Thomas Rayner

CISSP Study Notes

2025-01-21T07:30:00-08:00

A little while ago, I spent about a month studying for and getting my Certified Information Systems Security Professional (CISSP) certification from ISC2. I went about studying for the test a few ways:

I used the PocketPrep app
I attended a study bootcamp
I did a bunch of practice tests

And finally…

I got the ISC2 CISSP official study guide - I read it cover to cover, and highlighted and annotated the entire thing.

Twitter (@MrThomasRayner) told me there is interest in seeing my study notes. So, here we go! Welcome to my 21 part series on the takeaways and crucial points from each chapter in the ISC2 CISSP official study guide. To be clear, this isn’t a replacement for all those other study methods I mentioned above. This is just a supplement. This also isn’t everything you need to know for the test. This is just what I feel are the most important points.

The CISSP exam is often said to be “a mile wide but only an inch deep” which means you need to know a little bit about a lot of stuff. Accordingly, these posts contain a lot of points and while you might not be questioned on all of them, you could be questioned on any of them. It’s important to have a good grip on every chapter in its entirety.

Notes by Chapter

Reach out

I hope this helps you in your studies. If you have questions, find me online. Did this guide help you? I want to hear from you, too!

Good luck!

CISSP Study Notes Chapter 18 - Disaster Recovery Planning

2021-09-01T07:30:00-07:00

Chapter 18 dives into security assessment and testing, and security operations like implementing recovery strategies, DR processes, and testing disaster recovery plans.

Last summer I spent about a month studying for and getting my Certified Information Systems Security Professional (CISSP) certification from ISC2. I went about studying for the test a few ways:

I used the PocketPrep app
I attended a study bootcamp
I did a bunch of practice tests

And finally…

I got the ISC2 CISSP official study guide - I read it cover to cover, and highlighted and annotated the entire thing.

Previous Chapters

Chapter 18 - Disaster Recovery Planning

My key takeaways and crucial points

Managing Incident Response

Disaster recovery plan - covers situations where tensions are already high and cooler heads may not naturally prevail, should be setup to basically run on autopilot and remove all decision making.
Natural disasters
- Earthquake - shifting of seismic plates
- Floods - Gradual accumulation of rainwater, or caused by seismic activity (tsunamis)
  - “100 year flood plain” means there is an estimated chance of flooding in any give year of 1/100
- Storms - Prolonged periods of intense rainfall
- Fires - including wildfires, and man-made, may be caused by carelessness, faulty electrical wiring, improper fire proteciton practices
  - 1000 building fires in the United States every day
- Acts of terrorism - General business insurance may not cover against terrorism
- Bombings/explosions - Including gases from leaks
- Power outages - protected against by uninterruptible power supply (UPS)
- Network, utility, and infrastructure failures
  - Which critical systems rely on water, sewers, natural gas, or other utilities?
  - Think about internet connectivity as a utility.
  - Do you consider people a critical business system? People rely on things like water.
- Hardware/software failures - Hardware components simply wear out, or suffer physical damage.
- Strikes/picketing - human factor. If a large number of employees walk out at the same time, what would happen to your business?
- Theft/vandalism - Insurance provides some financial protection

Understand System Resilience and Fault Tolerance

Single point of failure - SPOF, any component that can cause an entire system to fail.
Fault tolerance - the ability of a system to suffer a fault but continue to operate
System resilience - the ability of a system to maintain an acceptable level of service during an adverse event
Protecting hard drives
- RAID-0 - striping
- RAID-1 - mirroring
- RAID-5 - striping with parity
- RAID-10 - aka RAID-1+0, or a stripe of mirrors
Protecting servers
- Failover - If one server fails, another server in a cluster can take over its load
- Load balancers detect failures and stop sending traffic to the bad server
- Provide fault tolerance
- Many IaaS providers offer load balancing that automatically scales resources as needed
Protecting power sources
- Uninterruptible power supply - UPS, battery supplied power for a short period of time that kicks in when power is lost, while a generator starts up to provide backup power
- Spike - a quick instance of voltage increase
- Sag - a quick reduction in voltage
- Surge - a long instance of a spike
- Brownout - a long instance of a sag
- Transients - noise on a power line that can come from different sources
- Line interactive UPS - include variable voltage transformer that helps adjust to over/under voltage events

Trusted Recovery

Trusted recovery - After a failure, the system is just as secure as it was before
Fail-secure system - defaults to a secure state in the event of a failure, blocking all access
- Firewalls are normally fail-secure
Fail-open system - defaults to an open state, granting access
- Emergency exit doors are normally fail-open to allow people to escape a hazard in an emergency
Manual recovery - After a system failure, it does not fail in a secure state and an administrator needs to perform actions to implement a secured or trusted recovery
Automated recovery - The system can perform a trusted recovery to restore itself against at least one type of failure
Automated recovery without undue loss - Like automated recovery but it also includes mechanisms to ensure that specific objects are protected to prevent their loss
Function recovery - Automatically recover specific functions

Quality of Service

Bandwidth - network capacity
Latency - time it takes a patcket to travel
Jitter - variation in latency
Packet loss - requires retransmission
Interference - electrical noise, faulty equipment

Recovery Strategy

DR plan should be designed so first employees on the scene can immediately start recovery efforts in an organized way, even if official disaster ecovery team isn’t there yet
Insurance can reduce the risk of financial losses
Business unit and functional priorities
- Must engineer DR plan to allow highest priority business units to recover first
- Not all critical functions will be carried out in critical business units
- Perform a business impact assessment (BIA) - Identify vulnerabilities, develop strategies to minimize risk, provide a report that describes risks. Also identify costs related to failures. Results in a prioritization task. Minimum output of BIA is a simple listing of business units in priority order.
Crisis management
- Individuals in business who are most likely to notice an emergency situation should be trained in DR procedures and know proper notification processes
Emergency communications
- Communicate internally during a disaster so employees know what is expected of them
Workgroup recovery
- The goal is to restore workgroups to the point that they can resume their activities in their usual work locations
- May need separate recovery facilities for different workgroups
Alternate processing sites
- Cold site - standby facility, no computing facilities preinstalled. Low cost.
- Hot site - backup facility that is maintained in constant working order, can have replication forced to it or backups taken from primary site to hot site. Higher cost.
- Warm site - between hot and cold sites, contain equipment needed to establish operation, but not the production data, may take 12 hours to become operational.
- Mobile site - self contained trailers or other relocated units
- Service bureau - company that leases computer time
- Cloud computing - ready-to-run images in cloud providers is usually cost-effective
- Mutual assistance agreements - MAA, aka reciprocal agreements are rarely implemented but would mean two organizations pledge to assist each other if there’s a disaster by sharing computing facilities. Difficult to enforce, confidentiality concerns, proximity is an issue.
Database recovery
- Electronic vaulting - database backups are moved to a remote site using bult transfers. Done in batch, not realtime.
- Remote journaling - data transfers are performed in a more expeditious mannar, still in bulk transfer, but done in realtime.
- Remote mirroring - most advanced, most expensive. Live DB server is maintained at the backup site.

