Sari Greene Live Day1 (156 pages)
Uploaded by Martin Brown

Welcome to Day 1
CISSP Crash Course
August 27th and August 28th, 2019
Sari Greene, CISSP-ISSMP, CRISC, CISM, CISA
Sari Greene - Certifications
e: [email protected] t: @sari_greene
l: https://www.linkedin.com/in/sarigreene/
w: www.sarigreenegroup.com
Polling Question – Who are you?
o I’ve just begun studying for the CISSP exam.
o I am in the midst of studying for the CISSP exam.
o I am almost ready to take the CISSP exam.
o I am already a CISSP.
CISSP Crash Course Objectives
If you have just begun studying:
• Immersion into the eight (ISC)2 common body of knowledge (CBK) security
domains.
If you are in the midst of studying:
• Assess your strengths and weaknesses and perhaps modify your study plan.
If you are almost ready to take your exam:
• Reinforce your knowledge and fill in some gaps.
If you are already a CISSP:
• Enhance your skillset.
Certification Exam Outline
This course is based on the April 2018 examination objectives.
• ISC2 CISSP Exam Outline available for download at https://www.isc2.org/CISSP-Exam-Outline
• The number in the left-hand corner of each slide in this deck maps to an exam objective.
• Course slides are available in the “Resource List” window.
• This course is being recorded and will be available to you within 24-48 hours.
Comprehensive Study
This is a crash course and not a comprehensive course.
• My Complete CISSP 26+ hr. Video Course (2nd Edition) covers in detail every exam objective.
• My CISSP Exam Prep 7 hr. Video Course dives extra deep into challenging and/or unfamiliar topics.
Both are available to you on SafariBooksOnline!
Day 1 Crash Course Agenda
Segment 1: Domain 1 Security & Risk Management (85 minutes)
• Short break
Segment 2: Domain 2 Asset Security (30 minutes)
• Short break
Segment 3: Domain 3 Security Architecture and Engineering (85 minutes)
• Short break
Segment 4: Test Taking Strategies (10 minutes)
DAY 1 - Segment #1
Domain 1:
Security and Risk Management
Examination Average Weight 15%
Domain 1 Security & Risk Management
1.1 Understand and apply the concepts of confidentiality, integrity and availability
1.2 Evaluate and apply security governance principles
1.3 Determine compliance requirements
1.4 Understand legal and regulatory issues that pertain to information security in a global context
1.5 Understand, adhere to, and promote professional ethics
1.6 Develop, document, and implement policies, standards, procedures, and guidelines
1.7 Identify, analyze, and prioritize Business Continuity (BC) requirements
1.8 Contribute to and enforce personnel security policies and procedures
1.9 Understand and apply risk management concepts
1.10 Understand and apply threat modeling concepts and methodologies
1.11 Apply risk-based management concepts to the supply chain
1.12 Establish and maintain a security awareness, education, and training program
1.1 CIA Triad
(Diagram) The CIA triad: Confidentiality, Integrity, and Availability surrounding Information Security.
1.1 CIA Principles
Confidentiality is the principle that only authorized people,
processes, or systems have access to information and that
information must be protected from unauthorized disclosure.
Integrity is the principle that data and systems should be protected
from intentional, unauthorized, or accidental changes.
• Data integrity implies information is known to be good, and that the
information can be trusted as being complete, consistent, and accurate.
• System integrity implies that a system will work as it is intended to.
Availability is the principle that information and systems are
operating and accessible when needed.
1.1 5 Supporting A’s
• Accountability is the process of tracing actions to the source. In other words, who did what.
• Authentication is the positive identification of a person or system who is seeking access to information or to a system.
• Authorization is granting users and systems a predetermined level of access to resources.
• Accounting is the logging of access and uses of information resources.
• Assurance is the processes we use to develop confidence that our security measures are working as intended.
1.1 Cybersecurity
Cybersecurity expands the traditional application of information
security by recognizing that we can no longer look at protecting
an organization in isolation.
• We have to recognize that every organization is part of a larger digital
ecosystem. In our connected world, what one organization does or doesn't
do has a direct impact on others.
• Cybersecurity requires that we apply a global framework to the
fundamental principles of confidentiality, integrity, and availability.
1.2 Strategic Alignment
It's time to bury the myth that security is an IT issue!
• Every information security decision must be informed by organizational
goals and be in alignment with strategic objectives.
• When strategically aligned, security functions as a business enabler that
adds value.
1.2 Governance and Leadership
As applied to information security, governance is the
responsibility of leadership to:
• Determine and articulate the organization's desired state of security.
• Provide the strategic direction, resources, funding, and support to ensure
that the desired state of security is achieved and sustained.
1.2 Frameworks & Benchmarks
A framework is a logical structure. The intent of a framework is
to document and organize processes.
• Information security frameworks include ISO 27000 family, NIST
Cybersecurity Framework, and the HITRUST Common Security Framework.
A benchmark is intended to help an organization identify their
capabilities and compare those efforts to similar peers or
competitors.
• The CIS (Center for Internet Security) is the most widely accepted
information security configuration benchmark.
• https://www.cisecurity.org
1.2 Due Care and Due Diligence
Due care is the standard of care that a prudent person would
have exercised under the same or similar conditions.
• Actions taken by an organization to protect its stakeholders, investors,
employees, and customers from harm.
Due diligence is an investigation of a business or person
generally before entering into a contract.
• It is the care and caution a reasonable person would take.
1.3 Compliance
Organizations are responsible for complying with all local, state, federal and union laws and regulations.
• Consideration should be given to local customs, traditions, and practices (cultural, tribal, and religious).
Think global, obey local. Jurisdiction is related to location of data and systems (processing, transmission, storage).
• Privacy and security regulations (or lack of)
• Access of local governments to stored or transmitted data
• Attitudes toward “foreigners”
• Law enforcement jurisdiction
1.3 Legislative & Regulatory Compliance
Regulation – Focus
GLBA (U.S.) – Security and privacy of financial records
HIPAA (U.S.) – Security and privacy of medical records
FERPA (U.S.) – Security and privacy of student educational records
COPPA (U.S.) – Security and privacy related to the online collection and use of data for minors under 13
State – Data breach notification requirements (50 states, District of Columbia, Guam, Puerto Rico and the Virgin Islands); end-of-life destruction/disposal requirements (31 states and Puerto Rico); data protection requirements including encryption (growing number)
GDPR (EU) – Data protection for all individuals within the European Union. GDPR (General Data Protection Regulation, effective May 2018) also addresses the export of personal data outside of the EU, as well as web cookie inform-and-consent requirements
1.4 Intellectual Property Law
Element – Protection
Patents – Patents are designed to protect an invention. The invention must be novel, not obvious, and must provide some utility. A patentable invention must be something that can be produced.
Trademarks – A trademark is intended to protect recognizable names, icons, shapes, colors, sounds, or any combination used to represent a brand, product, service, or company.
Copyrights – A copyright covers the expression of an idea rather than the idea itself (which is protected by a patent).
Trade secrets – Trade secrets refer to proprietary business and technical information, processes, designs, or practices that are confidential and critical to a business. Trade secrets don't require any registration and remain the only legal control for IP that is to remain undisclosed.
1.4 Privacy
Privacy is the right of an individual to control the use of his
personal information.
• Personal information (PI, PII, NPPI) may include discrete information such
as a Social Security number, financial account number, password and PIN,
driver’s license number, passport number, medical record, educational
records, and biometric data.
• Personal information can also include, but is not limited to, shopping
habits, search engine queries, browsing history, email, pictures, location,
and GPS travel.
OECD Privacy Principles is the most commonly used framework
and is the foundation of global regulations.
• https://www.oecd.org
1.4 Security Incident vs. Data Breach
A security incident is an event or action that endangers the confidentiality, integrity, or availability of information or information systems.
• A data breach is when data is exfiltrated or extracted or there is a loss of
control. A data breach may trigger reporting and notification
requirements.
1.5 Professional Ethics
Organizational code of ethics (code of conduct).
Exercise (ISC)2 Code of Professional Ethics.
1.5 (ISC)2 Code of Ethics Canons
There are four mandatory canons in the Code:
• Protect society, the common good, necessary public trust and confidence,
and the infrastructure.
• Act honorably, honestly, justly, responsibly, and legally.
• Provide diligent and competent service to principals.
• Advance and protect the profession.
1.6 Governance Communication
(Diagram) Governance communication documents: Policy, Standard, Guidelines, Procedure, Agreement. Procedure formats: Simple Step, Hierarchical, Graphic, Flow Chart.
1.6 Information Security Policies
The objective of a policy is to communicate management’s
expectations and requirements with the objective of providing
direction.
• Information security policies codify the high-level requirements for
protecting information and information assets and ensuring confidentiality,
integrity, and availability.
• Every component of an information security program should have a
corresponding policy and standards.
• Written information security policies may be a regulatory or contractual
compliance requirement.
1.6 Standards, Baselines and Guidelines
Standards serve as specifications for the implementation of
policy and dictate mandatory requirements.
• Baselines are the aggregate of standards for a specific category or
grouping such as a platform, device type, ownership, or location.
• Guidelines help people understand and conform to a standard. Guidelines
are customized to the intended audience and are not mandatory.
1.6 Procedures
Procedures are instructions for how a policy, standard, baseline,
or guideline is carried out in a given situation. Procedures focus
on discrete actions or steps, with a specific starting and ending
point.
Four commonly used formats:
• Simple step
• Hierarchy
• Graphic
• Flowchart
1.7 Business Continuity
In its simplest form, business continuity is the capability of a
business to operate in adverse conditions.
The objective of business continuity planning is to prepare for
the continued operation of essential functions and services
during disruption of normal operating conditions.
To support this objective:
• Essential services and processes are identified.
• Threat scenarios are evaluated.
• Response, recovery, and contingency plans are developed.
• Strategies, plans, and procedures are tested.
1.7 Business Impact Analysis
The objective of a Business Impact Analysis (BIA) is to identify
essential services, systems, and infrastructure.
• Essential means that the absence of or disruption of services would result in
significant, irrecoverable, or irreparable harm to the organization,
employees, business partners, constituents, community, or country.

A Business Impact Analysis (BIA) is used by management to:
• make investment decisions.
• prioritize resources.
• guide the development of incident response, disaster recovery, and business contingency (continuity) plans.
1.7 Fundamental BIA Questions
The BIA process should answer the following questions.
• What is the organization’s essential business process?
• What is the impact of a disruption (e.g. life, property, safety, finance, reputation)?
• What are the related resources and dependencies (including single point of
failure)?
• What are the process, system, and data recovery requirements?

The outcome of BIA is a prioritized matrix of services, systems, and infrastructure.
1.7 Business Impact Metrics
Abbr. – Metric – Definition
MTD – Maximum Tolerable Downtime (also MTO, Maximum Tolerable Outage) – Maximum time a process/service can be unavailable without causing significant harm to the business
RTO – Recovery Time Objective – Amount of time allocated for system recovery; must be less than the maximum amount of time a system resource can be unavailable before there is an unacceptable impact on other system resources or business process
RPO – Recovery Point Objective – Acceptable data loss; the point in time, prior to a disruption or system outage, that data can be recovered
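The three metrics become useful once they are collected per service and turned into the prioritized matrix the BIA is meant to produce. The following Python is an added example, not part of the course slides: it ranks constructed sample services by MTD (shortest tolerable downtime first, smallest RPO as tie-break) and flags the one constraint the slide states, that an RTO must be less than the MTD. Service names and hour values are constructed for illustration.

```python
"""Prioritized BIA matrix from MTD/MTO, RTO and RPO.

Added example for the course slide on business impact metrics; the services
and hour values below are constructed, not taken from the slides.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class BiaEntry:
    service: str
    mtd_hours: float  # Maximum Tolerable Downtime (a.k.a. MTO)
    rto_hours: float  # Recovery Time Objective: time allocated for recovery
    rpo_hours: float  # Recovery Point Objective: acceptable data loss, as hours of data


def validate(entry: BiaEntry) -> List[str]:
    """Return constraint violations for one entry (empty list when it is consistent).

    The slide's rule: the RTO must be less than the maximum time the resource
    can be unavailable (the MTD). Negative values are rejected as data-entry errors.
    """
    problems: List[str] = []
    for name, value in (("MTD", entry.mtd_hours), ("RTO", entry.rto_hours), ("RPO", entry.rpo_hours)):
        if value < 0:
            problems.append(f"{entry.service}: {name} cannot be negative ({value})")
    if entry.rto_hours >= entry.mtd_hours:
        problems.append(
            f"{entry.service}: RTO {entry.rto_hours}h must be less than MTD {entry.mtd_hours}h"
        )
    return problems


def prioritize(entries: List[BiaEntry]) -> List[BiaEntry]:
    """Order by recovery priority: shortest MTD first, then smallest RPO, then name."""
    return sorted(entries, key=lambda e: (e.mtd_hours, e.rpo_hours, e.service))


def build_matrix(entries: List[BiaEntry]) -> Tuple[List[str], List[str]]:
    """Return (service names in priority order, list of constraint violations)."""
    violations = [problem for entry in entries for problem in validate(entry)]
    ranked = [entry.service for entry in prioritize(entries)]
    return ranked, violations


# Constructed sample input; the "order database" row deliberately violates RTO < MTD.
SAMPLE = [
    BiaEntry("e-commerce storefront", mtd_hours=4, rto_hours=2, rpo_hours=0.25),
    BiaEntry("payroll", mtd_hours=72, rto_hours=24, rpo_hours=24),
    BiaEntry("internal wiki", mtd_hours=168, rto_hours=48, rpo_hours=24),
    BiaEntry("order database", mtd_hours=4, rto_hours=6, rpo_hours=0.25),
]

if __name__ == "__main__":
    ranked, violations = build_matrix(SAMPLE)
    for rank, service in enumerate(ranked, start=1):
        print(f"{rank}. {service}")
    for problem in violations:
        print("WARNING:", problem)
```

Sorting on MTD first mirrors the slide's definition: the service that can tolerate the least downtime is recovered first, and a row whose RTO is not below its MTD is a planning gap to resolve before the matrix is signed off.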
1.8 Employee Lifecycle (very simplified)
(Diagram) Employee lifecycle: Hiring Process → Onboarding → Employment → Offboarding.
1.8 User Security Controls
Control – Description
Policy/Agreements – Confidentiality Agreement, Acceptable Use Policy and Agreement (AUP)
Training – Ongoing education, training, and awareness programs
Job Rotation – Rotating assignments
Mandatory Vacation – Requiring employees to take a set amount of vacation time
Separation of Duties / Segregation of Duties – Breaking a task into processes so that no one subject is in complete control
Dual Control – Requiring more than one subject or key to complete a specific task
Clean Desk – Requirement to never leave confidential data (paper, monitor, whiteboard) unattended or within view of unauthorized personnel
Personnel Agreements
Agreement – Objective
Confidentiality / Non-disclosure (NDA) – Protect data from unauthorized disclosure
• Establish data ownership
• Protect information from disclosure
• Prevent forfeiture of patent rights
• Define handling standards including disposal
Acceptable Use Policy (AUP) Agreement – Set forth proper use of information systems, handling standards, monitoring, violation consequences, and privacy expectations
• An AUP should be written in language that can be easily and unequivocally understood
• By signing the associated agreement, the user acknowledges, understands, and agrees to the stated rules and obligations
1.8 Third-Party Relationships
Third parties include vendors, service providers, business
partners, consultants, and contractors.
Third-party oversight activities include (but are not limited to):
• Conducting a due diligence investigation related to service provider selection
and subsequent business activities
• Conducting a risk assessment to ensure that the relationship is consistent
with the overall business strategy
• Requiring nondisclosure agreements
• Codifying service relationships
• Monitoring the service provider through appropriate audits and tests
• Coordinating incident response protocols and contractual notification
• Reviewing on a scheduled basis third-party arrangement’s performance and
adherence to contractual obligations
1.8 Third-party Agreements
Agreement Type – Objective
Confidentiality / Non-disclosure (NDA) – Protects data from unauthorized disclosure
Service Level Agreement (SLA) – Codifies service and support requirements
Interconnection Security Agreement (ISA) – Documents technical requirements
Memorandum of Understanding (MOU), also known as a MOA – Cooperative agreement, often a pre-contract placeholder
Business Associate Agreement (BAA) – HIPAA related agreement to protect personal health information (PHI)
Business Partner Agreement (BPA) – Business relationship contract
1.9 Risk
Risk is defined as uncertainty of outcome, whether positive opportunity or negative threat, of actions and events.
• Risk assessment evaluates the combination of the likelihood of occurrence and the adverse impact if the circumstance or event occurs.
• Risk appetite is the level of risk that an organization is comfortable with.
• Risk tolerance is acceptable variation in outcomes related to specific performance measures.
• Risk management implies that actions are being taken to either mitigate the impact of an undesirable or unfavorable outcome and/or enhance the likelihood of a positive outcome (in line with the risk appetite).
1.9 Risk Assessment Approaches
Type – Description
Qualitative – Qualitative risk assessments use descriptive terminology such as high, medium, and low or normal, elevated, and severe
Quantitative – Quantitative risk assessments assign numeric and monetary values to all elements of the assessment
Key elements of both are likelihood of occurrence and impact
1.9 Risk Assessment Workflow
(Flow diagram)
1. Determine the risk assessment approach (quantitative, qualitative, hybrid)
2. Identify the inherent risk based on relevant threats and related vulnerabilities
3. Assess the impact if the threat source was successful
4. Assess the likelihood of occurrence, taking into consideration the control environment
5. Identify applicable controls and their effectiveness
6. Determine the level of residual risk
1.9 Quantitative Risk Assessment Elements
Quantitative risk assessment elements include:
• Asset value (AV) expressed in $.
• Exposure factor (EF) expressed as a %.
• Single loss expectancy (SLE) expressed in $.
• Annualized rate of occurrence (ARO) expressed as a #.
• Annualized loss expectancy (ALE) expressed in $.
1.9 Quantitative Formulas
Formulas – Example
SLE ($) = AV ($) x EF (%) – Single Loss Expectancy = Asset Value x Exposure Factor
Example: Revenue from one hour of e-commerce is $20,000 (AV). A DDoS attack could disrupt 85% (EF) of online activity. $20,000 (AV) * .85 (EF) = $17,000 (SLE). The cost of an hour of DDoS disruption is $17,000.
ALE ($) = SLE ($) x ARO (#) – Annualized Loss Expectancy = Single Loss Expectancy x Annualized Rate of Occurrence
Example: Single Loss Expectancy (for an hour of DDoS disruption) is $17,000. Based on the current threat and controls environment, it is expected that there will be 5 hours (ARO) of DDoS disruption per year. $17,000 (SLE) * 5 (ARO) = $85,000 (ALE)
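Worked in code, the two formulas and the slide's DDoS figures look like this. This is an added Python example, not from the course: it reproduces the slide's $17,000 SLE and $85,000 ALE, rejects an exposure factor passed as a percentage (85 instead of .85), which is the usual arithmetic slip, and goes one step past the slide to the residual ALE after a control and the control's net annual value (ALE before, minus ALE after, minus the annual control cost). The control figures (EF .20, ARO 2, $30,000 per year) are constructed.

```python
"""Quantitative risk arithmetic: SLE = AV x EF and ALE = SLE x ARO.

Added example for the course slide on quantitative formulas. The residual-ALE
and net-value steps extend the slide; the control figures are constructed.
"""
from __future__ import annotations

from typing import Dict


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE ($) = AV ($) x EF, with EF as a fraction in 0..1 (the slide's 85% is .85)."""
    if asset_value < 0:
        raise ValueError(f"asset value cannot be negative: {asset_value}")
    if not 0.0 <= exposure_factor <= 1.0:
        # Catches the common slip of passing 85 instead of .85, which would
        # inflate the SLE a hundredfold.
        raise ValueError(f"exposure factor must be a fraction between 0 and 1: {exposure_factor}")
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE ($) = SLE ($) x ARO, where ARO is expected occurrences per year.

    ARO may be fractional: an event expected once per decade has ARO 0.1.
    """
    if aro < 0:
        raise ValueError(f"annualized rate of occurrence cannot be negative: {aro}")
    return round(sle * aro, 2)


def slide_example() -> Dict[str, float]:
    """Reproduce the slide's DDoS figures: AV $20,000, EF 85%, ARO 5 per year."""
    sle = single_loss_expectancy(20_000, 0.85)
    ale = annualized_loss_expectancy(sle, 5)
    return {"sle": sle, "ale": ale}


def control_value(
    asset_value: float,
    ef_before: float,
    aro_before: float,
    ef_after: float,
    aro_after: float,
    annual_control_cost: float,
) -> Dict[str, float]:
    """Residual ALE after a control and the control's net annual value.

    Net value = ALE before - ALE after - annual cost of the control. This step
    is standard quantitative-risk practice, not something stated on the slide.
    """
    ale_before = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_before), aro_before)
    ale_after = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_after), aro_after)
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "net_value": round(ale_before - ale_after - annual_control_cost, 2),
    }


if __name__ == "__main__":
    print(slide_example())
    # Constructed control: a DDoS mitigation service at $30,000/yr that is assumed
    # to cut the exposure factor to 20% and the disruption hours to 2 per year.
    print(control_value(20_000, 0.85, 5, 0.20, 2, 30_000))
```

A positive net value means the control costs less per year than the loss it is expected to prevent; a negative one is the quantitative signal to look at a different treatment option (accept, transfer, or a cheaper mitigation).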
1.9 Risk Treatment Options
Option – Description
Ignore – Act as if the risk doesn’t exist
Avoid – Eliminate the cause or terminate the associated activity
Mitigate – Reduce the impact or likelihood by implementing controls or safeguards
Share – Spread the risk among multiple parties
Transfer – Assign the risk to another party via insurance or contractual agreement (subject to legal and regulatory constraints)
Accept – Acknowledge the risk and monitor it
1.9 Controls, Countermeasures, and Safeguards
A control (sometimes called the countermeasure or safeguard) is
a tactic, mechanism, or strategy that either:
• Reduces or eliminates a vulnerability (weakness).
• Reduces or eliminates the likelihood that a threat agent will be able to
exploit a vulnerability.
• Reduces or eliminates the impact of an exploit.
1.9 Control Classifications
Deterrent – Deterrent controls discourage a threat agent from acting.
Preventative – Preventative controls stop a threat agent from being successful.
Detective – Detective controls identify and report a threat agent, action, or incident.
Corrective – Corrective controls minimize the impact of a threat agent, or modify or fix a situation (recovery).
Note: A control can (and often does) have multiple classifications depending upon context
Compensating – Compensating controls are alternate controls designed to accomplish the intent of the original controls as closely as possible, when the originally designed controls cannot be used due to limitations of the environment or financial constraints.
1.9 Control Implementations
Administrative (Management)
• Description: Controls relating to the oversight, laws, rules, and regulations
• Example: Policies, procedures, training, audits, compliance reporting
Physical
• Description: Controls that can have a material structure (seen, heard, touched)
• Example: Gate, alarm, guard, barricade, door, lock, CCTV, ID card
Technical (Logical)
• Description: Controls provided through the use of technology and/or a digital device
• Example: Encryption, ACLs, firewall rules, anti-virus software, biometric authentication
1.9 Control Cross-Over Examples
Firewall (Technical Control)
• Deterrent: “Hardened” appearance discourages opportunistic attacks
• Preventative: Rule-set blocks certain ingress and egress traffic
• Detective: Activity is logged and alerts can be configured
• Corrective: N/A
Security Awareness Training (Administrative Control)
• Deterrent: Advises participants of penalties and consequences
• Preventative: Potential outcome: participants know what NOT to do
• Detective: Potential outcome: participants know how to detect suspicious activity and how to report it
• Corrective: Potential outcome: participants know how to respond to threat
Door Alarm (Physical Control)
• Deterrent: Discourages use of an alarmed door
• Preventative: N/A
• Detective: Reacts to the door being opened or threshold crossed
• Corrective: Sounds an alarm that might scare off the intruder
1.10 Threat Primer
Term – Description
Threat – Potential danger
Threat Actor – Adversaries with malicious intent
Vulnerability – A weakness in a system, process, or person
Exploit – Successfully taking advantage of a vulnerability
Targeted Attack – Threat actor chooses a target for a specific objective
Opportunistic Attack – Threat actor takes advantage of a vulnerable target (not previously known to them)
Incident – Event that potentially compromises the confidentiality, integrity, and/or availability of information or information system
Threat Modeling – Approach to identifying and categorizing potential threats
1.10 Threat Modeling
Threat modeling is an approach to identifying and categorizing
potential threats:
• Attacker-centric threat models start with identifying an attacker and then evaluate the attacker’s goals and potential techniques.
• Architecture-centric threat models focus on system design and potential
attacks against each component.
• Asset-centric threat models begin by identifying asset value and motivation
of threat agents.
1.10 Threat Analysis
Question – Factor
1. Why would an adversary target my organization? – Motivation
2. How hard would it be for an adversary to achieve their objective? – Workfactor
3. Are we aware of the latest threats, tools, and techniques? – Threat Intelligence
4. Would we know if we were being attacked? – Threat Detection
5. Are we prepared to respond to an attack? – Resiliency
1.10 Attack Vectors
Category – Description
Digital Infrastructure – Disruption, manipulation, or compromise of network or host hardware, services, application, data, or transmission
• Subset is cryptographic, which is disruption, manipulation, or compromise of cryptographic algorithms, protocols, services, applications, or data
Human – Disruption, manipulation, or compromise of people
Physical Infrastructure – Disruption or destruction of physical structures and facilities
1.10 Digital Infrastructure Attack Categories
Category – Description
Spoofing – Impersonating an address, system, or person
• Enables an attacker to act as the trusted source and redirect/manipulate actions
Poisoning – Manipulating a trusted source of data (e.g. DNS)
• Enables an attacker to control the trusted source of data
Hijacking – Intercepting communication between two or more systems
• Enables an attacker to eavesdrop, capture, manipulate, and/or reuse data packets
Denial of Service (DoS) – Overwhelming system resources
• Enables an attacker to make services unavailable for their intended use
Code – Exploiting weaknesses in server- or client-side code or applications
• Enables an attacker to take control
1.10 Defense-in-Depth | Layered Security
Controls are typically applied in multiple layers because no
single control can protect an asset from every type of
threat:
• This architecture is referred to as defense in depth or layered
security.
1.11 Supply Chain Risk Management
A supply chain is an ecosystem of organizations, processes,
people, and resources involved in providing a product or service.
Critical supply chain vendors and service providers should be
included in the organizational risk management program.
Expectations must be communicated.
• Use clear and consistent language in describing security requirements and
expectations.
• Provide baseline security requirements for products and services.
• Embed requirements in contracts and service-level agreements.
1.11 Supply Chain Assurance
Assurance mechanisms include due diligence, inspection, assessment, and audit reports.
• The most common information technology and security-related independent audit report is an AICPA SSAE 18 SOC report (formerly SAS 70 / SSAE 16).
1.12 Shared Responsibility
No individual, business, or government entity is solely responsible for cyber security. Everyone has a role to play.
• It is important to keep in mind that most individuals aren’t aware of potential dangers and/or security and privacy best practices.
• On-going education is essential.
• Educational programs should stress that individual actions matter and that
adherence to best practices, policies, and regulations are critical (and
expected).
• Educational programs should be tailored to roles and audience.
1.12 The NIST SETA Model (SP 800-50)
SETA - Security Education, Training, and Awareness
Education – Attribute: Why; Level: Insight; Objective: Understanding; Teaching Method: Discussion, seminar, reading; Test Measure: Essay; Impact Timeframe: Long-term
Training – Attribute: How; Level: Knowledge; Objective: Skill; Teaching Method: Lecture, case study, hands-on; Test Measure: Problem solving; Impact Timeframe: Intermediate
Awareness – Attribute: What; Level: Information; Objective: Awareness; Teaching Method: Interactive, video, posters, games; Test Measure: True or false, multiple choice; Impact Timeframe: Short-term
Domain 1 Security & Risk Management
1.1 Understand and apply the concepts of confidentiality, integrity and availability
1.2 Evaluate and apply security governance principles
1.3 Determine compliance requirements
1.4 Understand legal and regulatory issues that pertain to information security in a global context
1.5 Understand, adhere to, and promote professional ethics
1.6 Develop, document, and implement policies, standards, procedures, and guidelines
1.7 Identify, analyze, and prioritize Business Continuity (BC) requirements
1.8 Contribute to and enforce personnel security policies and procedures
1.9 Understand and apply risk management concepts
1.10 Understand and apply threat modeling concepts and methodologies
1.11 Apply risk-based management concepts to the supply chain
1.12 Establish and maintain a security awareness, education, and training program
Assessment Q1
Which statement best describes data integrity?
A. The system works as intended.
B. Code is bug free.
C. Resource utilization is logged and monitored.
D. Information can be trusted to be complete, consistent, and accurate.
Assessment Q2
At a minimum, which employee agreement should include rules
for how to interact with information systems, sanctions for
violations, and privacy expectations?
A. Acceptable Use Policy Agreement
B. Non-disclosure Agreement
C. Employment Agreement
D. Confidentiality Agreement
Assessment Q3
Which statement does not describe a control?
A. A tactic or strategy that reduces or eliminates vulnerability.
B. A tactic or strategy that reduces or eliminates likelihood of exploit.
C. A tactic or strategy that reduces or eliminates impact of exploit.
D. A tactic or strategy that reduces or eliminates expense.
Assessment Q4
Which of the following quantitative risk assessment formulas is
true?
A. AV=EF*Cost of Asset
B. ALE=SLE*ARO
C. SLE=EF*ARO
D. ARO=EF*SLE
Assessment Q5
Maximum tolerable downtime (MTD) relates to _____________.
Recovery point objective (RPO) relates to ____________.
A. business functions, system resources
B. system resources, data loss
C. length of outage, system resources
D. business functions, data loss
Break Time !
DAY 1 Segment #2
Domain 2:
Asset Security
Examination Average Weight 10%
Domain 2 Asset Security
2.1 Identify and classify information and assets
2.2 Determine and maintain information and asset ownership
2.3 Protect privacy
2.4 Ensure appropriate asset retention
2.5 Determine data security controls
2.6 Establish information and asset handling requirements
2.1 Asset Classification
The purpose of asset classification is to ensure that assets are
properly identified and protected throughout their lifecycle.
Asset classifications inform handling instructions, control
decisions, audit scope, and regulatory compliance activities.
• Information assets are generally classified by content (e.g. top secret,
secret, classified, SBU).
• Infrastructure and physical assets are generally classified by criticality of
the services they provide.
2.1 Classification Schemas
Classification schemas vary by sector.
• Government and military classification schemes include:
• U.S. Federal government classification system (FIPS 199)
• Military and national security classification (systems and information)
• Classification schemes are discretionary for the private sector
2.2 Asset Ecosystem
Asset roles form a chain of accountability, from governance down to day-to-day use:
Directors & Executive Management → Owners → Custodians → Users
2.2 Asset-related Roles and Responsibilities
Role: Responsibility
Directors & Executive Management: Responsible for governance and oversight. From a legal and regulatory perspective, they are ultimately responsible for the actions (or inaction) of the organization.
Information Security Officer: Responsible for protecting the security and privacy of assets, and for identifying threats, vulnerabilities, and risks.
Privacy Officer / Compliance Officer: Responsible for identifying, and ensuring compliance with, applicable organizational, regulatory, and contractual requirements.
Owners: Responsible for decisions related to classification and access control, and for oversight of protection mechanisms.
Custodians: Responsible for implementing, managing, and monitoring controls.
Users: Responsible for handling data and interacting with information systems in accordance with organizational policy and standards.
2.3 Privacy
Privacy is the right of the individual to control their personal data.
• Data collection should be limited to what is needed for a stated purpose.
• Data owners have a responsibility to respect and enforce privacy principles.
• Data processes should enforce privacy and preserve data integrity.
• Sanitization (anti-remanence) techniques should be used to permanently delete personal data at end of life.
• Reference – OECD Privacy Principles, www.oecd.org
2.3 OECD Privacy Principles
1. Collection Limitation Principle
• There should be limits to the collection of personal data, and any such data
should be obtained by lawful and fair means and, where appropriate, with
the knowledge or consent of the data subject.
2. Data Quality Principle
• Personal data should be relevant to the purposes for which it is to be used,
and, to the extent necessary for those purposes, should be accurate,
complete, and kept up to date.
2.3 OECD Privacy Principles cont’d
3. Purpose Specification Principle
• The purposes for which personal data is collected should be specified not
later than at the time of data collection.
4. Use Limitation Principle
• Personal data should not be disclosed, made available, or otherwise used
for purposes other than those specified except with the consent of the
data subject or by the authority of law.
2.3 OECD Privacy Principles cont’d
5. Security Safeguards Principle
• Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data.
6. Openness Principle
• There should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data and the main purposes of their use, as well as the identity and usual residence of the data controller.
2.3 OECD Privacy Principles cont’d
7. Individual Participation Principle
• An individual should have the right
a) To obtain from a data controller, or otherwise, confirmation of
whether the data controller has data relating to him
b) To have communicated to him, data relating to him
c) To be given reasons if a request made under (a) or (b) is denied, and to be
able to challenge such denial
d) To challenge data relating to him and, if the challenge is successful
to have the data erased, rectified, completed, or amended
2.3 OECD Privacy Principles cont.
8. Accountability Principle
• A data controller should be accountable for complying with measures
which give effect to the principles stated above.
2.3 Privacy Threshold Assessment
The purpose of the Privacy Threshold Assessment (PTA) is to
identify PII that has been acquired by the organization and to
determine how to appropriately treat the data.
PTAs generally include the following information:
• Description of the system
• What PII, if any, is collected or used
• From whom is the PII collected and why
• Archiving requirements
• Protection requirements (regulatory, contractual, ethical)
2.3 Privacy Impact Assessment
A Privacy Impact Assessment (PIA) is a decision-making tool
used to identify and mitigate privacy risks at the beginning
of and throughout the development life cycle of a program
or system.
PIAs generally include the following information:
• Description of the system
• What PII, if any, is collected or used
• Why it is being collected
• From whom is the PII is collected
• Privacy requirements (regulatory, contractual, ethical)
• How it will be used, accessed, secured, shared and stored
2.4 Information Lifecycle
Collection → Use → Retention → Archiving (with Legal Hold when litigation is anticipated) → Deletion / Destruction
Reference: http://www.oecd.org/
2.4 Retention and Archiving
Retention is a protocol (set of rules) within an organization that
dictates which types of unaltered data must be kept and for how long.
• Legal and regulatory requirements must be considered.
Archiving is the process of securely storing unaltered data for
later potential retrieval.
• Backup and replication are the processes of making copies of data to ensure
recoverability. Archiving, backup, and replication are distinct processes.
2.4 Legal Hold and eDiscovery
A legal hold is the requirement for an organization to preserve
all forms of relevant information when litigation, audit, or
government investigation is reasonably anticipated. The
objective is to avoid evidence spoliation.
• A legal hold supersedes organizational retention policies.
• eDiscovery (also called electronic discovery) refers to any process in which
electronic data is sought, located, secured, and searched with the intent of
using it as evidence in a civil or criminal legal case.
2.4 Data Remanence
Data remanence is the residual representation of digital data
that remains even after attempts have been made to remove or
erase the data. Techniques to counter data remanence (sanitization) include:
• Clearing, the removal of data in such a way that it cannot be recovered
using normal system functions or recovery utilities.
• Purging, the removal of data in such a way that it cannot be reconstructed
by any known technique.
• Destruction, the physical act of destroying media in such a way that it
cannot be reconstructed.
2.5 Anti-Remanence Techniques
Technique: Description (Result)
Wiping: Overwrites all addressable storage and indexing locations, typically multiple times (Clearing)
Degaussing: Using an electromagnetic field to destroy all magnetically recorded data (Purging)
Shredding: Physically breaking media into pieces (Destruction)
Pulverizing: Reducing media to dust (Destruction)
Pulping: Chemically altering media (Destruction)
Burning: Incinerating media (Destruction)
Caveat: wiping and degaussing assume magnetic media. Degaussing has no effect on flash storage (SSDs, USB drives), and overwriting can miss wear-levelled or over-provisioned flash cells; for such media use the drive's built-in cryptographic erase or secure-erase command, or destroy it.
2.5 Data Security Controls Decisions
Data security control decisions are generally related to:
• Data classification (e.g. protected, confidential, and public)
• Data state (point in time)
• Data at rest (persistent storage — e.g. disk, tape)
• Data in use (CPU processing or in RAM)
• Data in transit (transmission)
Common data protection controls include access management,
cryptography, and obfuscation.
2.6 Handling Standards and Labels
Handling standards inform custodians and users how to interact
with information assets.
• Handling standards are generally related to classification, data state, and
legal or regulatory requirements.
Labels are used to identify assets so users can apply the appropriate
handling standard.
• Labeling is influenced by the intended audience.
• Labels can be digital, print, audio, or visual.
• Noted on or in a document (e.g. CONFIDENTIAL)
• Written on or attached to media
Domain 2 Asset Security
2.1 Identify and classify information and assets
2.2 Determine and maintain information and asset ownership
2.3 Protect privacy
2.4 Ensure appropriate asset retention
2.5 Determine data security controls
2.6 Establish information and asset handling requirements
Assessment Q1
_________ is the right of an individual to control the use of his
or her personal information.
A. Security
B. First amendment
C. Habeas Corpus
D. Privacy
Assessment Q2
An individual or group that is responsible for decisions related to
classification and oversight of protection mechanisms.
A. owner
B. executive
C. custodian
D. administrator
Assessment Q3
This is the process of securely storing unaltered data for later
potential retrieval.
A. Backup
B. Replication
C. Retention
D. Archiving
Assessment Q4
The residual representations of digital data even after attempts
to remove or erase is known as _______________?
A. data clusters
B. data remanence
C. data bits
D. data slack
Assessment Q5
Which of the following is the most important reason an
information asset should have a visible data classification label?
A. Inventory control
B. User recognition
C. Regulatory compliance
D. Asset management
Break Time!
DAY 1 Segment #3
Domain 3: Security Architecture and Engineering
Examination Average Weight 13%
Domain 3 Security Architecture and Engineering
3.1 Implement and manage engineering processes using secure design principles
3.2 Understand the fundamental concepts of security models
3.3 Select controls based on systems security requirements
3.4 Understand security capabilities of information systems
3.5 Assess and mitigate vulnerabilities of security architectures, designs, and solution elements
3.6 Assess and mitigate vulnerabilities in web-based systems
3.7 Assess and mitigate vulnerabilities in mobile systems
3.8 Assess and mitigate vulnerabilities in embedded devices
3.9 Apply cryptography
3.10 Apply security principles to site and facility design
3.11 Implement site and facility security controls
3.1 Secure Design & Engineering Objectives
Security must be incorporated and addressed from
the initial planning and design phases through
disposal of the system.
• Without proper attention to security, an organization’s
information technology can become a source of significant
risk.
• With careful planning from the earliest stages, however,
security becomes an enabler to achieve the organization’s
mission.
3.1 NIST SP 800-160
Systems Security Engineering: Considerations for a
Multidisciplinary Approach in the Engineering of Trustworthy
Secure Systems
• SP 800-160 addresses the engineering-driven actions necessary to develop
more defensible and survivable systems—including the components that
compose and the services that depend on those systems.
• Aligned with the international standard ISO/IEC/IEEE 15288.
3.2 Information Security Models
Information security models focus on interactions and provide
structure and rules to be followed to accomplish a specific
objective (e.g. confidentiality, integrity, and availability).
• Foundational (lower-level) models include State Machine, Non-
Interference, and Information Flow.
• Relationship (higher-level) models include Bell-LaPadula, Biba, Clark-
Wilson, and Brewer Nash.
3.2 Foundational Models (lower-level)
Model: Description
State Machine: Conceptual model in which the system is always in one of a set of defined states and every transition must preserve security, so that no matter what activity is taking place within the system, it remains trustworthy.
Non-interference (multilevel): Whatever happens at one security level does not directly or indirectly affect the security environment of other levels.
Information Flow (multilevel): Information will flow only in ways that do not violate the security policy of the system.
If any of the foundational models is shown not to hold, then the security of the system cannot be relied upon regardless of the implementation of higher-level security models.
3.2 Relationship Models (higher-level)
Model: Description (Objective)
Bell-LaPadula: Subjects cannot read data that has a higher classification (simple security property). Subjects cannot write to an object at a lower security level (*-property). No Read Up, No Write Down. (Confidentiality)
Biba: Subjects cannot read data that has a lower integrity level (simple integrity property). Subjects cannot write to an object at a higher integrity level (integrity *-property). No Read Down, No Write Up. (Integrity)
Clark-Wilson: Well-formed transactions ensure that a user cannot alter data arbitrarily. Instead, data can be altered only in a specified way, through a transformation procedure, in order to preserve its internal consistency (the subject / program / object access triple). (Integrity)
Brewer-Nash (Chinese Wall): Context-oriented commercial model designed to defend against conflicts of interest. Access controls change dynamically depending upon a user's previous actions. (Conflict of interest)
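The Bell-LaPadula and Biba rules above reduce to a handful of comparisons that a reference monitor can enforce on every access request. The Python below is an added example, not part of the course slides: the level names, the SECRET-cleared subject and the request list are constructed for illustration, and the same ordered levels are reused as integrity levels for Biba so the two models can be compared side by side on identical requests.

```python
from enum import IntEnum


class Level(IntEnum):
    """Ordered labels; used as classification (BLP) and, for illustration, integrity (Biba)."""
    PUBLIC = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def bell_lapadula_allows(subject: Level, obj: Level, op: str) -> bool:
    """Confidentiality: simple security property (no read up), *-property (no write down)."""
    if op == "read":
        return subject >= obj      # may read objects at or below own clearance
    if op == "write":
        return subject <= obj      # may write objects at or above own clearance
    raise ValueError(f"unknown operation: {op!r}")


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Integrity: simple integrity property (no read down), integrity *-property (no write up)."""
    if op == "read":
        return subject <= obj      # may read only from equal or higher integrity
    if op == "write":
        return subject >= obj      # may write only to equal or lower integrity
    raise ValueError(f"unknown operation: {op!r}")


def reference_monitor(model, requests):
    """Mediate every (subject, object, operation) request; return the decisions in order."""
    decisions = []
    for subject, obj, op in requests:
        decisions.append((subject.name, obj.name, op, model(subject, obj, op)))
    return decisions


# Constructed sample requests: a SECRET-cleared subject against three objects.
SAMPLE_REQUESTS = [
    (Level.SECRET, Level.TOP_SECRET, "read"),     # read up
    (Level.SECRET, Level.CONFIDENTIAL, "read"),   # read down
    (Level.SECRET, Level.TOP_SECRET, "write"),    # write up
    (Level.SECRET, Level.CONFIDENTIAL, "write"),  # write down
    (Level.SECRET, Level.SECRET, "write"),        # same level
]

if __name__ == "__main__":
    for name, model in (("Bell-LaPadula", bell_lapadula_allows), ("Biba", biba_allows)):
        print(name)
        for subj, obj, op, allowed in reference_monitor(model, SAMPLE_REQUESTS):
            print(f"  {subj:>12} {op:5} {obj:<12} -> {'ALLOW' if allowed else 'DENY'}")
```

Running it prints the mirror image the table describes: the read-up and write-down requests are denied under Bell-LaPadula and allowed under Biba, the read-down and write-up requests the other way round, and the same-level write is allowed by both.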
3.3 Security Evaluation Objectives
A Trusted System has undergone sufficient benchmark testing,
verification, and validation (by an independent third party) to
ensure that the product meets the users' requirements.
• Functionality is verification that a security control exists and that it works
correctly at least once.
• Assurance is a degree of confidence that the system will act in a correct
and predictable manner in every computing situation (trustworthy
computing).
3.3 Security Evaluation Criteria
Criteria: Description (Function)
TCSEC: Developed in 1983, the Trusted Computer System Evaluation Criteria (TCSEC) was used to evaluate, classify, and select systems for the DoD based upon confidentiality requirements. Superseded by the Common Criteria. (Originally published as the "Orange Book"; expanded to 20+ books known as the Rainbow Series.)
ITSEC: Developed in 1991 by a consortium of European nations, the Information Technology Security Evaluation Criteria (ITSEC) is used to evaluate the functionality and assurance of a computer system based upon a vendor-defined set of requirements. (Functionality and assurance are evaluated independently and separately.)
Common Criteria: Work began in 1993 to unify TCSEC, ITSEC and other national schemes; published by ISO/IEC as ISO/IEC 15408. The Common Criteria provides a universal structure and language for expressing product and system requirements. (Products are evaluated against a protection profile, or the vendor's security target, to an Evaluation Assurance Level, and results are published.)
3.4 Trusted Computing Base
Trusted Computing Base is the combination of all the security
mechanisms within a computer including hardware, software, and
firmware.
3.4 Hardware/Firmware Security Components
Acronym: Name, Description
BIOS: Basic Input Output System, non-volatile firmware that initializes hardware and starts the boot loader
UEFI: Unified Extensible Firmware Interface, BIOS replacement that supports Secure Boot and digitally signed firmware updates
Secure Boot: UEFI feature that loads only boot components whose digital signatures verify against keys enrolled in the firmware
TPM: Trusted Platform Module, chip that protects cryptographic keys, hashes (measurements), and certificates
HSM: Hardware Security Module, device used for cryptoprocessing and key protection
FDE / SED: Full disk encryption / self-encrypting drives, hardware-based mechanism for automatically encrypting storage media
CPU Rings: Protection rings (conceptual boundaries) that control how processes are executed and their level of trust (ring 0 kernel, ring 3 user mode)
3.4 Single Point of Failure
Single point of failure (SPOF) can be any technology component
whose failure impacts the availability of the entire system.
• SPOFs can be anywhere in the dependency chain.
• SPOFs and their business impact need to be identified.
• Investment in system survivability uses high availability and fault-
tolerant technologies (redundancy, clustering, failover).
3.5 Architecture Vulnerability
Configuration: Description; Advantage; Vulnerability
Centralized: Centralized processing; tightly controlled; failure or compromise impacts the entire platform
Client/Server: Inherent trust between client and server; flexibility; every connection is a potential attack conduit
Distributed: No central authority; distributed ownership; distributed management
Large Scale (Parallel): Disparate systems working in concert (e.g. a cluster); force multiplier effect (increase in capability); data aggregation
Grid: Sharing of CPU and other resources across a network; power (e.g. the seti@home project); distributed management and authentication
ICS / SCADA: Embedded systems that monitor and control industrial processes; power complex systems such as the electric grid; weak authentication, outdated OS, inability to patch, remote access
3.5 Cloud Deployment Models
Model: Description (Considerations)
Public Cloud: Provisioned for public use (location, multitenancy)
Community Cloud: Provisioned for the exclusive use of a well-defined group (multitenancy)
Private Cloud: Provisioned for the exclusive use of a single organization (scalability)
3.5 Cloud Service Models - SaaS
Model: SaaS (Software as a Service)
Provided: Computing resources + operating system + application
Customer impact: The customer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities. The customer uses the provider's applications running on a cloud infrastructure. The customer has control over limited user-specific application configuration.
Considerations: Availability, maintenance, vulnerability management, confidentiality, privacy, data ownership, multitenancy, testing
3.5 Cloud Service Models - PaaS
Model: PaaS (Platform as a Service)
Provided: Computing resources + operating system (+ optionally database)
Customer impact: The customer does not manage or control the underlying cloud infrastructure, operating system, programming languages, tools, and platform. The customer deploys created or acquired applications onto the cloud infrastructure. The customer has control over deployed applications and possibly configuration settings for the application-hosting environment.
Considerations: Availability, maintenance, vulnerability management, confidentiality, privacy, data ownership
3.5 Cloud Service Models—IaaS
Model: IaaS (Infrastructure as a Service)
Provided: "Bare metal" computing resources
Customer impact: The customer does not manage or control the underlying cloud infrastructure. The customer can provision processing, storage, networks, and other fundamental computing resources. The customer has control over the operating system, storage, and deployed applications, and possibly limited control of select networking components (e.g. host firewalls).
Considerations: Availability, maintenance, vulnerability management
3.5 Cloud Access Security Brokers
Cloud access security brokers (CASBs) are security policy enforcement
points (software or appliance) placed between "the cloud" and
enterprise users.
• Security policies are applied as cloud-based resources are accessed, for
example authentication, encryption, visibility, and DLP.
• Provides control over shadow IT applications.
• Shadow IT is used to describe the use of IT solutions that are managed
outside of and without the knowledge of the IT department.
• CASBs proxy traffic and use auto discovery to identify cloud applications.
3.5 Security-as-a-Service
Security-as-a-Service (SecaaS) is the delivery of managed security
services for public, private, and hybrid cloud environments.
• SecaaS relieves the burden of relying on the SaaS, PaaS, or IaaS vendor for
security protection and enforcement.
• Services include encryption, activity monitoring, DLP, malware detection,
filtering, firewall, policy enforcement, email security, intrusion detection,
authentication, and more.
• The cloud security market is expected to reach $8.71 billion by 2019.
3.6 Web Vulnerabilities
Web systems are particularly vulnerable due to their level of
exposure, accessibility, and rapid rate of change.
• Security misconfiguration can happen at any level of an application stack,
including the platform, web server, application server, database,
framework, and custom code.
• System owners, developers, and system administrators need to work
together to ensure that the entire stack is configured properly.
• Resource http://www.owasp.org
3.6 Improper Input/Output Validation
Vulnerability: Description (Impact)
Injection: Tricking an application into including unintended commands in the data sent to an interpreter (e.g. OS, LDAP, SQL). (Can result in database, schema, account, and/or operating system access.)
Cross-Site Scripting (XSS): Injection of malicious script into a vulnerable web application, or into a back-end database the application reads from, so that it executes in a victim's browser. (Can result in user session hijack, redirection to a malware distribution site, or bypassing access controls.)
Cross-Site Request Forgery (CSRF / XSRF): Tricking a web browser into executing a malicious action on a trusted site for which the user is currently authenticated. CSRF exploits the trust that a site has in a user's browser. (Can result in data theft, unauthorized funds transfers, credential modifications, or stolen session cookies.)
3.6 OWASP 2017 #1 Injection
Vulnerability: Injection
Description: Tricking an application into including unintended commands in the data sent to an interpreter (e.g. OS, LDAP, SQL)
Flaw: Improper input/output validation
Impact: Can result in unauthorized access, data exfiltration, and data corruption
Mitigation:
• Use of a "safe" (parameterized) API
• Positive "whitelist" input and output validation
3.6 Injection Illustrated (SQL)
1. Application presents a form to the attacker.
2. Attacker sends an attack string (SQL fragment) in the form data.
3. Application forwards the attack string to the DB inside a SQL query.
4. DB runs the query and sends the results back to the application.
5. Application sends the results to the attacker.
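The five steps above, as an added Python example that is not part of the course materials. It uses an in-memory SQLite database with two constructed accounts (passwords stored in clear only so the injection stays visible; a real store would hold salted, stretched hashes). The vulnerable login builds the statement by string concatenation, so the attacker-controlled username `alice' --` closes the quoted value and turns the rest of the WHERE clause into a SQL comment. The safe variant applies both mitigations from the table: a positive whitelist on the username, and a parameterized query so the driver binds the values as data rather than as SQL.

```python
import re
import sqlite3

# Positive (whitelist) validation: only lowercase letters, digits and underscore.
USERNAME_PATTERN = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db():
    """Constructed sample data for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Step 3 as the attacker wants it: form fields concatenated straight into the SQL."""
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn, username, password):
    """Whitelist the input shape, then use the parameterized ('safe') API."""
    if not USERNAME_PATTERN.match(username):
        return None
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    # The attack string ends the quoted username; "--" comments out the password check.
    print(login_vulnerable(db, "alice' --", "anything"))   # ('alice', 'admin')
    print(login_vulnerable(db, "' OR 1=1 --", "anything"))  # first row, no username at all
    print(login_safe(db, "alice' --", "anything"))          # None
    print(login_safe(db, "alice", "correct horse"))         # ('alice', 'admin')
```

With parameters bound, the same attack string is simply compared as a literal username and matches nothing; the whitelist rejects it even earlier and also keeps quotes and comment markers out of any log line that echoes the input.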
3.7 OWASP Mobile Top 10 Vulnerabilities (2014 list)
M1: Weak Server Side Controls
M2: Insecure Data Storage
M3: Insufficient Transport Layer Protection
M4: Unintended Data Leakage
M5: Poor Authorization and Authentication
M6: Broken Cryptography
M7: Client-Side Injection
M8: Security Decisions via Untrusted Inputs
M9: Improper Session Handling
M10: Lack of Binary Protections
3.8 Embedded System (IoT)
An embedded system is an electronic product that contains a
microprocessor and software designed to perform a specific
task. An embedded system can be either fixed or programmable.
• Embedded systems are found in consumer, cooking, industrial, automotive,
medical, commercial, and military applications.
• Embedded systems range from very small personal devices to large-scale
environments, for example digital watches, health meters, printers/MFDs,
camera systems, routers, sensors, traffic lights, automotive safety systems, and
industrial control systems.
• Internet of Things (IoT) sensors and actuators embedded in physical
objects, from roadways to pacemakers, are linked through wired and
wireless networks and so provide a pathway for attack.
3.9 Cryptography
Cryptography is the science of secret writing; it enables an
entity to store, transmit, and process data in a form that is only
usable by an intended recipient.
Primary cryptographic use cases and corresponding techniques
include:
• Confidentiality (encryption)
• Integrity (hashing)
• Non-repudiation (digital signatures)
• Authentication (digital certificate)
• Obfuscation (encryption, steganography)
3.9 Cryptographic Terminology — Cipher
Term: Description
Plaintext (cleartext): Human-readable (unencrypted) data
Ciphertext: Encrypted, unreadable data
Cipher: A technique that transforms plaintext into ciphertext and back to plaintext
Algorithm: A cryptographic algorithm is a mathematically complex modern cipher
Stream Cipher: Algorithm that works on one bit (or byte) at a time
Block Cipher: Algorithm that works on fixed-size blocks of data
3.9 Cipher Terminology - Techniques
Technique: Description
Substitution Cipher: Replaces one character or bit with another character or bit.
Transposition Cipher: Moves characters or bits to another place within the message block.
Confusion: The process of changing the values so that the relationship between the key and the ciphertext is obscured. Complex substitution functions are used to create confusion.
Diffusion: The process of changing the order so that each plaintext bit influences many ciphertext bits. Sending bits through multiple rounds of transposition is used to create diffusion.
3.9 Cryptographic Terminology - Key
Term: Description
Key / Cryptovariable: Secret value used with an algorithm. The key dictates what parts of the algorithm will be used, in what order, and with what values.
Key Space: Number of possible keys (e.g. a 256-bit key gives 2^256 ≈ 1.1578 × 10^77 possible keys).
Key Stretching: The initial key (often a password) is fed into an algorithm that outputs an enhanced (stronger) key.
Symmetric: Using a single shared key.
Asymmetric: Using two mathematically related keys (public / private).
Public Key: Key that is publicly distributed.
Private Key: Corresponding key that is secured by the owner.
3.9 Symmetric Encryption Illustration
Plaintext → Cipher (DES, 3DES, AES) under the shared key → Ciphertext → Cipher (DES, 3DES, AES) under the same shared key → Plaintext
3.9 Asymmetric Illustration
Cleartext → Cipher (RSA, ECC, El Gamal) under the recipient's public key → Ciphertext → Cipher under the recipient's private key → Cleartext
Note: Diffie-Hellman belongs with the asymmetric algorithms, but it is a key-agreement protocol used to establish a shared secret between two parties, not a cipher that encrypts messages directly.
3.9 Key Pairs in Action for Encryption
Alice has a key pair.
‒ She freely distributes her public key.
‒ She securely stores her private key.
Bob has a key pair.
‒ He freely distributes his public key.
‒ He securely stores his private key.
3.9 Message Flow – Hybrid Solution
Alice wants to send Bob an encrypted message:
1. Alice generates a random session key and encrypts the plaintext message with a symmetric cipher under the session key.
2. Alice encrypts the session key with an asymmetric cipher under Bob's public key.
3. Alice sends the encrypted message and the encrypted session key to Bob.
4. Bob decrypts the session key with an asymmetric cipher under his private key.
5. Bob decrypts the message with the symmetric cipher under the recovered session key.
3.9 Hashing
Hashing produces a fixed-length digest (a fingerprint) of a data set using a one-way function; the digest cannot be reversed to recover the input.
• The original message remains intact.
• Salts are random values added to the input so that identical inputs produce different digests, which defeats precomputed (rainbow table) attacks and strengthens stored password hashes.
Hash Calculation
3.9 Message Digest in Action
1. Alice puts the message through a hashing algorithm and generates a message digest (hash) value.
2. Alice sends the message and the message digest to Bob.
3. Bob receives the message and the message digest.
4. Bob puts the message through the same hashing algorithm and generates a message digest.
5. Bob compares both message digests.
• If the message digests are the same, the message was not modified in transmission.
• If the message digests are different, the message was modified in transmission.
Caveat: a plain digest only detects accidental modification. An attacker who can alter the message in transit can recompute the digest as well, so proving that the message came from Alice requires a keyed hash (HMAC) or a digital signature.
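The digest exchange above, together with the salt and key-stretching terms from the key terminology table, in Python using only the standard library. This is an added example and not course material: the messages and passwords are constructed, and the PBKDF2 iteration count is an assumption chosen for illustration rather than a figure from the slides.

```python
import hashlib
import hmac
import os
from typing import Optional


def message_digest(message: bytes) -> str:
    """Alice's step: a fixed-length SHA-256 fingerprint of the message, as hex."""
    return hashlib.sha256(message).hexdigest()


def digest_matches(message: bytes, received_digest: str) -> bool:
    """Bob's step: recompute over the received message and compare in constant time."""
    return hmac.compare_digest(message_digest(message), received_digest)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> dict:
    """Salted, stretched password hash: PBKDF2-HMAC-SHA256 iterated `iterations` times.
    A fresh random salt per password means equal passwords give different records."""
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                  iterations, dklen=32)
    return {"salt": salt.hex(), "iterations": iterations, "hash": derived.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(record["salt"]),
                                    record["iterations"], dklen=32)
    return hmac.compare_digest(candidate.hex(), record["hash"])


if __name__ == "__main__":
    msg = b"Transfer 100 to account 42"                  # constructed sample message
    d = message_digest(msg)
    print(d)
    print(digest_matches(msg, d), digest_matches(b"Transfer 900 to account 42", d))
    rec = hash_password("correct horse battery staple")  # constructed sample password
    print(rec)
    print(verify_password("correct horse battery staple", rec),
          verify_password("Tr0ub4dor&3", rec))
```

Changing a single character of the message yields an unrelated digest, which is the property Bob's comparison relies on. The iteration count is what makes the derived key "stretched": each guess an attacker tries against a stolen record costs the same 600,000 HMAC computations, and the per-password salt prevents one precomputed table from serving every record.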
3.9 Hash Attacks
Attack: Description
Collision: Using a mathematical technique to force two inputs to produce the same hash value. The hash method used can no longer be relied upon to identify different data.
Birthday: Exploits the mathematics behind the birthday problem in probability theory to find a collision in roughly 2^(n/2) attempts for an n-bit hash, far fewer than the 2^n an exhaustive search would need.
Pass-the-Hash: Using captured hashed credentials from one machine to successfully gain control of another machine.
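A birthday attack on a deliberately shortened digest, as an added Python example that is not from the course. SHA-256 is truncated to a small number of bits so that a collision appears within seconds; the inputs are constructed counter strings. The point to observe is the count of attempts: on the order of 2^(n/2) for an n-bit digest, against 2^n to find a second input for one fixed digest.

```python
import hashlib
import math


def truncated_digest(data: bytes, bits: int) -> int:
    """Keep only the top `bits` bits of SHA-256 to simulate a short (weak) hash."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def birthday_collision(bits: int, prefix: bytes = b"msg-"):
    """Generate distinct messages until two share a truncated digest.
    Returns (message_a, message_b, attempts)."""
    seen = {}
    counter = 0
    while True:
        message = prefix + str(counter).encode()
        value = truncated_digest(message, bits)
        if value in seen:                     # any earlier message with this value collides
            return seen[value], message, counter + 1
        seen[value] = message
        counter += 1


def expected_attempts(bits: int) -> float:
    """Birthday bound: about sqrt(pi/2 * 2^n) samples for a 50% chance of a collision."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


if __name__ == "__main__":
    bits = 32
    a, b, attempts = birthday_collision(bits)
    print(a, b, attempts)
    print("expected ~%.0f attempts; exhaustive search of one value: 2^%d = %d"
          % (expected_attempts(bits), bits, 2 ** bits))
```

For 32 bits the search finishes after tens of thousands of hashes instead of billions; the same ratio is why a 128-bit digest offers only about 64 bits of collision resistance, and why a signature scheme that signs the digest must use a hash wide enough that 2^(n/2) is out of reach.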
3.9 Digital Signature
A digital signature is a message digest that has been signed (in RSA, effectively encrypted) using the signer's private key and a digital signature algorithm (RSA, DSA, ECDSA). Anyone holding the corresponding public key can verify it.
3.9 Digital Signature in Action
3.9 Digital Certificates
A digital certificate binds a public key to the identity of its claimed owner, together with a collection of fields (subject, issuer, validity period, key usage) sufficient to authenticate that owner; the binding is attested by the issuing Certificate Authority's signature. The private key is generated and kept by the subject; the certificate never contains it.
• The X.509 standard defines the certificate format and fields for public keys.
• The X.509 standard also defines the certificate revocation list (CRL) format.
• The current version of X.509 for certificates is v3.
3.9 Types of Digital Certificates (Use)
Type: Use
Personal: Verifies a user identity (generally used for email)
Server (Machine/Computer): Verifies a server identity
Domain Validation: Verifies control of a web domain. A wildcard certificate can be used with multiple subdomains of a domain (e.g. *.example.com)
Organization Validation: Verifies a web domain and an organization
Extended Validation: Verifies a web domain and an organization subject to additional vetting (a.k.a. "green bar", an address-bar indicator that major browsers have since dropped)
Code / Object signing: Verifies origination/ownership as well as object integrity
Trusted / Intermediate (CA): Identifies root and intermediate Certificate Authorities
3.9 Self-signed Certificate
A self-signed certificate is signed by the person creating it.
• The advantage is that there is no additional expense.
• The disadvantages are that a self-signed certificate can easily be
impersonated, will present the user with a warning message and cannot be
revoked.
• Use cases include an internal development server.
3.9 Trust Models (Chain of Trust)
A Trust Model defines how users trust other users, organizations, CAs and RAs within the PKI.
Model: Description
Web of Trust: No central authority. Each user creates and signs their own certificate. Users sign each others' public keys to indicate trust.
Third-party (Single Authority) Trust: A central third-party Certificate Authority (CA) signs a key and authenticates the owner.
Hierarchical Model: Extension of third-party trust in which root CAs issue certificates to lower-level "intermediate" CAs, which can then issue certificates. Trust is inherited.
• An offline root CA is one that is isolated from the network and is often kept powered down to prevent compromise.
• A Registration Authority (RA) offloads some of the work from the CA. The RA can accept and process registration requests and distribute certificates.
• A Local Registration Authority (LRA) requires physical identification.
3.9 Certificate Lifecycle
Certificate Signing Request (CSR) → Certificate is issued → Certificate is published → Certificate is received (installed) → Certificate is suspended / revoked or expires → Key is destroyed
3.9 Certificate Revocation
Action: Description
Suspension: Temporary revocation of a certificate until a certificate problem can be resolved.
Revocation: Permanent withdrawal of trust by the issuing authority before the scheduled expiration date.
Certificate Revocation List (CRL): CA-maintained list of certificates that have been revoked. Pull model: the CRL is downloaded by the user or organization. Push model: the CRL is automatically sent out by the CA at regular intervals.
Online Certificate Status Protocol (OCSP): Protocol designed to query the status of a certificate in real time. With OCSP stapling, the server fetches a time-stamped, CA-signed OCSP response in advance and presents (staples) it to the client during the TLS handshake, so the client does not have to contact the CA itself.
3.9 Crypto Attack Categories
The intention is to break a cryptosystem and recover the plaintext from the ciphertext; the attacker's ultimate objective is to recover the key.
Attack: Description
Ciphertext Only: A sample of ciphertext is available without the plaintext associated with it.
Known Plaintext: A sample of ciphertext and the corresponding known plaintext is available.
Chosen Plaintext: The attacker can choose the plaintext to be encrypted and obtain the corresponding ciphertext.
Chosen Ciphertext: The attacker can select the ciphertext and obtain the corresponding plaintext.
3.9 Key Attacks
Attack | Description
Brute Force | Every possible key in the keyspace is tested (online against the live system, or offline against captured ciphertext or hashes)
Dictionary | A list of likely keys or passwords is tested instead of the whole keyspace
Frequency | Statistical patterns in the ciphertext (for example, letter frequencies that mirror the language of the plaintext) are used to reveal the key
3.9 Cryptography Controls Review
Encryption is used to ensure confidentiality.
Hashing is used to prove integrity.
Digital signatures are used to provide non-repudiation (a signature over a message digest, made with the signer's private key, also proves origin and integrity).
Digital certificates are used for authentication (a CA binds a public key to an identity).
3.10 Building Security
Building and facility security focuses primarily on preventive,
deterrent, and detective access controls and workplace safety.
Physical security is based upon a layered defense model.
• Obstacles to frustrate trivial attackers and delay serious ones
• Detective controls make it likely that attacks will be noticed
• Response mechanisms to repel, catch, or frustrate attackers
3.10 Building Security
Control | Description
Lighting | Lighting for personnel safety and intruder deterrence
• Intruders are less likely to enter well-lit areas
• Lighting can be continuous, motion triggered, random, timed, or standby
• Lighting should be tamper proof and have a backup power supply
Signs | Signs for personnel safety and intruder deterrence
• Warning signs indicate surveillance ("someone is paying attention")
Physical Barrier | Fences, walls, gates, barricades, bollards, and mantraps define the perimeter.
• They serve to prevent, deter, or delay (increase the work factor of) an attack.
Surveillance | Surveillance technologies such as physical intrusion detection systems (motion, door and glass-break sensors), closed-circuit TV (CCTV) and camera systems can be used to monitor, detect (and report) suspicious, abnormal, or unwanted behavior.
Security Guards | Security personnel may be stationed at checkpoints, patrol the area, manage surveillance, and respond to breaches and/or suspicious activity.
3.11 Environmental Impact
Computers, electronic equipment, and transmission media are
sensitive to environmental factors such as heat, humidity, air
flow, and power quality.
• Environmental imbalance can impact stability, availability, and integrity.
3.11 Environmental Security
Element | Description
Heat | Acceptable temperature is between 70 and 74 degrees Fahrenheit (about 21 to 23 °C).
Humidity | Acceptable relative humidity is between 45% and 60%. Air that is too dry invites static discharge; air that is too humid invites condensation and corrosion.
Fire | Fire protection is comprised of four elements: prevention, detection, containment and suppression.
Power | Electrical power supplied to electronic devices must have consistent voltage and a minimum of interference. Devices need to be protected against surges, spikes, sags, brownouts, and blackouts.
EMI/RFI | Equipment should have limited exposure to magnets, fluorescent lights, electric motors, space heaters, and wireless access points. Copper and coax cable should be shielded.
Air Flow | Hot aisle / cold aisle configuration for data center racks.
3.11 Data Center Air Circulation Issue (figure)
3.11 Hot Aisle / Cold Aisle Circulation (figure)
Domain 3 Security Architecture and Engineering
3.1 Implement and manage engineering processes using secure design principles
3.2 Understand the fundamental concepts of security models
3.3 Select controls based on systems security requirements
3.4 Understand security capabilities of information systems
3.5 Assess and mitigate vulnerabilities of security architectures, designs, and solution elements
3.6 Assess and mitigate vulnerabilities in web-based systems
3.7 Assess and mitigate vulnerabilities in mobile systems
3.8 Assess and mitigate vulnerabilities in embedded devices
3.9 Apply cryptography
3.10 Apply security principles to site and facility design
3.11 Implement site and facility security controls
Assessment Q1
The rules for this conceptual model are – no read up and no
write down. This is the _______ model and the objective is
___________.
A. Biba, integrity
B. Bell-LaPadula, confidentiality
C. Biba, confidentiality
D. Bell-LaPadula, integrity
Assessment Q2
Which system(s) are particularly vulnerable to exploitation due
to weak authentication, outdated operating systems, and
limited (if any) maintenance windows?
A. Cloud
B. Client/Server
C. ICS/SCADA
D. Parallel
Assessment Q3
Which attack results in scripts being executed in the victim’s
browser?
A. XSS
B. Injection
C. Brute force
D. Pass-the-hash
Assessment Q4
Which of the following is not a true statement?
A. Public keys should always be securely maintained.
B. A frequency attack focuses on identifying patterns to find the key.
C. Keyspace is the number of possible crypto-variable combinations.
D. Longer keys are harder to break but require more processing power
Assessment Q5
A __________________ is a message digest that has been
encrypted using a private key.
A. cipher
B. digital certificate
C. digital signature
D. salt
Day 1 Segment #4
Study & Test Taking Strategies
Study Plan
Schedule your exam!
• Create a study plan and stick to it.
• Watch my videos – The Complete CISSP 2nd Edition & The Exam Prep Video
course available on SafariBooksOnline!
• Study with a buddy.
• Make flash cards.
• Talk to yourself, seriously.
The Zen of Studying
Relax. Breathe deeply. Enjoy.
• Remind yourself you can do this.
• Approach the material and the exam with a positive, can-do attitude.
• Don't think of preparing for and taking the exam as a chore; envision it as an
opportunity to validate your knowledge and experience.
• Promise yourself a wonderful indulgence at the completion of this journey.
Day 2
Join me tomorrow for Part II of the CISSP Crash Course.
• Segment 1: Domain 4 Communication and Network Security
• Segment 2: Domain 5 Identity and Access Management (IAM)
• Segment 3: Domain 6 Security Assessment and Testing
• Segment 4: Domain 7 Security Operations
• Segment 5: Domain 8 Software Development Security
• Segment 6: Preparing for Test Day!
Day 1 feedback: I encourage you to send me an email at [email protected].
Until tomorrow ….. Have a great day/evening.