<li>Creating strong passwords
<ul>
<li>Max age</li>
<li>Complexity</li>
<li>Length</li>
<li>History</li>
</ul>
</li>
<li>Passphrases are more effective
<ul>
<li>Longer strings of characters made up of multiple words</li>
</ul>
</li>
<li>NIST 800-63B suggests comparing a user’s password against a list of commonly known simple passwords and rejecting the commonly known passwords</li>
</ul>
</li>
<li>Cognitive passwords
<ul>
<li>Challenge questions</li>
<li>Ex: What is your birth date? What is the name of your first pet?</li>
<li>Answers are commonly available on the internet</li>
</ul>
</li>
<li>Smartcards
<ul>
<li>Type 2</li>
<li>Certificates are used for asymmetric crypto like encrypting data or signing email</li>
</ul>
</li>
<li>Tokens
<ul>
<li>Type 2</li>
<li>Password-generating devices</li>
<li>Synchronous dynamic passwords
<ul>
<li>Time based, synchronized with an authentication server</li>
</ul>
</li>
<li>Asynchronous dynamic passwords
<ul>
<li>Does not use a clock</li>
<li>Based on an algorithm and an incrementing counter</li>
</ul>
</li>
</ul>
</li>
<li>Biometrics
<ul>
<li>Type 3</li>
<li>Using a biometric factor instead of a username requires a one-to-many search
<ul>
<li>Capturing a single image of a person and searching a database of many people looking for a match</li>
</ul>
</li>
<li>Using a biometric factor as an authentication technique requires a one-to-one match
<ul>
<li>The user claims an identity and the biometric factor is checked to see if the person matches the claimed identity</li>
</ul>
</li>
<li>Retina scans
<ul>
<li>Pattern of blood vessels at the back of the eye</li>
<li>Most accurate</li>
</ul>
</li>
<li>Iris scan
<ul>
<li>Second-most accurate</li>
</ul>
</li>
<li>Palm scans
<ul>
<li>Measure vein patterns in the palm</li>
</ul>
</li>
<li>Hand geometry
<ul>
<li>Physical dimensions of the hand</li>
</ul>
</li>
<li>Signature dynamics
<ul>
<li>Writes a string of characters</li>
</ul>
</li>
<li>Keystroke patterns
<ul>
<li>How the subject uses a keyboard</li>
</ul>
</li>
</ul>
</li>
<li>Biometric Factor Error Ratings
<ul>
<li>False rejection rates
<ul>
<li>Type I error</li>
</ul>
</li>
<li>False acceptance rates
<ul>
<li>Type II error</li>
</ul>
</li>
<li>Crossover error rate (CER)
<ul>
<li>Where false rejection and false acceptance percentages are equal</li>
<li>Related to sensitivity of scan/detection</li>
</ul>
</li>
</ul>
</li>
<li>Biometric registration
<ul>
<li>Enrollment</li>
<li>A subject’s biometric factor is sampled and stored in a database</li>
<li>Known as a reference template/profile</li>
</ul>
</li>
</ul>
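<p>The biometric error ratings above, worked through in code as an added example that is not from the study guide. Given match scores for genuine users and for impostors, it computes the false rejection rate (Type I) and false acceptance rate (Type II) at any sensitivity threshold, then sweeps the threshold to find the crossover error rate. The scores are constructed so that the two populations overlap, which is what makes the trade-off real; they are not from any sensor.</p>

```python
"""False rejection (Type I), false acceptance (Type II) and the crossover
error rate (CER) from match scores. Added example; the scores are
constructed, not from any real sensor."""
from typing import List, Tuple

# Constructed similarity scores (0-100) between a live sample and the enrolled
# reference template. Genuine = same person, impostor = someone else.
GENUINE: List[int] = [92, 88, 85, 81, 79, 76, 74, 70, 58, 52]
IMPOSTOR: List[int] = [66, 60, 55, 50, 47, 45, 41, 38, 35, 30]


def error_rates(threshold: int, genuine=GENUINE, impostor=IMPOSTOR) -> Tuple[float, float]:
    """(FRR, FAR) at a threshold: a sample is accepted when score >= threshold."""
    frr = sum(s < threshold for s in genuine) / len(genuine)     # Type I: legitimate user rejected
    far = sum(s >= threshold for s in impostor) / len(impostor)  # Type II: impostor accepted
    return frr, far


def crossover(genuine=GENUINE, impostor=IMPOSTOR) -> Tuple[int, float]:
    """Sweep the sensitivity setting and return (threshold, CER) at the point
    where FRR and FAR are closest; the lowest such threshold wins a tie."""
    best = None
    for t in range(0, 101):
        frr, far = error_rates(t, genuine, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    return best[1], best[2]


if __name__ == "__main__":
    for t in (40, 59, 80):
        frr, far = error_rates(t)
        print(f"threshold {t:3d}: FRR={frr:.1f} FAR={far:.1f}")
    print("crossover (threshold, CER):", crossover())
```

<p>Raising the threshold makes the sensor stricter: FAR drops to zero but FRR climbs, which is the setting a high-security door wants. Lowering it does the reverse. The CER is the single number vendors quote because it summarizes the curve independently of where a given deployment chooses to sit on it.</p>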
<h4 id="multifactor-authentication">Multifactor Authentication</h4>
<ul>
<li>Must use multiple types/factors such as “something you know” and “something you have”</li>
<li>Ex: Typing in a password (something you know), and then entering a synchronous dynamic password from a token (something you have)</li>
</ul>
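<p>The synchronous and asynchronous token passwords described under Authentication Factors, and used as the "something you have" factor in the MFA example above, are HOTP (RFC 4226) and TOTP (RFC 6238). The following added example (not from the study guide) implements both with the standard library, plus the two server-side checks that matter in practice: a clock-drift window for TOTP and a look-ahead window with replay rejection for HOTP. <code class="language-plaintext highlighter-rouge">SECRET</code> is the published RFC test-vector key, not a real seed.</p>

```python
"""Asynchronous (counter-based, HOTP) and synchronous (time-based, TOTP)
dynamic passwords. Added example implementing RFC 4226 and RFC 6238 with the
standard library; SECRET is the RFC test-vector key, not a real seed."""
import hashlib
import hmac
import struct
import time

SECRET = b"12345678901234567890"  # RFC 4226 / RFC 6238 test-vector secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Asynchronous dynamic password: HMAC-SHA1 over an 8-byte counter,
    dynamically truncated to `digits` decimal digits (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: float = None, step: int = 30, digits: int = 6) -> str:
    """Synchronous dynamic password: HOTP whose counter is the number of
    `step`-second intervals since the Unix epoch, so token and server stay
    in sync by clock rather than by counting (RFC 6238)."""
    t = time.time() if at is None else at
    return hotp(secret, int(t // step), digits)


def verify_totp(secret: bytes, code: str, at: float = None, window: int = 1) -> bool:
    """Server side: accept the current step or +/- `window` steps of clock drift."""
    t = time.time() if at is None else at
    counter = int(t // 30)
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def verify_hotp(secret: bytes, code: str, last_counter: int, look_ahead: int = 5):
    """Server side for counter tokens: the token may have advanced past the
    server (button pressed, login abandoned), so search a small look-ahead
    window. Returns the counter to store on success, or None. Counters at or
    below last_counter are never accepted, which blocks replay of a used code."""
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, c), code):
            return c
    return None


if __name__ == "__main__":
    print("HOTP counters 0-3:", [hotp(SECRET, c) for c in range(4)])
    print("TOTP at T=59 (8 digits):", totp(SECRET, at=59, digits=8))
    print("current TOTP:", totp(SECRET))
```

<p>The asynchronous token has no clock, so the server has to tolerate the counter running ahead; the synchronous token has no counter, so the server has to tolerate the clock running a little off. Both windows are small on purpose: every extra step the server accepts is another valid code an attacker could guess.</p>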
<h4 id="device-authentication">Device Authentication</h4>
<ul>
<li>Users can register their devices</li>
<li>SecureAuth Identity provider (IdP)</li>
<li>802.1x</li>
</ul>
<h4 id="implementing-identity-management">Implementing Identity Management</h4>
<ul>
<li>Single sign on
<ul>
<li>Centralized access control</li>
<li>Allows a subject to be authenticated once on a system and to have access to multiple resources without authenticating again</li>
</ul>
</li>
<li>LDAP and centralized access control
<ul>
<li>Directory service</li>
</ul>
</li>
<li>LDAP and PKIs
<ul>
<li>LDAP and centralized access control systems can be used to support single sign on capabilities</li>
</ul>
</li>
<li>Kerberos
<ul>
<li>Key distribution center
<ul>
<li>KDC</li>
<li>Trusted third party that provides authentication services</li>
</ul>
</li>
<li>Kerberos authentication server
<ul>
<li>Authentication service verifies or rejects the authenticity and timeliness of tickets</li>
<li>KDC</li>
</ul>
</li>
<li>Ticket granting ticket
<ul>
<li>TGT</li>
<li>Provides proof that a subject has authenticated through a KDC and is authorized to request tickets to access other objects</li>
</ul>
</li>
<li>Ticket
<ul>
<li>Encrypted message that provides proof that a subject is authorized to access an object</li>
<li>Sometimes called a Service Ticket (ST)</li>
</ul>
</li>
<li>Know these processes</li>
<li>The Kerberos login process
<ol>
<li>User types a username and password into a client</li>
<li>The client encrypts the username with AES for transmission to the KDC</li>
<li>The KDC verifies the username against a database of known credentials</li>
<li>The KDC generates a symmetric key that will be used by the client and the Kerberos server, encrypts it with a hash of the user’s password, and generates a time-stamped TGT</li>
<li>The KDC transmits the encrypted symmetric key and the encrypted time-stamped TGT to the client</li>
<li>The client installs the TGT for use until it expires and decrypts the symmetric key using a hash of the user’s password</li>
</ol>
</li>
<li>The Kerberos ticket request steps
<ol>
<li>The client sends its TGT back to the KDC with a request for access to the resource</li>
<li>The KDC verifies that the TGT is valid and checks its access control matrix to verify that the user has sufficient privileges to access the requested resource</li>
<li>The KDC generates a service ticket and sends it to the client</li>
<li>The client sends the ticket to the server or service hosting the resource</li>
<li>The server or service hosting the resource verifies the validity of the ticket with the KDC</li>
<li>Once identity and authorization is verified, Kerberos activity is complete, and a session is opened</li>
</ol>
</li>
</ul>
</li>
</ul>
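<p>The login and ticket request steps above, simulated end to end as an added example that is not part of these notes or the study guide: a SHA-256/HMAC seal stands in for AES, the user database, service key and access control matrix are constructed, and ticket expiry is checked against a simulated clock.</p>

```python
"""Simplified Kerberos-style login and ticket request. Added example, not from the study guide:
a SHA-256/HMAC seal stands in for AES, the credential database, service keys and access control
matrix are constructed sample data, and 'now' is a simulated clock so ticket expiry is testable."""
import hashlib
import hmac
import json
import os
import secrets

TICKET_LIFETIME = 600  # seconds a TGT or service ticket stays valid (constructed value)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Authenticated-encryption stand-in for AES: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Return the plaintext, or raise ValueError when the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def password_key(password: str) -> bytes:
    # The user's long-term key is derived from the password: the 'hash of the user's password'.
    return hashlib.sha256(password.encode()).digest()


def _claims(user: str, key: bytes, now: int) -> bytes:
    return json.dumps({"user": user, "key": key.hex(), "expires": now + TICKET_LIFETIME}).encode()


class KDC:
    """Key distribution center: authentication server and ticket-granting server in one."""

    def __init__(self, users: dict, service_keys: dict, acl: dict):
        self.master_key = secrets.token_bytes(32)  # only the KDC can read the TGTs it seals
        self.users = {u: password_key(p) for u, p in users.items()}
        self.service_keys = service_keys          # service -> key shared with that service
        self.acl = acl                            # access control matrix: user -> services

    def login(self, username: str, now: int):
        """Login steps 3-5: check the principal, mint a session key and a time-stamped TGT."""
        if username not in self.users:
            raise PermissionError("unknown principal")
        session_key = secrets.token_bytes(32)
        tgt = seal(self.master_key, _claims(username, session_key, now))
        return seal(self.users[username], session_key), tgt

    def request_ticket(self, tgt: bytes, service: str, now: int):
        """Ticket request steps 2-3: validate the TGT, check authorization, issue a service ticket."""
        claims = json.loads(open_sealed(self.master_key, tgt))
        if now >= claims["expires"]:
            raise PermissionError("TGT expired")
        if service not in self.acl.get(claims["user"], set()):
            raise PermissionError("user not authorized for service")
        service_key = secrets.token_bytes(32)
        ticket = seal(self.service_keys[service], _claims(claims["user"], service_key, now))
        return seal(bytes.fromhex(claims["key"]), service_key), ticket


class Client:
    def __init__(self, kdc: KDC, username: str, password: str):
        self.kdc, self.username, self.user_key = kdc, username, password_key(password)
        self.session_key = self.tgt = None

    def login(self, now: int) -> None:
        """Login step 6: only the right password unwraps the session key, otherwise ValueError."""
        wrapped, self.tgt = self.kdc.login(self.username, now)
        self.session_key = open_sealed(self.user_key, wrapped)

    def get_ticket(self, service: str, now: int):
        wrapped, ticket = self.kdc.request_ticket(self.tgt, service, now)
        return open_sealed(self.session_key, wrapped), ticket


class Service:
    """Resource server; it validates tickets with the key it shares with the KDC."""

    def __init__(self, key: bytes):
        self.key = key

    def open_session(self, ticket: bytes, now: int) -> str:
        claims = json.loads(open_sealed(self.key, ticket))
        if now >= claims["expires"]:
            raise PermissionError("service ticket expired")
        return claims["user"]  # identity and authorization verified, so the session opens
```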
<h4 id="federated-identity-management-and-sso">Federated Identity Management and SSO</h4>
<ul>
<li>Single sign on
<ul>
<li>AKA SSO</li>
</ul>
</li>
<li>Security Assertion Markup Language
<ul>
<li>SAML</li>
<li>An XML-based language that is commonly used to exchange authentication and authorization (AA) information between federated organizations</li>
</ul>
</li>
<li>OAuth 2.0
<ul>
<li>Open standard used for access delegation</li>
</ul>
</li>
<li>Scripted access
<ul>
<li>Automated process to transmit logon credentials at the start of a logon session</li>
</ul>
</li>
<li>Credential management system
<ul>
<li>Storage space for users to keep their credentials when SSO isn’t available</li>
</ul>
</li>
<li>Integrating identity services
<ul>
<li>IDaaS
<ul>
<li>Identity as a service</li>
<li>A third party service that provides identity and access management</li>
</ul>
</li>
</ul>
</li>
<li>AAA Protocols
<ul>
<li>Identification</li>
<li>Authentication</li>
<li>Authorization</li>
<li>Accountability</li>
</ul>
</li>
<li>RADIUS
<ul>
<li>Remote Authentication Dial-In User Service</li>
<li>Centralizes authentication for remote connections</li>
</ul>
</li>
<li>TACACS+
<ul>
<li>Terminal Access Controller Access-Control System</li>
<li>An alternative to RADIUS</li>
<li>The <code class="language-plaintext highlighter-rouge">+</code> denotes enhancements over the original TACACS: AAA services are moved into separate processes, and all authentication information is encrypted</li>
<li>RADIUS only encrypts the password</li>
</ul>
</li>
<li>Diameter
<ul>
<li>An enhanced version of RADIUS</li>
</ul>
</li>
</ul>
<h4 id="managing-the-identity-and-access-provisioning-lifecycle">Managing the Identity and Access Provisioning Lifecycle</h4>
<ul>
<li>Refers to the creation, management, and deletion of accounts</li>
<li>Provisioning
<ul>
<li>Creation of new accounts and provisioning them with appropriate privileges</li>
<li>Initial creation is called enrollment or registration</li>
<li>Should include a background check</li>
<li>Many organizations use automated provisioning systems</li>
</ul>
</li>
<li>Account review
<ul>
<li>Periodically ensure that security policies are being enforced</li>
<li>Check for inactive accounts</li>
<li>Excessive privilege
<ul>
<li>When users have more privileges than their assigned work tasks dictate</li>
</ul>
</li>
<li>Creeping privileges
<ul>
<li>A user account accumulating privileges over time as job roles and assigned tasks change</li>
</ul>
</li>
<li>Excessive and creeping privileges violate the principle of least privilege</li>
</ul>
</li>
<li>Account revocation
<ul>
<li>Disable user accounts as soon as possible when employees leave the organization</li>
<li>HR personnel should have the ability to perform this task</li>
</ul>
</li>
</ul>
thmsrynr
CISSP Study Notes Chapter 11 - Secure Network Architecture and Securing Network Components
2020-09-30T07:30:00-07:00
https://thomasrayner.ca/cissp-study-notes-ch11
<p>Chapter 11 goes over a lot of networking topics including the OSI and TCP/IP models, IP networking, multilayer protocols, converged protocols, software-defined networks, wireless networks, and a whole bunch of hardware items.</p>
<h2 id="previous-chapters">Previous Chapters</h2>
<ul>
<li><a href="/cissp-study-notes-ch1">Chapter 1: Security Governance Through Principles and Policies</a></li>
<li><a href="/cissp-study-notes-ch2">Chapter 2: Personnel Security and Risk Management Concepts</a></li>
<li><a href="/cissp-study-notes-ch3">Chapter 3: Business Continuity Planning</a></li>
<li><a href="/cissp-study-notes-ch4">Chapter 4: Laws, Regulations, and Compliance</a></li>
<li><a href="/cissp-study-notes-ch5">Chapter 5: Protecting Security of Assets</a></li>
<li><a href="/cissp-study-notes-ch6">Chapter 6: Cryptography and Symmetric Key Algorithms</a></li>
<li><a href="/cissp-study-notes-ch7">Chapter 7: PKI and Cryptographic Applications</a></li>
<li><a href="/cissp-study-notes-ch8">Chapter 8: Principles of Security, Models, Design, and Capabilities</a></li>
<li><a href="/cissp-study-notes-ch9">Chapter 9: Security Vulnerabilities, Threats, and Countermeasures</a></li>
<li><a href="/cissp-study-notes-ch10">Chapter 10: Physical Security Requirements</a></li>
</ul>
<h2 id="chapter-11-secure-network-architecture-and-securing-network-components">Chapter 11: Secure Network Architecture and Securing Network Components</h2>
<h3 id="my-key-takeaways-and-crucial-points">My key takeaways and crucial points</h3>
<h4 id="osi-model">OSI Model</h4>
<ul>
<li>Know the different levels of the OSI model in order
<ul>
<li>Application (7)</li>
<li>Presentation</li>
<li>Session</li>
<li>Transport</li>
<li>Network</li>
<li>Data Link</li>
<li>Physical (1)</li>
<li>Come up with a mnemonic device to remember them if you have to - All People Seem To Need Data Processing, for instance</li>
</ul>
</li>
<li><em>Encapsulation/Deencapsulation</em> - The addition of a header (and possibly a footer) to the data each layer receives from the layer above it before handing it to the layer below; on the receiving end those headers and footers are removed in turn as the data flows back up the OSI model.</li>
<li>Pieces of data have different names at different points in the OSI model
<ul>
<li><em>Protocol data unit</em> - PDU. Application, presentation, session layer data units.</li>
<li><em>Segment</em> or <em>datagram</em> - Transport layer data units.</li>
<li><em>Packet</em> - Network layer.</li>
<li><em>Frame</em> - Data link layer.</li>
<li><em>Bits</em> - Physical layer.</li>
</ul>
</li>
</ul>
<h4 id="physical-layer">Physical Layer</h4>
<ul>
<li>Converts the frame into bits for transmission over the physical connection medium</li>
</ul>
<h4 id="data-link-layer">Data Link Layer</h4>
<ul>
<li>Formatting the packet from the network layer into the proper format for transmission</li>
<li>Ethernet - 802.3</li>
<li>Asynchronous Transfer Mode - ATM</li>
<li>Fiber Distributed Data Interface - FDDI</li>
<li>Address Resolution Protocol - ARP - Used to resolve IP addresses into MAC addresses</li>
<li>Layer 2 Tunneling Protocol - L2TP</li>
<li><em>Media Access Control address</em> - MAC address, 48-bit binary address that identifies a device
<ul>
<li>First 3 bytes of the address denotes the vendor or manufacturer of the physical network interface</li>
</ul>
</li>
<li>Data link layer has two sub-layers
<ul>
<li>Logical Link Control - LLC</li>
<li>MAC</li>
</ul>
</li>
</ul>
<h4 id="network-layer">Network Layer</h4>
<ul>
<li>Adding routing and addressing information to data</li>
<li>Internet Group Management Protocol (IGMP) - Multicast protocol</li>
<li>The three most recognized non-IP protocols are IPX, AppleTalk, and NetBEUI</li>
<li>Routers and bridge routers function at layer 3</li>
<li>Routing protocols
<ul>
<li><em>Distance vector</em> - keep a list of destination networks along with metrics of direction and distance measured in hops</li>
<li><em>Link state</em> - keep a topology map of all connected networks and use this map to determine the shortest path to a destination network</li>
</ul>
</li>
</ul>
<h4 id="transport-layer">Transport Layer</h4>
<ul>
<li>Manages the integrity of a connection and controls the session</li>
<li>Transmission Control Protocol - TCP</li>
<li>User Datagram Protocol - UDP</li>
<li>Secure Sockets Layer - SSL</li>
<li>Transport Layer Security - TLS</li>
</ul>
<h4 id="session-layer">Session Layer</h4>
<ul>
<li>Establishes, maintains, terminates communication sessions between two computers</li>
<li>Network File System - NFS</li>
<li>Structured Query Language - SQL</li>
<li>Remote Procedure Call - RPC</li>
<li>Simplex - One way communication</li>
<li>Half-Duplex - Two way communication, one direction at a time</li>
<li>Full-Duplex - Two way communication, two directions at the same time</li>
</ul>
<h4 id="presentation-layer">Presentation Layer</h4>
<ul>
<li>Transforms data from the application layer into a format that any system using the OSI model can understand</li>
<li>Images, video, sound, ASCII, JPEG, etc.</li>
</ul>
<h4 id="application-layer">Application Layer</h4>
<ul>
<li>Interfacing user applications, network services, or the OS with the protocol stack</li>
<li>The application is not located at this layer</li>
</ul>
<h4 id="tcpip-model">TCP/IP Model</h4>
<ul>
<li>AKA the DARPA or DOD model</li>
<li>Only has four layers
<ul>
<li>Application - aka Process, maps to OSI Application, Presentation, Session layers</li>
<li>Transport - aka Host-To-Host, maps to OSI Transport layer</li>
<li>Internet - aka Internetworking, maps to OSI Network layer</li>
<li>Link - aka Network Access, maps to OSI Data Link, Physical layers</li>
</ul>
</li>
<li>Can be secured using VPN - virtual private network
<ul>
<li>L2TP, SSH, SSL/TLS VPNs, IPSec</li>
<li><em>TCP wrappers</em> - Applications that can serve as a basic firewall by restricting access to ports and resources based on user IDs or system IDs</li>
</ul>
</li>
</ul>
<h4 id="transport-layer-protocols">Transport Layer Protocols</h4>
<ul>
<li>Ports 0 through 65535
<ul>
<li>Well known ports: 0 - 1023</li>
<li>Registered ports: 1024 - 49151</li>
<li>Random, dynamic, ephemeral ports: 49152 - 65535</li>
</ul>
</li>
<li><em>Transmission Control Protocol</em> - TCP
<ul>
<li>Connection oriented</li>
<li>Reliable sessions</li>
<li>Handshake process
<ul>
<li>Client sends a SYN packet to server</li>
<li>Server responds with SYN/ACK to client</li>
<li>Client responds with ACK to server</li>
</ul>
</li>
<li>Uses FIN packets to terminate connections</li>
<li>Uses ACK packets to confirm that data has been received</li>
<li>Uses RST packets to forcibly close connections</li>
<li>Uses a graceful 4 packet teardown
<ul>
<li>Each side sends a FIN</li>
<li>Each side ACKs the FIN sent by the other</li>
</ul>
</li>
<li>IP protocol header field value for TCP is 6</li>
</ul>
</li>
<li><em>User Datagram Protocol</em> - UDP
<ul>
<li>Connectionless, best effort</li>
<li>Considered unreliable</li>
</ul>
</li>
</ul>
<h4 id="network-layer-protocols-and-ip-networking-basics">Network Layer Protocols and IP Networking Basics</h4>
<ul>
<li>IP provides route addressing for data packets, provides a means of identity and prescribes transmission paths</li>
<li>IPv4 vs IPv6 - v4 uses 32 bit addresses, v6 uses 128 bits</li>
<li>IP classes</li>
</ul>
<table>
<thead>
<tr>
<th>Class</th>
<th>First binary digits</th>
<th>Decimal range of first octet</th>
<th>Default subnet mask</th>
<th>CIDR equivalent</th>
</tr>
</thead>
<tbody>
<tr>
<td>A</td>
<td>0</td>
<td>1-126</td>
<td>255.0.0.0</td>
<td>/8</td>
</tr>
<tr>
<td>B</td>
<td>10</td>
<td>128-191</td>
<td>255.255.0.0</td>
<td>/16</td>
</tr>
<tr>
<td>C</td>
<td>110</td>
<td>192-223</td>
<td>255.255.255.0</td>
<td>/24</td>
</tr>
<tr>
<td>D</td>
<td>1110</td>
<td>225-239</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>E</td>
<td>1111</td>
<td>240-255</td>
<td> </td>
<td> </td>
</tr>
</tbody>
</table>
<ul>
<li>The Class A network starting with 127 is set aside for loopback addresses</li>
<li><em>Classless Inter-Domain Routing</em> - CIDR, represents subnet mask as a slash and the number of mask bits instead of the full dotted-decimal mask notation</li>
<li><em>Internet Control Message Protocol</em> - ICMP
<ul>
<li>Used to determine the health of a network or link</li>
<li><em>Denial of service</em> - DoS, a type of attack sometimes associated with ICMP - specifically ping of death, smurf attacks, and ping floods</li>
<li>ICMP type field values
<ul>
<li>0 - Echo reply</li>
<li>3 - Destination unreachable</li>
<li>11 - Time exceeded</li>
</ul>
</li>
</ul>
</li>
<li><em>Internet Group Management Protocol</em> - IGMP, allows systems to support multicasting</li>
<li><em>Address Resolution Protocol</em> - ARP, used to resolve IP addresses into MAC addresses
<ul>
<li>Uses caching and broadcasting</li>
</ul>
</li>
</ul>
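<p>As an added example (not from these notes or the study guide), a helper that decides the class from the leading bits in the table rather than the decimal ranges, converts between dotted-decimal masks and CIDR prefix lengths, and flags the 127 loopback network; the addresses in it are constructed documentation-range values.</p>

```python
"""IPv4 classful addressing and CIDR helpers. Added example, not from the study guide:
the class is derived from the leading bits of the first octet (the table's second column),
and sample addresses are constructed documentation-range values."""
import ipaddress  # stdlib, used only to parse and format dotted-decimal values

# (class, leading bits), tested in order: the first matching prefix wins
CLASS_PREFIXES = (("A", "0"), ("B", "10"), ("C", "110"), ("D", "1110"), ("E", "1111"))
DEFAULT_PREFIX_LEN = {"A": 8, "B": 16, "C": 24}  # classes D and E have no default mask


def ipv4_class(addr: str) -> str:
    """Return the class letter by matching the first octet's leading bits."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    bits = format(first_octet, "08b")
    for cls, prefix in CLASS_PREFIXES:
        if bits.startswith(prefix):
            return cls
    raise AssertionError("every 8-bit pattern matches one of the prefixes above")


def prefix_to_mask(prefix_len: int) -> str:
    """CIDR prefix length -> dotted-decimal mask, e.g. 24 -> 255.255.255.0."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask))


def mask_to_prefix(mask: str) -> int:
    """Dotted-decimal mask -> CIDR prefix length; rejects masks whose 1 bits are not contiguous."""
    bits = format(int(ipaddress.IPv4Address(mask)), "032b")
    ones = bits.rstrip("0")
    if "0" in ones:
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return len(ones)


def describe(addr: str) -> dict:
    """Class, loopback flag, default mask, and the classful network in CIDR notation."""
    cls = ipv4_class(addr)
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    plen = DEFAULT_PREFIX_LEN.get(cls)
    info = {"class": cls, "loopback": first_octet == 127, "default_mask": None, "network": None}
    if plen is not None:
        network = ipaddress.IPv4Network(f"{addr}/{plen}", strict=False)
        info["default_mask"] = prefix_to_mask(plen)
        info["network"] = str(network)  # e.g. 10.0.0.0/8
    return info
```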
<h4 id="common-application-layer-protocols">Common Application Layer Protocols</h4>
<ul>
<li><em>Telnet</em> - TCP port 23, terminal emulation</li>
<li><em>File Transfer Protocol</em> - FTP TCP port 20 (passive data) and 21 (control connection) for exchanging files</li>
<li><em>Trivial File Transfer Protocol</em> - TCP TFTP port 69</li>
<li><em>Simple Mail Transfer Protocol</em> - SMTP TCP port 25, for transmitting email messages
<ul>
<li>POP3, TCP port 110</li>
<li>IMAP, TCP port 143</li>
</ul>
</li>
<li><em>Dynamic Host Configuration Protocol</em> - DHCP UDP port 67 & 68, used to assign IP addresses and configuration settings to systems on bootup</li>
<li><em>Hypertext Transfer Protocol</em> - HTTP TCP port 80, used to transmit web page elements</li>
<li><em>Secure Sockets Layer</em> - SSL TCP port 443, adds a security protocol at the Transport layer to HTTP (making it HTTPS)</li>
<li><em>Line Print Daemon</em> - LPD TCP port 515, spool print jobs</li>
<li><em>X Window</em> - TCP port 6000-6063, GUI API for CLI OS</li>
<li><em>Network File System</em> - NFS TCP port 2049</li>
<li><em>Simple Network Management Protocol</em> - SNMP UDP port 161, port 162 for trap messages, network service to collect network health and status information</li>
<li>DNS port 53</li>
<li>Kerberos port 88</li>
<li>L2TP port 1701</li>
<li>PPTP port 1723</li>
<li>RDP port 3389</li>
<li>TCP/IP is considered a <em>multilayer protocol</em> because it is made up of many different protocols spread across multiple layers of the stack</li>
</ul>
<h4 id="dnp3">DNP3</h4>
<ul>
<li>Distributed Network Protocol is primarily used in electric and water utility management industries</li>
<li>Used with SCADA</li>
</ul>
<h4 id="tcpip-vulnerabilities">TCP/IP Vulnerabilities</h4>
<ul>
<li>SYN flood attacks</li>
<li>Spoofing</li>
<li>Man in the middle</li>
<li>Hijack</li>
<li><em>Packet Sniffing</em> - Capturing packets from the network in hopes of extracting useful information from the contents of the packet</li>
</ul>
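<p>As an added example that is not part of these notes, a tracker that follows the three-way handshake, four-packet teardown and RST described under the Transport Layer Protocols above, and then reports sources with many half-open connections, which is what a SYN flood leaves behind on the server; the log format and addresses are constructed.</p>

```python
"""TCP connection tracking and half-open (SYN flood) detection over a constructed packet log.
Added example, not from the study guide: the 'src:port -> dst:port [FLAGS]' format and the
addresses are constructed; a real deployment would take the same fields from a packet capture."""
import re
from collections import defaultdict

LINE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) \[([A-Z,]+)\]$")


def parse_line(line: str):
    """Return ((src_ip, src_port), (dst_ip, dst_port), set_of_flags)."""
    m = LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    src, sport, dst, dport, flags = m.groups()
    return (src, int(sport)), (dst, int(dport)), set(flags.split(","))


class ConnectionTracker:
    """Follows the 3-way handshake, 4-packet teardown and RST per (client, server) pair."""

    def __init__(self):
        self.state = {}               # (client, server) -> state name
        self.fins = defaultdict(int)  # FINs seen per connection during teardown

    def _key(self, src, dst):
        if (src, dst) in self.state:
            return (src, dst)
        if (dst, src) in self.state:
            return (dst, src)
        return None

    def feed(self, line: str) -> None:
        src, dst, flags = parse_line(line)
        if "SYN" in flags and "ACK" not in flags:    # handshake step 1: client SYN
            self.state[(src, dst)] = "SYN_SENT"
            return
        key = self._key(src, dst)
        if key is None:
            return                                    # connection we never saw open
        if "RST" in flags:
            self.state[key] = "RESET"                 # forcible close
        elif "SYN" in flags:                          # step 2: server SYN/ACK
            if self.state[key] == "SYN_SENT":
                self.state[key] = "SYN_RECEIVED"
        elif "FIN" in flags:                          # teardown: each side sends a FIN
            self.fins[key] += 1
            self.state[key] = "CLOSING"
        elif "ACK" in flags:
            if self.state[key] == "SYN_RECEIVED":     # step 3: client ACK, handshake done
                self.state[key] = "ESTABLISHED"
            elif self.state[key] == "CLOSING" and self.fins[key] == 2:
                self.state[key] = "CLOSED"            # the second FIN is now ACKed

    def half_open(self):
        """Connections that never completed the final ACK of the handshake."""
        return [k for k, s in self.state.items() if s in ("SYN_SENT", "SYN_RECEIVED")]

    def syn_flood_suspects(self, threshold: int) -> dict:
        """Client IPs holding at least `threshold` half-open connections. Simplistic on
        purpose: a flood with spoofed sources needs a per-server-port backlog view instead."""
        per_source = defaultdict(int)
        for client, _server in self.half_open():
            per_source[client[0]] += 1
        return {ip: n for ip, n in per_source.items() if n >= threshold}


# Constructed sample: one clean connection, one reset, then a burst of SYNs left half-open.
SAMPLE_LOG = """\
203.0.113.5:51000 -> 192.0.2.10:80 [SYN]
192.0.2.10:80 -> 203.0.113.5:51000 [SYN,ACK]
203.0.113.5:51000 -> 192.0.2.10:80 [ACK]
203.0.113.5:51000 -> 192.0.2.10:80 [FIN,ACK]
192.0.2.10:80 -> 203.0.113.5:51000 [ACK]
192.0.2.10:80 -> 203.0.113.5:51000 [FIN,ACK]
203.0.113.5:51000 -> 192.0.2.10:80 [ACK]
203.0.113.8:52000 -> 192.0.2.10:22 [SYN]
192.0.2.10:22 -> 203.0.113.8:52000 [RST,ACK]
""" + "".join(
    f"198.51.100.9:{40000 + i} -> 192.0.2.10:80 [SYN]\n"
    f"192.0.2.10:80 -> 198.51.100.9:{40000 + i} [SYN,ACK]\n"
    for i in range(5)
)


def analyze(log_text: str) -> ConnectionTracker:
    """Feed every line of a log into a fresh tracker and return it for inspection."""
    tracker = ConnectionTracker()
    for line in log_text.splitlines():
        tracker.feed(line)
    return tracker
```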
<h4 id="domain-name-system-dns">Domain Name System (DNS)</h4>
<ul>
<li><em>Top level domain</em> - TLD, the <code class="language-plaintext highlighter-rouge">.ca</code> in www.thomasrayner.ca</li>
<li><em>Registered domain name</em> - The <code class="language-plaintext highlighter-rouge">thomasrayner</code> in www.thomasrayner.ca</li>
<li><em>Subdomain or hostname</em> - The <code class="language-plaintext highlighter-rouge">www</code> in www.thomasrayner.ca</li>
<li><em>Primary authoritative name server</em> - Hosts the original zone file for the domain</li>
<li><em>Secondary authoritative name server</em> - Used to host read-only copies of the zone file</li>
<li><em>Zone file</em> - Collection of <em>resource records</em> or details about the specific domain</li>
<li><em>DNSSEC</em> provides reliable authentication between devices during DNS operations</li>
<li><em>DNS Poisoning</em> - Falsifying the DNS information used by a client to reach a desired system
<ul>
<li>Involves attacking the real DNS server and placing incorrect information into its zone file</li>
</ul>
</li>
<li><em>Rogue DNS server</em> - AKA DNS Spoofing, Pharming</li>
<li><em>Pharming</em> - malicious redirection of a valid website’s URL or IP address to a fake website that hosts a false version of the original valid site</li>
<li><em>Domain hijacking</em> - Changing the registration of a domain name without the authorization of the valid owner</li>
</ul>
<h4 id="converged-protocols">Converged Protocols</h4>
<ul>
<li><em>Converged Protocols</em> - Merging of specialty protocols with standard protocols</li>
<li><em>Fibre Channel over Ethernet</em> - FCoE, for Storage Area Networks, or Network Attached Storage</li>
<li><em>Multiprotocol Label Switching</em> - MPLS, Directs data across a network based on short path labels rather than longer network addresses</li>
<li><em>Internet Small Computer System Interface</em> - iSCSI, Enables location independent file storage, transmission and retrieval over networks, low cost alternative to Fibre Channel</li>
<li><em>Voice over IP</em> - VoIP, Transports voice and/or data over a TCP/IP network</li>
<li><em>Software Defined Networking</em> - SDN, The complexity of a traditional network often forces an organization to stick with a single device vendor; SDN offers a new network design that is programmable from a central location</li>
</ul>
<h4 id="content-distribution-networks">Content Distribution Networks</h4>
<ul>
<li><em>Content Distribution Networks</em> - CDNs, a collection of resource services deployed in numerous data centers across the internet in order to provide low latency, high performance, and high availability of the hosted content</li>
</ul>
<h4 id="wireless-networks">Wireless Networks</h4>
<ul>
<li><em>Data emanation</em> - Transmission of data across electromagnetic signals</li>
<li>Emanations occur whenever electrons move</li>
</ul>
<h4 id="securing-wireless-access-points">Securing Wireless Access Points</h4>
<ul>
<li><em>Wireless cells</em> - Areas within a physical environment where a wireless device can connect to an access point</li>
<li>802.11 is the IEEE standard for wireless network communications
<ul>
<li>802.11i - Security standard</li>
</ul>
</li>
<li><em>Ad hoc mode</em> - Any two wireless devices can communicate without centralized control authority
<ul>
<li><em>Infrastructure mode</em> requires a wireless access point</li>
</ul>
</li>
<li><em>Stand alone mode</em> - When there is a wireless access point connecting clients to each other but not to any wired resources</li>
<li><em>Wired extension mode</em> - When access points act as a connection point to wired networks</li>
<li><em>Service Set Identifier</em> - SSID, the name of a wireless network when a WAP is used</li>
<li><em>Channels</em> - Subdivisions of wireless frequencies</li>
</ul>
<h4 id="securing-the-ssid">Securing the SSID</h4>
<ul>
<li>SSID is broadcast by the WAP using <em>beacon frames</em></li>
<li>Hiding the SSID is not true security, because it is easily discoverable</li>
<li><em>Site survey</em> - The process of investigating the presence, strength, and reach of WAPs deployed</li>
</ul>
<h4 id="wep">WEP</h4>
<ul>
<li><em>Wired Equivalent Privacy</em> - WEP</li>
<li>Uses a predefined shared secret key</li>
<li>Key is static and shared among all WAPs and devices</li>
<li>Was cracked almost as soon as it was released</li>
<li>Uses Rivest Cipher 4 (RC4)</li>
<li>Weaknesses: static common key, and poor implementation of IVs (initialization vectors)</li>
</ul>
<h4 id="wpa">WPA</h4>
<ul>
<li><em>WiFi Protected Access</em> - WPA</li>
<li>RSN - Robust Secure Network</li>
<li>Based on LEAP and Temporal Key Integrity Protocol (TKIP)</li>
<li>Use of a single static passphrase is the downfall of WPA</li>
<li>LEAP and TKIP encryption options are now crackable</li>
</ul>
<h4 id="wpa2">WPA2</h4>
<ul>
<li>Full 802.11i implementation</li>
<li>Based on AES encryption</li>
</ul>
<h4 id="8021xeap">802.1X/EAP</h4>
<ul>
<li>Standard port-based network access control, ensures that clients cannot communicate until proper authentication has taken place</li>
<li>Uses RADIUS or TACACS, certs, smart cards, etc.</li>
<li><em>Extensible Authentication Protocol</em> - EAP, not a specific mechanism of authentication</li>
</ul>
<h4 id="peap">PEAP</h4>
<ul>
<li>Protected Extensible Authentication Protocol</li>
<li>EAP methods within a TLS tunnel</li>
</ul>
<h4 id="leap">LEAP</h4>
<ul>
<li>Lightweight EAP</li>
<li>Cisco proprietary</li>
<li>Should be avoided when possible</li>
</ul>
<h4 id="mac-filter">MAC Filter</h4>
<ul>
<li>A list of authorized wireless client interface MAC addresses</li>
<li>Blocks access to nonauthorized devices</li>
</ul>
<h4 id="tkip">TKIP</h4>
<ul>
<li>Temporal Key Integrity Protocol</li>
<li>Improvements include a key-mixing function that combines the initialization vector with the secret root key before RC4 is used to perform encryption</li>
<li>Prevents replay attacks</li>
</ul>
<h4 id="antenna-types">Antenna Types</h4>
<ul>
<li><em>Omnidirectional</em> - Can send and receive signals in all directions</li>
<li><em>Directional</em> - Can send and receive in only one direction</li>
</ul>
<h4 id="wps">WPS</h4>
<ul>
<li>WiFi Protected Setup</li>
<li>Simplifies the effort involved with adding new clients to a well secured wireless network</li>
<li>Generally recommended to leave this turned off</li>
</ul>
<h4 id="captive-portals">Captive Portals</h4>
<ul>
<li>An authentication technique that redirects a newly connected wireless client to a portal access control page</li>
</ul>
<h4 id="general-wifi-security-procedure">General WiFi Security Procedure</h4>
<ul>
<li>Treat wireless as remote access</li>
<li>Treat wireless as external access</li>
</ul>
<h4 id="wireless-attacks">Wireless Attacks</h4>
<ul>
<li><em>War driving</em> - Looking for wireless networks they aren’t authorized to access</li>
<li><em>War chalking</em> - Physically marking an area with information about the presence of a wireless network</li>
<li><em>Replay</em> - Retransmission of captured communications</li>
<li><em>IV</em> - Initialization vector, a mathematical and crypto term for a random number, becomes a point of weakness when it’s too short, exchanged in plaintext, or selected improperly</li>
<li><em>Rogue access points</em> - May be planted by an employee for convenience, or by an attacker</li>
<li><em>Evil twin</em> - When a hacker operates a false access point that will automatically clone an access point based on a client’s request to connect
<ul>
<li>Eavesdrops on the wireless signal for reconnect requests, spoofs its identity, and offers a plaintext connection to the client</li>
</ul>
</li>
</ul>
<h4 id="secure-network-components">Secure Network Components</h4>
<ul>
<li><em>Intranet</em> - Private network, internal</li>
<li><em>Extranet</em> - Cross between internet and intranet</li>
<li><em>Demilitarized zone</em> - DMZ, extranet for public consumption</li>
<li><em>Network access control</em> - Controlling access to an environment
<ul>
<li>Prevent/reduce zero day attacks</li>
<li>Enforce security policy</li>
<li>Use identities to perform access control</li>
</ul>
</li>
<li>Firewalls filter traffic
<ul>
<li>Most effective against unrequested traffic and attempts to connect from outside the private network</li>
<li>Typically block viruses or malicious code</li>
<li>Static packet filtering firewalls filter traffic by examining message headers</li>
<li>Application gateway level firewalls are also called proxies, and are mechanisms that copy packets from one network to another</li>
<li>Circuit level gateway firewalls establish communication sessions between trusted partners</li>
<li>Stateful inspection firewalls, aka dynamic packet filtering, evaluate the state or the context of network traffic</li>
<li>Deep packet inspection firewalls filter the payload contents of a communication rather than only basing filtering on header values</li>
<li>Next gen firewalls are also composed of intrusion prevention systems, proxies, quality of service management, and more</li>
<li>Multihomed firewalls have at least two interfaces to filter traffic between two networks</li>
</ul>
</li>
</ul>
<h4 id="endpoint-security">Endpoint Security</h4>
<ul>
<li>Each individual device must maintain local security</li>
<li><em>Collision domain</em> - A group of networked systems in which two or more systems may transmit simultaneously, so their signals can collide</li>
<li><em>Broadcast domain</em> - A group of networked systems in which all members receive a broadcast signal when one member transmits it</li>
<li>Repeaters, concentrators, and amplifiers strengthen communication signals</li>
<li>Hubs are multiport repeaters</li>
<li>Modems are used for accessing the PSTN (public switched telephone network)</li>
<li>Bridges connect two networks together</li>
<li>Switches are intelligent hubs that know the addresses of systems connected to each outbound port
<ul>
<li>Can implement VLANs</li>
</ul>
</li>
<li>Routers control traffic flow on networks</li>
<li>Brouters are combinations of routers and bridges, and connect systems using the same protocols</li>
<li>Gateways connect networks that are using different network protocols</li>
<li>Proxies are a form of gateway that does not translate across protocols</li>
</ul>
<h4 id="cabling-wireless-topology-communications-and-transmission-media-technology">Cabling, Wireless, Topology, Communications, and Transmission Media Technology</h4>
<ul>
<li>Coaxial cable
<ul>
<li>10Base2 aka thinnet spans distances up to 185 meters and provides up to 10 Mbps</li>
<li>10Base5 aka thicknet spans up to 500 meters and provides 10 Mbps</li>
</ul>
</li>
<li>Broadband and baseband
<ul>
<li>Baseband cables can only transmit a single signal at a time</li>
<li>Broadband cables can transmit multiple signals simultaneously</li>
</ul>
</li>
<li>Twisted pair
<ul>
<li>STP (shielded)</li>
<li>UTP (unshielded)</li>
<li>Crosstalk occurs when data transmitted over one set of wires is picked up by another set of wires due to radiating electromagnetic fields produced by the electrical current</li>
<li>Cat 5 - 100 Mbps</li>
<li>Cat 6 - 1000 Mbps</li>
<li>Cat 5e is enhanced Cat 5 designed to protect against crosstalk</li>
</ul>
</li>
<li>Plenum cable is sheathed with special material that does not release toxic fumes when burned, must be used to comply with building codes</li>
</ul>
<h4 id="network-topologies">Network Topologies</h4>
<ul>
<li><em>Ring</em> - Each system is a point on a circle</li>
<li><em>Bus</em> - Trunk or backbone, linear or a tree</li>
<li><em>Star</em> - Centralized connection device</li>
<li><em>Mesh</em> - Using numerous paths to connect each system to all other systems</li>
</ul>
<h4 id="general-wireless-concepts">General Wireless Concepts</h4>
<ul>
<li>Spread spectrum means communication occurs over multiple frequencies</li>
<li>Orthogonal frequency division multiplexing
<ul>
<li>Modulated signals are perpendicular and thus do not cause interference with each other</li>
<li>Ultimately OFDM requires a smaller frequency set but offers greater data throughput</li>
</ul>
</li>
<li>Bluetooth (802.15)
<ul>
<li>Personal area network (PAN)</li>
<li>2.4 GHz frequencies</li>
<li><em>Bluejacking</em> - Allows an attacker to transmit short messages to your device</li>
<li><em>Bluesnarfing</em> - Allows hackers to connect with your devices without your knowledge</li>
<li><em>Bluebugging</em> - Remote control over the feature and functions of a Bluetooth device</li>
<li>Typically a range of 30 - 100 feet</li>
</ul>
</li>
<li>RFID
<ul>
<li>Radio frequency identification</li>
<li>Current generated in an antenna when placed in a magnetic field</li>
</ul>
</li>
<li>NFC
<ul>
<li>Near field communication</li>
<li>Derivative of RFID</li>
</ul>
</li>
<li>Mobile devices
<ul>
<li>Keep nonessential information off portable devices</li>
<li>Keep systems locked and encrypted when possible</li>
</ul>
</li>
</ul>
<h4 id="lan-technologies">LAN Technologies</h4>
<ul>
<li><em>Ethernet</em> - Shared media LAN technology
<ul>
<li>IEEE 802.3</li>
<li>Individual units of Ethernet data are called Frames</li>
</ul>
</li>
<li><em>Token Ring</em> - Token passing mechanism to control which system can transmit data over the network medium</li>
<li><em>Fiber distributed data interface</em> - FDDI, high speed token passing technology. Copper Distributed Data Interface uses twisted pair cables.</li>
<li>Digital signals are more reliable than analog signals over long distances or when interference is present</li>
<li><em>Synchronous communications</em> - Rely on timing or clocking mechanisms</li>
<li><em>Asynchronous communications</em> - Rely on a stop and start delimiter bit</li>
<li><em>Broadcast</em> - Communication to all recipients</li>
<li><em>Multicast</em> - Communication to multiple specific recipients</li>
<li><em>Unicast</em> - Communication to one specific recipient</li>
<li><em>Carrier sense multiple access</em> - CSMA
<ul>
<li>Controls access to shared LAN media; the two modes below differ in how they handle collisions</li>
<li><em>CA mode</em> (collision avoidance) is used on 802.11 wireless networks and AppleTalk, attempts to avoid collisions by granting only a single permission to communicate at a time</li>
<li><em>CD mode</em> (collision detection) is used by Ethernet networks and responds to collisions by having each member of a collision domain wait for a short but random period of time before starting over</li>
</ul>
</li>
</ul>
thmsrynr