Recovery Plan Development

Maintain multiple types of plan documents for different audiences
Checklists
Emergency response - simple but comprehensive instructions for essential personnel to follow immediately upon recognizing that a disaster is in progress. Most important tasks first.
Personnel and communications - List of personnel to contact in the event of a disaster
Backups and offsite storage
- Full backups - complete copy
- Incremental backups - Files that have been modified since most recent full or incremental backup. Only files with archive bit turned on are duplicated, then those vits are turned off.
- Differential backups - Files that have been modified since the last full backup. Only files with archive bit turned on, but the bit is left on afterwards.
- Difference between incremental and differential is the time needed to restored data in an emergency vs time taken to create the backups.
Software escrow arrangement - protects a company against failure of a developer to provide adequate support for products or if the developer goes out of business
External communications may be performed by public relations officials
Logistics refers the problem of moving large numbers of people, equipment, and supplies
Recovery is bringing business operations and processes back to a working state, while restoration involves bringing the facility and environment back to a working state. DRP should define criteria for both.

Training, Awareness, and Documentation

Should have these elements
- Orientation training for new employees
- Initial training on new DR roles
- Detailed refersher training for DR team members
- Awareness refershers for all other employees
DRP should be treated as exteremely sensitive and provided to individuals on a compartmentalized, need-to-know basis

Testing and Maintenance

Read through test - Distribute copies of DR plans and review them
Structured walk through - Table-top exercise with the members of the DR team gather, basically role-playing
Simulation test - Team members are presented with a scenario and asked to develop a response
Parallel test - Relocating personnel to alternate recovery site and implementing site activation procedures
Full-interruption test - Actually shut down the primary site and shift them to the backup site
DR plans are living documents and need maintenance. They should refer to the organization’s business continuity plan as a template.

CISSP Study Notes Chapter 19 - Investigations and Ethics

2021-09-01T07:30:00-07:00

Chapter 19 covers how to understand, adhere to, and promote professional ethics, understanding and supporting investigations, and understanding different investigation types.

Last summer I spent about a month studying for and getting my Certified Information Systems Security Professional (CISSP) certification from ISC2. I went about studying for the test a few ways:

I used the PocketPrep app
I attended a study bootcamp
I did a bunch of practice tests

And finally…

I got the ISC2 CISSP official study guide - I read it cover to cover, and highlighted and annotated the entire thing.

Previous Chapters

Chapter 19 - Investigations and Ethics

My key takeaways and crucial points

Investigations

Administrative investigations - internal investigations that examine either operational issues or a violation of the organization’s policies. May transition to another type of investigation.
Root cause analysis - determine the reason that something occured.
Criminal investigations - conducted by law enforcmenet, related to alleged violation of criminal law. Must meet “beyond a reasonable doubt” standard which states there are no other logical conclusions.
Civil investigations - do not involve law enforcement, but involves internal employees and outside consultants working for a legal team. Must meet the weaker “preponderance of the evidence” standard that demonstrates the outcome is more likely than not. Not as rigorous.
Regulatory investigations - government agencies do these when they think there’s been a violation of administrative law. Violations of industry standards.
Electronic discovery
- Information governance - info is well organized
- Identifification - locates the information
- Preservation - protected against alteration or deletion
- Collection - gatehrs the responsive information centrally
- Processing - screens the collected information
- Review - determine what information is responsive to the event
- Analysis - deeper inspection
- Production - place info in a format that it may be shared
- Presentation - show info to witnesses, the court, other parties
Admissible evidence - must be relevant to determining a fact, material/related to the case, competent (obtained legally)
Evidence types
- Real - things that may actually be brought into a court of law, aka conclusive evidence
- Documentary - written items brought to court to prove a fact at hand
- Testimonial - testimony of a witness, can be direct evidence based on their observations, or expert opinions
- Hearsay - something that was told to someone outside of court - not admissible
Best evidence rule - original documents must be introduced, not copies
Parol evidence rule - when an agreement between parties is put into writing, the document is assumed to contain all the terms of the agreement and that no verbal agreement may modify the written agreement
Chain of evidence/custody
- Evidence should be labled with general description, time and date of collection, location evidence was collected from, name of collector, relevant circumstances

Evidence Collection and Forensic Procedures

Actions taken to collect should not change evidence
Person should be trained to access evidence
All activity related to evidence should be fully documented, preserved, available for review
Individuals are responsible for all actions taken
Preserve the original evidence
Network analysis - when incidents take place over a network. Often difficult to reconstruct because networks are volatile, and depend on prior knowledge than an incident is underway or logs.
Software analysis - reviews of applications or activity, or review of software code and log files.
Hardware/embedded device analysis - includes memory, storage systems

Investigation Process

Rules of engagement - define and guide investigative actions
Gathering evidence
- Voluntary surrender - given up willingly, usually when the attacker is not the owner
- Subpoena - or court order, the court compels someone to provide evidence, but this gives the data owner time to alter the evidence and ruin it
- Search warrant - used when you must have access to evidence without alerting evidence owner or other personell, the court allows you to seize evidence
Deciding whether or not to involve law enforcement is challenging because incidents are more likely to become public, and the Fourth Amendment hampers government investigators in ways that private companies are not.
Never conduct investigations on an acutal system that was compromised. Take them offline and use backups.
Do not attempt to “hack back” and avenge a crime.
Call in expert assistance if needed.
Interviewing - gather information from an individual. If information is presented in court, the interview is an interrogation.
Attackers often try to santize log files after attacking, so to preserve evidence, logs should be centralized remotely.
A final report should be produced by any investigation that details the processes followed, evidence collected, and final results of investigation. Lays the foundation for escalation and legal action.

Major Categories of Computer Crime

Computer crime - violation of law that invovles a computer. Any individual who violates your security policies is an attacker.
Military and intelligence attacks - restricted ifnormation from law enforcement or military and research sources
Business attacks - focus on illegally obtaining confidential information. Aka corporate espionage or industrial espionage. Stealing trade secrets.
Financial attacks - carried out to unlawfully obtain money or services. Ex: shoplifting, burglary.
Terrorist attacks - to disrupt normal life and instill fear, as opposed to military or intelligence attack which is designed to extract secret information.
Grudge attacks - to do damage to an organization or person, usualy out of resentment or to “get back at” an organization. Insider threat is big, these attacks can come from disgruntled employees.
Thrill attacks - done for “the fun of it”, usually by “script kiddies”. May also be related to “hacktivism”.

Ethics

Rules that govern personal conduct
Codes of ethics are not laws, but standards for professional behavior

CISSP Study Notes Chapter 20 - Software Devlopment Security

2021-09-01T07:30:00-07:00

Chapter 20 talks about understanding the security in the software development lifecycle, identifying and applying security controls in development environments, assessing the effectiveness of software security, assessing security impact of acquired software, and applying secure coding guidelines and standards.

Last summer I spent about a month studying for and getting my Certified Information Systems Security Professional (CISSP) certification from ISC2. I went about studying for the test a few ways:

I used the PocketPrep app
I attended a study bootcamp
I did a bunch of practice tests

And finally…

I got the ISC2 CISSP official study guide - I read it cover to cover, and highlighted and annotated the entire thing.

Previous Chapters

Chapter 20 - Software Devlopment Security

My key takeaways and crucial points

Software Development

Programming languages
- Binary code - what computers understand, a series of 1s and 0s called machine language.
- High level languages like Python, C++, Ruby, R, Java, Visual Basic allow programmers to write instructions that are better approximates for human communication.
- Compiled languages like C, Java, FORTRAN use a compiler to convert the higher level language into an executable that the computer understands.
- Interpreted languages like Python, R, JavaScript are not compiled and run in their original versions.
- Compiled code is generally less prone to third party manipulation, but it is easier to hide malicious code. Compiled code is neither more nor less secure than interpreted.
Object oriented programming
- Each object in the OOP model has methods that correspond to specific actions that can be taken on the object, and inherit methods from their parent class
- Provides a black-box approach to abstraction
- Message - a communication to or input of an object
- Method - internal code that defines the actions an object performs
- Behavior - result of an object processing a method
- Class - collection of common methods from a set of objects that defines behavior
- Instance - objects are instances of a class
- Inheritance - methods from a class are passed from a parent class to a child class
- Delegation - forwarding a request by an objec tto another object
- Polymorphism - the characteristic of an object that allows it to respond to different behaviors to the same message or method because of external condition changes
- Cohesion - strength of the relationship between purposes of methods within the same class
- Coupling - level of interaction between objects
Assurance - properly implementing security policy through lifecycle of the System (according to the Common Criteria in a government setting)
Avoiding and mitigating system failure
- Input validation - when a user provides a value to be used in a program, make sure it falls within the expected parameters otherwise processing is stopped. Limit checks are when you check that a value falls within an acceptable range. Should always occur on the server side of a transaction.
- Authentication and session management - require that users authenticate, and developers should seek to integrate apps with organizations existing authentication systems. Session tokens should exire, and cookies should only be transmitted over secure, encrypted channels.
- Error handling - Errors should not expose sensitive internal information to attackers.
- Logging - OWASP suggests logging these events: input validation failures, authentication attempts and failures, access control failures, tampering attempts, use of invalid or expired session tokens, exceptions raised by the OS or applications, administrative privilege usage, TLS failures, and cryptographic errors.
Fail secure - high level of security
Fail open - allows users to bypass failed security controls
Software should revert to a fail-secure. This is what a Windows Blue Screen of Death does.
Must balance security, functionality, user-friendliness.

Systems Development Lifecycle

Conceptual definition - creating the basic concept statement for a system. Not longer than one or two paragraphs, and is agreed on by all interested stakeholders.
Functional requirements determination - specific functionalities listed, devs start to think about how the parts of the system should interoperate. Think about input, behavior, output. Stakeholders must agree to this, too, and this document should be often referred to.
Control specifications development - continues above design and review phases. Consider access controls, how to maintain confidentiality, provide an audit trail and a detective mechanism for illegitimate activity.
Design review
Code review walk-through - developers start writing code, walk through it looking for problems.
User acceptance testing - actual users validate the system
Maintenance and change management - ensure continued operation while requirements and systems change

Lifecycle Models

Waterfall - Invented by Winston Royce in 1970. 7 stages, and each stage must be completed before the project moves to the next phase. Modern waterfall allows for moving backwards via “feedback loop”. The first comprehensive attempts to model the software development process.
Spiral - 1988 by Barry Boehm, allows for multiple iterations of a waterfall style process. System developers apply the whole waterfall process to the development of several prototypes, and return to the planning stages as demands and requirements change.
Agile - emphasis on needs of the customer, quickly developing new functionality. Highest priority is to satisfy the customer through early and continuous delivery, handle changing requirements, prefer short timescales, collaboration.
Gantt charts show interrelationships over time between projects and schedules. PERT is a project scheduling tool that relates estimated lowest possible size, most likely size, and highest possible size for each component.
Change and configuration management - changes should be centrally logged.
- Request control - users can request modifications, managers cna conduct cost/benefit analysis, and tasks can be prioritized
- Change control - developers try to recreate situation encountered by the user, implements an organized framework, and allows devs to test a solution before rolling it out
- Release control - changes are reviewed and approved, includes acceptance testing
- Configuration identification
- Configuration control
- Configuration status accounting
- Configuration audit
DevOps - seeks to unify software development, quality assurance, and technology operations, rather than allowing them to operate in separate silos. Aims to decrease time required to develop and deploy software changes - you might even deploy several times a day.
Application programming interfaces - APIs, allow websites to interact with each other by bypassing traditional webpages and interacting with the underlying service. May have authentication requirements.
Software testing
- Reasonableness check - Ensures the values returned by software match criteria, should be done via separation of duties
- White box testing - step trhough code line by line
- Black box testing - from a user’s perspective
- Gray box testing - combine white and black
- Static testing - without running the code
- Dynamic testing - done in a runtime environment
Code repositories are a central storage point for developers to collaborate on source code.

Establishing Databases and Data Warehousing

Hierarchical data model - logical tree structure, a one to many model
Distributed data model - data stored in several databases that are logically connected
Relational database - each table looks like a spreadsheet with row/column structure and a one to one mapping relationship
- Candidate keys - subset of attributes that can uniquely identify a record in the table
- Primary keys - selected from candidate keys to identify data. Only one primary key per table.
- Foreign keys - used to enforce relationships between two tables (referrential integrity), and ensure that if one table contains a foreign key, it corresponds to a primary key in another table
Database transactions - discrete sets of SQL instructions that will either succeed or fail as a group.
- Must be committed to the database and cannot be undone when it succeeds.
- ACID model
  - Atomicity - all or nothing
  - Consistency - consistent with all the database’s rules
  - Isolation - transactions operate separately
  - Durability - once committed, they are preserved
Security for multilevel databases
- These contain information with a variety of different classifications, and must verify labels assigned to owners and provide only the appropriate information
- Concurrency - edit control is a preventitive control that states information stored in the database is always correct. Locks allow one user to make changes but deny other users access at the same time.
- Lost updates - when different processes make updates and are unaware of each other
- Dirty reads - reading a record from a transaction that did not successfully commit
Open database connectivity - a proxy between applications and backend database drivers that give programmers greater freedom in creating solutions without having to worry about the underlying database
NoSQL - key/value stores that are good for high-speed applications, graph databases, and document stores.

Storing Data and Information

Storage types
- Primary/real memory - resources directly available to the CPU like RAM
- Secondary storage - inexpensive, nonvolatile storage like hard drives
- Virtual memory - simulate more primary memory via secondary storage
- Random access storage - request conteints from any point within the media (RAM and hard drives)
- Sequential access storage - needs to scan through the entire media, like a tape
- Volatile storage - loses contents when power is removed (RAM)
- Nonvolatile storage - does not depend on the presense of power
Covert storage channels allow transmission of sensitive data between classification levels through the direct or indirect manipulation of shared storage media.

Understanding Knowledge Based Systems

Expert systems - embody accumulated knowledge of experts. Have a knowledge base and an inference engine. Knowledge is codified in a series of “if/then” statements.
Inference engines examine information int he knowledge base to arrive at a decision.
Machine learning
- Supervised learning uses labeled data
- Unsupervised learning uses unlabeled data
Neural networks
- Chains of computational units used to attempt to imitate biolgical reasoning processes of the human mind
- Extension of machine learning
- Aka deep learning
- Delta rule - the ability to learn from experience

CISSP Study Notes Chapter 21 - Malicious Code and Application Attacks

2021-09-01T07:30:00-07:00

Chapter 21 covers the topics of assessing vulnerabilities of security designs and vulnerabilities in web based systems, as well as identifying security controls in development environments and applying secure coding guidelines.

Last summer I spent about a month studying for and getting my Certified Information Systems Security Professional (CISSP) certification from ISC2. I went about studying for the test a few ways:

I used the PocketPrep app
I attended a study bootcamp
I did a bunch of practice tests

And finally…

I got the ISC2 CISSP official study guide - I read it cover to cover, and highlighted and annotated the entire thing.

Previous Chapters

Chapter 21 - Malicious Code and Application Attacks

My key takeaways and crucial points

Malicious Code

Script kiddie - malicious individual who doesn’t understand the technology behind vulnerabilities, but downloads and launches ready to use tools. Often located in countries with weak law enforcement, use malware to steal money and identities.
Advanced persistent threat - APT, sophisticated adversaries with advanced technical skills and financial resources. Often military units or intelligence agencies, and have access to zero day exploits.
Virus - two main functions, propagation and destruction
- Propagation techniques
  - Master boot record - attack bootable media
  - File infector - ending in .exe or .com, alter code of executables
  - Macro - leverage scripting functionality of other software
  - Service injection - inject into trusted runtimes like explorer.exe
Antivirus mechanisms
- Signature based detection - database of characteristics that indentify viruses
- Eradicate virues
- Quarantine - isolate but not remove
- Require frequent updates
- Heuristic - examines the behavior of software to look for bad behavior
Multipartite virus - uses more than one propagation technique
Stealth virus - tampers witht he OS to fool antivirus into thinking everything is fine
Polymorphic virus - modifies their own code from system to system
Encrypted virus - similar to polymorphic
Hoax - nuisance and wasted resources
Logic bomb - lies dormant until triggered by one or more met conditions like time, a program launch, etc.
Trojan horse - software that appears benevolent but carries a malicious payload
Ransomware - encrypts files and demands payment in exchange for the decryption key
Worms - propagates themselves without requiring human intervention
Code red worm - summer of 2001, attached unpatched Microsoft IIS servers
Stuxnet - mid 2010, attached unprotected administrative shares and used zero day vulnerabilities to specifically attach systems used in the production of material for nuclear weapons
Spyware - monitors your actions
Adware - shows you advertisements
Zero day attack - the necessary delay between discovery of a new type of malicious code and the isuance of patches creates a window for zero day attacks

Password Attacks

Passowrd guessing - attackers simply attempt to guess the user’s password
Dictionary attacks - tools like John the Ripper take a list of possible passowrds and run an encryption function against them to see which one matches an encrypted password
Rainbow table - pre-calculated list of known plaintext and its encrypted value, used to decrease time taken to do dictionary attacks
Social engineering
- Tricking a user into sharing sensitive information like their password
- Spear phishing - specifically targetted at an individual
- Whaling - subset of spear phishing sent to high value targets
- Vishing - phishing over voice communications
- Dumpster diving - attackers go through trash to look for sensitive informati9on
Users should choose strong passwords and keep them a secret

Application Attacks

Buffer overflows - devs don’t properly validate user input, and input that is too large can overflow a data structure to affect other data stored in memory.
Time of check/time of use - timing vulnerability where a program checks access permissions to far in advance of a resource request
Back door - undocumented sequences that allow individuals to bypass normal access restrictions

Web Application Security

Cross site scripting - XSS, when web apps contain some kind of reflected input. User input is embedded in the site and can be used to perform malicious activities.
Cross site request forgery - XSRF/CSRF, similar to cross site scripting, but exploit a trust relationship. Exploit the trust a remote site has in a user’s system to execute commands on the user’s behalf, often when users are logged into multiple websites at the same time in one browser window.
SQL injection - poorly santitized input contains SQL commands which are executed. Combat by using prepared statements, validating user input, and limiting account privileges.

Reconnaissance Attacks

Reconnaissance - Attackers find weak points in targets to attack.
IP probes - automated tools that attempt to ping addresses in a range.
Port scans - probe all the active systems on a network and determine what services are running on each machine.
Vulnerability scans - discovery specific vulnerabilities in a system.

Masquerading Attacks

Impersonation of someone who does not have the appropriate access permissions.
IP spoofing - an attacker reconfigures their system to make it look like they haev an IP address of a trusted system.
Session hijacking - an attacker intercepts part of the commmunication between an authorized user and a resource, and then uses a hijacking technique to take it over and assume the identity of the authorized user.

CISSP Study Notes Chapter 17 - Preventing and Responding to Incidents

2020-12-02T07:30:00-08:00

Chapter 17 goes over conducting logging and monitoring activities, conducting incident management, and operating and maintaining detective and preventative measures.

Last summer I spent about a month studying for and getting my Certified Information Systems Security Professional (CISSP) certification from ISC2. I went about studying for the test a few ways:

I used the PocketPrep app
I attended a study bootcamp
I did a bunch of practice tests

And finally…

I got the ISC2 CISSP official study guide - I read it cover to cover, and highlighted and annotated the entire thing.

Previous Chapters

Chapter 17 - Preventing and Responding to Incidents

My key takeaways and crucial points

Managing Incident Response

Defining an incident
- Any event that has a negative effect ont he confidentiality, integrity or availability of an organization’s assets
- ITIL says it’s any unplanned interruption
- A computer secuirty incident is a result of an attack, or the result of malicious or itentional actions on the part of users
- NIST 800-61
Incident response steps
- Incident response is an ongoing activity
- Does not include a counterattack
  - Usually illegal, often results in escalation
Detection
- Must be able to quickly identify false alarms and user errors
Response
- Computer incident response team (CIRT)
- Activate the team during a major security incident, but not for minor incidents
- Computers should not be turned off when containing an incident
  - Important for forensics
Mitigation
- Contain an incident
- Limit the effect or scope of an incident
- Address it without worrying about it spreading
Reporting
- Within the org and to groups outside the org
- Beware of legal requirementse
- If a data breach exposes PII, the organization must report it
- Consider reporting the incident to official agencies, they might be able to help
Recovery
- Recover the syustem or return it to a fully functioning state
- Restoring data
- Ensure it is configured properly and is at least as secure as it was before the incident
- Configuration management and chanage management programs are important here
Remediation
- Attempt to identify what allowed it to occur, implement methods to prevent it from happening again
- Root cause analysis
Lessons learned
- Examine the incident and the response to see if there are any lessons to be learned
- Improve the response
- Output of this stage can be fed back to the detection stage
- Create a report

Implementing Detective and Preventive Measures

Basic preventive measures
- Keep systems and applications up to date
- Remove or disable unneeded services and protocols
- Use intrusion detection and prevention syustems
- Use up to date anti-malware software
- Use firewalls
- Implement configuraiton and system management processes

Understanding Attacks

Botnets
- Bot herder
  - A criminal who controls computers in the botnet via one or more command and control servers
- Defense in depth
- Educating users
Denial of service attacks
- DoS attacks
- Prevent a system from processing or responding to legitimate traffic or requests for resources and objects
- Distributed denial of service attacks occur when multiple systems attack a single system at the same time
- Distributed reflective denial of service attack doesn’t attack the victim directly but manipulates traffic or a service so the attacks are reflected back to the victim from other sources
SYN flood attack
- Disrupts the standard 3 way handshake used by TCP
- Consume available memory and processing power
- SYN cookies can block this attack
- Reduce the amoun tof time a server will wait for an ACK
Smurf attacks
- Another type of flood attack, but floods with ICMP echo packets instead of TCP SYN
Fraggle attacks
- Similar to smurf, but instead of ICMP, useds UDP packets over ports 7 and 19
Ping flood
- Floods a victim with ping requests
Ping of death
- Oversized ping packet
- Buffer overflow error
Teardrop
- Attacker fragments traffic in a way that a system is unable to put it back together
Land attacks
- Attacker sends spoofed SYN packets to a victim using the victim’s IP address as botht he soure and destination IP
Zero day exploit
- Vulnerabilities that are unknown to others
- The attacker is the only one aware of the vulnerability, before the vendor makes a patch
- The gap between when the vendor releases the patch and when administrators apply it is a dangerous zone
- Honeypots and padded cells
Malicious code
- Any script or program that performs an unwanted, unauthorized or unknown activity on a computer system
- Drive by downloads
  - Code is installed on a user’s system without the user’s knowledge
Man in the middle attacks
- MITM
- Malicious users gain a position logically between the two endpoints
- Copying or sniffing the traffic between parties
- A store and forward or proxy mechanism
- Intrusion detection systems cannot usually detect MITM or hijack attacks
- VPNs
Sabatoge
- A criminal act of destruciton or disruption committed against an organization by an employee
- Employee terminations should be handled swiftly
  - Account access should be disabled ASAP
Espionage
- The malicious act of gathering classified information about an organization
- Disclosing or selling ifnormation to a competitor
- Mole/plant - an employee with a secret allegience to another organization whose goal is to steal information
- Screen and track employees effectively

Intrusion Detection and Prevention Systems

Intrusion
- Attacker can bypass security mechanisms
Intrusion detection
- Monitors recorded information
Intrusion prevention system
- IPS
- Can take steps to stop/prevent intrusions
- NIST 800-96
Knowledge/Behavior-based detection
- Knowledge based
  - aka signature based
  - Database of known attacks
- Behavior based
  - aka statistical/anomaly, heuristics
  - Creates a baseline of normal activities and events on a system, detects abnormal activity
  - aka an Expert System
SIEM systems
- Security ifnromation and event management system
- Advanced analytic tools
- Passive response
  - Notifies administrators
- Active response
  - Can modify the environment
    - Modifies ACLs, addresses, disable communications over specific segments, etc.
Host and Network based IDSs
- Host based
  - Monitors a single computer
  - Can detect anomalies on the host that a network IDS cannot
  - Requires admin attention on each system
- Network based
  - Evaluates network activity
  - Can monitor a large network to collect data at key locations
  - Switches are often used as a preventive measure against rogue sniffers
  - Very little effect on network performance
  - Usually able to detect initation of attack, not always about the success of an attack
Intrusion prevention systems
- Placed in line with traffic
- Active IDS that is not placed in line can check the activity only after it has reached the target

Specific Preventive Measures

Honeypot
- Individual computers created as a trap for intruders
- Honeynet, a network of honeypots
- Do not host any data of real value
- Opportunity to observe an attacker’s activity
- Enticement vs entrapment
  - Intruder must discover it through no outward effort of the honeypot owner
- Psuedo flaws
  - False vulnerabilities
- Padded cells
  - Look and feel like an actual network but attackers are unable to perform any malicious activities
  - Offer fake data
Warning banners
- Inform users and iuntruders about security policy guidelines
- Legally bind uesrs
- No tresassing signs
Anti-malware
- Signature files and heuristic capabilities must be kept up to date
- Firewalls with content-filtering capabilities
- Install only one anti-malware applicatoin on any system
- Least privilege helps
- Educating users
Whitelisting and blacklisting
- Should be called allowlisting and denylisting, but these are the terms CISSP uses
- Whitelisting identifies a list of applicaitons that are authorized to run
- Blacklisting is a list of applications that are blocked
Firewalls
- Filtering traffic based on IP address, port, protocols
- Second generation firewalls add additional filtering capabilities based on application requirements
- Next generation firewalls function as a unified threat management device and have even more filtering, like packet filtering and stateful inspection, as well as packet inspeciton
Sandboxing
- Prevents the application from interacting with other applciations
- Virtualization techniques
Third party security services
- SaaS
  - Software as a service
Penetration testing
- Mimics an actual attack to attempt to identify which techniques attackers cna use to circumvent security
- NIST 800-115
- Include a vulnerability scan/assessment
- Attempt to exploit weaknesses
- Determine how well a system can tolerate attack
- Identify employees’ ability to detect and respond to attacks in real time
- Identify additional controls that can be implemented to reduce risk
- Pentesting risks
  - Some methods can cause outages
  - Should stop before doing actual damage
  - Should try to perform pentesting in a test system
- Must always have permission in writing with the risks spelled out
- Black box testing
  - Zero knowledge
- White box testing
  - Full knowledge
- Gray box testing
  - Partial knowledge
- Social engineering techniques are often used
- Must protect pentesting reports because they describe attacks against the system
- Reports must make a recommendation
- AKA ethical hacking

Logging, Monitoring, and Auditing

Logging
- Recording information about events to a file or database
Log types
- Security logs - access to resources
- System logs - system events
- Application logs - specific applications
- Firewall logs
- Proxy logs - include details such as what sites specific users visit and how much time they spend on those sites
- Change logs
  - Part of a disaster recovery program
Protecting log data
- Use logs to recreate events leading up to and during an incident only if the logs haven’t been modified
- Store copies on a central system like a SIEM
- FIPS 200
Audit trails
- Records created when information about events is stored in one or more databases or log files
- Passive form of detective security control
- Also serve as a deterrent
- Essential as evidence in the prosecution of criminals
Monitoring and accountability
- Users claim an identity and must prove their identity by authenticating
- Audit trails record their activity
- Users who are aware that lgos are recording are less likely to try to circumvent security controls or perform unauthorized activities
Monitoring
- The process of reviewing logs looking for something specific
- Continuous process
- Log analysis
  - Detailed form of monitoring, logs are analyzed for trends and patterns
- Many orgs use a centralized application for monitoring
- SIEMs may include a correlation engine to help combine multiple log sources into meaningful data
Sampling
- Extracting elements from a large collection to construct a meaningful representation of the whole
Clipping levels
- Predefine dthreshold for the event, ignoring events until they reach the level
Keystroke monitoring
- Act of recording keystrokes a user performs on a keyboard
- Often compared to wiretapping
Traffic and trend analysis
- Examine the flow of packets rather than the contents
Egress monitoring
- Watching outgoing traffic to prevent data exfiltration
Data loss prevention
- Detect and block data exfiltration attempts
- Network based scan all outgoing data
- Endpoint based scan files stored on a system
- Deep level examinations of data in files
Steganography
- The practice of embedding a message within a file
Watermarking
- The practice of embedding an image or pattern in paper that isn’t readily perceivable, often to thwart counterfeiting attempts

Auditing to Assess Effectiveness

Auditing
- A methodical examination of an environment
- Use audit logs and monitoring tools to track activity
- Auditing - Inspection or evaluation
Auditors
- Test and verify that processes and procedures are in place to implement security policies or regulations
Inspection audits
- Clearly define and adhere to the frequence of audit reviews
Access review audits
- Ensure that object access and account management practices suppor the current security policy
- Ensure that accounts are disabled and deleted in accordance with best practices and security policies
- Typical termination process:
  - At least one witness is present during exit interview
  - Account access terminated during interview
  - Employee ID badges and physical credentials are collected
  - Employee escorted off premises immediately
User entitlement audits
- Refers to the prvileges gratned to users
- Enforce least privilege principle
Audits of privileged groups
- High level adminstrator groups
- Dual administrator accounts
  - Separation of privileges (normal account and a privileged account)
Security audits and reviews
- Patch management - patches are evaluated ASAP, properly deployed through a testing process
- Vulnerability management - compliance with established guidelines, scans and assessments
- Configuration management - Use tools to check specific configurations of systems and identify when a change has occured
- Change management - Changes are implemented in accordance to change management policy
Reporting audit results
- Report needs purpose, scope and results
Protecting audit results
- Contain sensitive information, need a classification label
- Sometimes create a seaprate audit report with limited data for separate distribution
- When distributing, get signed confirmation
External auditors
- Some laws require this
- Provide a level of objectivity that interal audits can’t
- Interim reports - written or verbal given to the org about observerations that demand immediate attention

CISSP Study Notes Chapter 16 - Managing Security Operations

2020-10-14T07:30:00-07:00

Chapter 16 goes over securely provisioning resources, understanding and applying foundational security operations concepts, applying resource protection techniques, implementing and supporting patch and vulnerability management, understanding and participating in change management, and addressing personnel safety and security concerns.

Last summer I spent about a month studying for and getting my Certified Information Systems Security Professional (CISSP) certification from ISC2. I went about studying for the test a few ways:

I used the PocketPrep app
I attended a study bootcamp
I did a bunch of practice tests

And finally…

I got the ISC2 CISSP official study guide - I read it cover to cover, and highlighted and annotated the entire thing.

Previous Chapters

Chapter 16: Managing Security Operations

My key takeaways and crucial points

Applying Security Operations Concepts

Due care and due diligence refers to taking reasonable care to protect the assets of an organization on an ongoing basis
Need to know
- Focuses on permissions and the ability to access information
- Rights
  - Refers to the ability to take actions
- Grant users access only to data or resources they need to perform assigned work tasks
Least privilege
- Granted only the privileges necessary to perform assigned work tasks and no more
- Entitlement
  - The amount of privileges granted to users
- Aggregation
  - The amount of privileges that users collect over time
- Transitive trust
  - A trust relationship between two security domains
Separation of privilege
- No single person has total control
- Collusion
  - An agreement by two or more persons to perform some unauthorized activities
- Helps reduce fraud
- Builds on least privilege
- Segregation of duties is specifically required by SOX
Two person control
- Operations that require two keys
- Ensures peer review, reduces likelihood of fraud
- Split knowledge is where information or privilege is divided among multiple users
Job rotation
- Encourages peer review, reduces fraud, enables cross training
- Acts as both a deterrent and a detection mechanism
Mandatory vacations
- Peer review, helps detect fraud and collusion
- Acts as a deterrent and a detection mechanism

Privileged Account Management

Special privilege operations
- Activities that require special access or elevated rights and permissions to perform
- Sensitive job tasks
Monitoring usage of special privileges, so organizations can deter employees from misusing privileges and detect actions
Perform access review audits

Managing the Information Lifecycle

Creation/capture
- Data is created by users, downloading files, etc.
Classification
- Should be done asap
- Ensure that sensitive data is identified and handled appropriately based on its classification
- Once data is classified, it can be marked and handled correctly
  - Easily recognize data’s value
Storage
- Periodically back up
- Encrypted
- Physical security
Usage
- Any time data is in use or in transit over a network
- Used in an unencrypted format
Archive
- Comply with laws/regulations regarding data retention
- Ensure data is available
Destruction/purging
- NIST 800-88r1

Service Level Agreements

Defines performance expectations and penalties
Sometimes have memorandums of understanding
- and/or an interconnection security agreement
- Two entities work together toward a common goal
Can specify technical requirements

Addressing Personnel Safety and Security

Always possible to replace equipment and data, can’t replace people
Human safety is ALWAYS top priority
Duress
- A simple duress system is just a panic button that sends a distress call
- More common when working alone
- Code words or phrases
Travel
- Verify a person’s identity before opening a hotel door
- Sensitive data is ideally not brought on the road, but if it is it needs to be encrypted
- Malware/monitoring devices
  - Maintain physical control of all devices
  - Do not bring personal devices
- Free WiFi
  - Vulnerable to man in the middle attacks
Emergency management
- Natural or man-made disasters
- Locate sensitive physical assets toward the center of the building

Managing Virtual Assets

Reduction in overall operating costs when going virtual
Hypervisor
- Essential virtualization software

Managing Cloud Based Assets

SaaS
- Software as a service
- Fully functional applications accessed via web browser, usually
PaaS
- Platform as a service
- Computing platform, including hardware, an OS, and applications
IaaS
- Infrastructure as a service
- Basic computing resources
NIST 800-145
Public cloud
- Available for any consumers
Private cloud
- Single organization
Community cloud
- Two or more organizations
Hybrid cloud
- Combination of two or more clouds

Media Management

Includes any hard copy of data
When media is marked, handled and stored properly, it helps prevent unauthorized disclosure (loss of confidentiality), unauthorized modifications (loss of integrity), and unauthorized destruction (loss of availability)
Tape media
- Keep at least two copies of backups
- At least one offsite
Mobile devices
- MDM system monitors and manages devices, ensures they are up to date
- Encryption protects data if phone is lost or stolen
Managing media lifecycle
- Once backup media has reached it’s MTTF, it should be destroyed
- Degaussing does not remove data from an SSD

Managing Configuration

Baselining
- Baselines are starting points
- When systems are deployed in a secure state with a secure baseline, they are more likely to stay secure
Using images for baselining
1. Create the image
2. Capture the image
3. Deploy the image
Ensure that desired security settings are always configured correctly

Managing Change

Change management
- Reducing unanticipated outages by unauthorized changes
- Primary goal is to ensure that changes do not cause outages
Unauthorized changes directly affect availability
Security impact analysis
1. Request the change, identify desired changes
2. Review the change
3. Approve/reject the change
4. Test the change
5. Schedule and implement the change when it will have the least impact
6. Document the change
Emergency changes can still occur, but the process still needs to document the changes
Versioning
- Labeling or numbering system that differentiates between different software sets and configurations across multiple machines or at different points in time on a single machine
Configuration documents
- Who is responsible
- Purpose of the change
- List all changes to the baseline

Managing Patches and Reducing Vulnerabilities

Systems to manage
- Any computing device with an OS
- Network infrastructure systems
- Embedded systems
Patch management
- Patch
  - Any type of code written to correct a bug or vulnerability or improve the performance of existing software
- Evaluate patches
  - Determine if they apply to your systems
- Test patches
  - Test on an isolated nonproduction system
  - Determine unwanted side effects
- Approve the patches
  - Change management
- Deploy the patches
  - Automated methods
- Verify that patches are deployed
  - Regularly test and audit systems
Vulnerability management
- Identifying vulnerabilities, evaluating them, mitigating risks
- Vulnerability scans
  - Test systems and networks for known security issues
  - Nessus by Tenable Network Security
  - Generate reports
- Vulnerability assessments
  - Scan reports from past year to determine if the organization is addressing vulnerabilities
  - “Why hasn’t this been mitigated?”
  - Part of a risk analysis or assessment
- Common vulnerabilities and exposures
  - MITRE maintains the CVE database: cve.mitre.org
  - MITRE is not an acronym, funded by US government to maintain the database

CISSP Study Notes Chapter 15 - Security Assessment and Testing

2020-10-07T07:30:00-07:00

Chapter 15 is a hefty chapter which covers designing and validating assessment, test, and audit strategies, conducting security control testing, collecting security process data, and then analyzing test output, and conducting security audits.

Last summer I spent about a month studying for and getting my Certified Information Systems Security Professional (CISSP) certification from ISC2. I went about studying for the test a few ways:

I used the PocketPrep app
I attended a study bootcamp
I did a bunch of practice tests

And finally…

I got the ISC2 CISSP official study guide - I read it cover to cover, and highlighted and annotated the entire thing.

Previous Chapters

Chapter 15: Security Assessment and Testing

My key takeaways and crucial points

Security Testing

Security tests
- Verify that a control is functioning properly
Frequent automated tests supplemented by infrequent manual tests are recommended
- Review the results of those tests to ensure that each test was successful

Security Assessments

Security assessment
- Comprehensive reviews of the security of a system applications, or other tested environment
Information security professional performs a risk assessment
Assessment report addressed to management

Security Audits

Security audit
- Use many of the same techniques for assessments, but must be performed by independent auditors
Assessments are internal use only
Audits are done for the purpose of demonstrating the effectiveness of controls to a third party
Internal audits
- Intended for internal audiences
External audits
- Performed by outside auditing firms
Third party audits
- Conducted by, or on behalf of, another organization
- Type I
  - Controls provided by audited organization as well as auditor opinion based on description
- Type II
  - Minimum six month period and also include an opinion from the auditor
  - Considered more reliable
Auditing standards
- COBIT
  - Describes common requirements orgs should have in place surrounding information systems
- ISO 27001
  - A standard approach for setting up an information security management protocol
  - ISO 27002 goes into more detail

Describing Vulnerabilities

Common vulnerabilities and exposures (CVEs)
- A naming system for vulnerabilities
Common vulnerability scoring system (CVSS)
- A scoring system for severity
Common platform enumeration (CPE)
- A naming system for configuration issues
Extensible configuration checklist description format (XCCDF)
- Language for security checklists
Open vulnerability and assessment language (OVAL)
- Language for security testing procedures

Vulnerability Scans

Vulnerability scans
- Automatically probe systems
Network discovery scans
- NMAP - a network scanning tool
- TCP SYN scanning
  - Single packets sent with the SYN flag set
- TCP connect scanning
  - Opens a full connection to the remote system
- TCP ACK scanning
  - Send a packet with ACK set, indicating it’s part of an open connection
  - Helps determine firewall rules
- Xmas scanning
  - FIN, PSH, URG flags are set on packets sent to systems
Port statuses
- Open - there is an application that is actively accepting connections
- Closed - The firewall is allowing access, but there is no application accepting connections
- Filtered - Unable to determine if a port is open or closed because of a firewall
Network vulnerability scanning
- Deeper than a discovery scan
- Tools contain databases of thousands of known vulnerabilities, and tests that can be performed to identify whether a system is susceptible to each vulnerability
- False positives and false negatives may occur
- By default, vulnerability scanners run unauthenticated scans
TCP ports

Service	Port
FTP	20-21
SSH	22
Telnet	23
SMTP	25
DNS	53
HTTP	80
POP3	110
NTP	123
Windows file sharing	135, 137-139 (NETBIOS, WINS), 445
HTTPS	443
LPR/LPD	515
Microsoft SQL Server	1433/1434
Oracle	1521
H.323	1720
PPTP	1723
RDP	3389
HP JetDirect Printing	9100

Nessus, Qualys, Rapid7’s NeXpose, OpenVAS are all vulnerability scanners
Aircrack is used to scan wireless networks
Web vulnerability scanning
- Structured Query Language (SQL) injection, leveraging poor input validation/sanitization
- Web vulnerability scanners scour web applications for known vulnerabilities
- Nessus does this, too, also Acunetix, Nikto, Wapiti, Burp Suite
- Scan all applications when you begin performing scanning for the first time
- Scan new applications when moving into production
- Scan before code changes go to production
- Scan on a recurring basis
Vulnerability management workflow
1. Detection - Identification of a vulnerability
2. Validation - Confirm the vulnerability is not a false positive
3. Remediation - Patch, change configurations, implement a workaround
Penetration testing
- Actually attempting to exploit systems, not just scan them
- Done by trained security professionals
- Process
  1. Planning - agree on scope, rules of engagement
  2. Information gathering and discovery - tools collect information, reconnaissance
  3. Vulnerability scanning - probes for system weaknesses
  4. Exploitation - use automated and manual exploitation tools to defeat system security
  5. Reporting - results of the penetration test, make recommendations
- Metaspoit is a common tool
- Types of penetration tests
  1. White box - attackers have detailed information about the target systems
  2. Gray box - attackers have partial knowledge about target systems
  3. Black box - attackers are not provided with any information
    - They should be done in this order

Testing Your Software

Applications often have privileged access
Apps often handle sensitive information
They often rely on databases
Code review
- AKA peer review
- Approval of an application’s move into production
- Fagan inspection
  1. Planning
  2. Overview
  3. Preparation
  4. Inspection
  5. Rework
  6. Follow up
Static testing
- Done without running it, but rather analyzing source code or compiled app
Dynamic testing
- Done in a runtime environment
- Testers often do not have access to underlying source code
- Synthetic transactions are scripted transactions with an application with known expected results
Fuzz testing
- Different types of input are given to software to test it’s limits and find previously undetected flaws
- Mutation “dumb” fuzzing
  - Takes previous input values and mutates them to create fuzzed input
- Generational “intelligent” fuzzing
  - Data models used to create new fuzzed input based on understanding of data types used by the system
- zuff - a tool that performs fuzzing
Interface testing
- Different parts of a complex app that must function together are tested
Misuse case testing
- Enumerate the known misuse cases
- How can software be abused?
Test coverage analysis
- Estimate the degree of testing conducted
  - Test coverage = number of use cases tested / total number of use cases
- Branch coverage
  - Has every if been executed under all if and else conditions?
- Conditional coverage
  - Has every logical test in the code been executed under all sets of inputs?
- Function coverage
  - Has every function in the code been called and returned results?
- Loop coverage
  - Has every loop in the code been executed under conditions that cause code execution multiple times, once, and not at all?
- Statement coverage
  - Has every line of code been executed during the test?
Website monitoring
- Passive monitoring
  - Analyze actual network traffic
  - Real user monitoring reassembles the activity of individual users
- Synthetic monitoring
  - AKA Active monitoring
  - Performing artificial transactions

Implementing Security Management Processes

Log reviews
- Logging systems should use Network Time Protocol (NTP) to ensure clock synchronization
- Periodically review logs
Account management
- Ensure users only retain authorized permissions and that unauthorized modifications do not occur
- Example process
  1. Provide a list of users with privileged access
  2. Ask the privilege approval authority to provide a list of authorized users
  3. Compare the two lists
- Lots of other checks, like terminated users
- Check paper trails
Backup verification
Key performance and risk indicators
- Monitor key performance and risk indicators
- Number of open vulnerabilities
- Time to resolve vulnerabilities
- Vulnerability/defect recurrence
- Number of compromised accounts
- Number of software flaws detected in pre-production scanning
- Repeat audit findings
- User attempts to visit known malicious sites
- Lots more, come up with your own depending on what’s important to your org

CISSP Study Notes Chapter 14 - Controlling and Monitoring Access

2020-10-06T07:30:00-07:00

Chapter 14 is about identity and access management (IAM), and discusses all kinds of different access control: role based, rule based, mandatory,discretionary, and attribute based.

Last summer I spent about a month studying for and getting my Certified Information Systems Security Professional (CISSP) certification from ISC2. I went about studying for the test a few ways:

I used the PocketPrep app
I attended a study bootcamp
I did a bunch of practice tests

And finally…

I got the ISC2 CISSP official study guide - I read it cover to cover, and highlighted and annotated the entire thing.

Previous Chapters

Chapter 14: Controlling and Monitoring Access

My key takeaways and crucial points

Comparing Permissions, Rights, and Privileges

Permissions
- The access granted for an object and what you can do with it
Rights
- The ability to take an action on an object
Privileges
- The combination of rights and permissions

Understanding Authorization Mechanisms

Implicit deny
- Access to an object is denied unless it has been explicitly granted
Access control matrix
- A table that includes subjects, objects, and assigned privileges
Capability tables
- Like an ACL, but focused on subjects
Constrained interface
- Restricted interfaces that control what users can do or see based on their privileges
Content depended control
- Restrict access to data based on the content within an object
- Ex: A database view
- “What” data is being accessed
Context depended control
- Require specific activity before granting access
- Ex: Date and time bound access
- “How” you’re accessing data
Need to know
- Granted access only to what you need to know to perform your job
Least privilege
- Subjects are granted only the privileges they need to perform their work tasks and job functions
- Will also include rights to take action on a system
Separation of duties and responsibilities
- Sensitive functions are split into tasks performed by two or more employees

Defining Requirements with a Security Policy

Security policy
- A document that defines the security requirements for an organization
Senior leadership approves the security policy

Implementing Defense in Depth

Defense in depth
- Multiple layers or levels of access controls to provide layered security
Key components
- Security policy
- Personnel, training
- Combination of administrative, technical, and physical access controls

Summarizing Access Control Models

Discretionary access control
- Every object has an owner who can grant or deny access to any other subjects
Role based access control
- User accounts are placed in roles and administrators assign privileges to the roles
Rule based access control
- Global rules apply to all subjects
- AKA restrictions/filters
Attribute based access control
- Uses rules that can include multiple attributes
- More flexible than rule based access control
- Plain language statements
Mandatory access control
- Labels applied to both subjects and objects

Discretionary Access Control

Allows owner/creator/data custodia of an object to control and define access to the object
Using access control lists (ACLs)

Nondiscretionary Access Control

Administrators centrally administer access controls and can make changes that affect the entire environment

Role Based Access Control

AKA task-based access control
AKA RBAC
Privilege creep
- Users accrue privileges over time as their roles and access needs change
Administrators identify roles/groups by work function
Useful in dynamic environments with frequent personnel changes

Rule Based Access Control

Rules, restrictions, filters determine what can and cannot occur on a system
Global rules apply to all subjects
RBAC refers to ROLE based access control
Firewalls include a set of rules within an ACL
Implicit deny

Attribute Based Access Control

ABAC
Uses policies that include multiple attributes for rules
Can be any characteristic of users, network, devices

Mandatory Access Control

MAC
Uses classification labels
Security domain
- A collection of subjects and objects that share a common security policy
Often referred to as a lattice-based model
Compartmentalization enforces need to know principle
Hierarchical environment
- Ordered structure from low security to medium security to high security
- Classification labels
Compartmentalized environment
- No relationship between one security domain and another
Hybrid environment
- Combines both hierarchical and compartmentalized concepts

Understanding Access Control Attacks

Risk elements
- Threat
  - A potential occurrence that can result in an undesirable outcome
- Vulnerability
  - Any type of weakness
- Risk management
  - Attempting to reduce or eliminate vulnerabilities, or reduce the impact of potential threats by implementing controls or countermeasures
  - Process
    - Identify assets
      - Asset valuation - identifying the actual value of an asset so you may prioritize them
    - Identify threats
      - Threat modeling - identifying, understanding and categorizing potential threats
    - Identify vulnerabilities
Advanced persistent threats
- APTs
- Attackers who are working together, highly motivated, skilled, and patient
- Advanced knowledge
Threat modeling approaches
- Focused on assets
  - Identify threats to valuable assets
- Focused on attackers
  - Based on attackers goals
- Focused on software
  - Based on potential threats against software
Identifying vulnerabilities
- Identifying strengths and weaknesses of different access control mechanisms

Common Access Control Attacks

Access aggregation attacks
- Collecting multiple pieces of non-sensitive information and combining them to learn sensitive information
- Reconnaissance
Password attacks
- Passwords are the weakest form of authentication
- Dictionary attack
  - Attempt to discover passwords by using every possible password in a predefined database or list of common or expected passwords
- Brute force attack
  - Attempt to discover passwords for accounts by systematically attempting all possible combinations of letters, numbers and symbols
  - Hybrid attack attempts a dictionary attack and then a brute force
- Birthday attack
  - Focuses on finding collisions
  - The birthday paradox states that if there are 23 people in a room, there is a 50% chance that two of them will have the same birthday (month and day only, not year)
- Rainbow table attack
  - Rainbow tables are large databases of precomputed hashes
  - Salt passwords to reduce effectiveness of rainbow tables
    - Salt is random bits added to a password before hashing it, stored in the same database holding the hashed password
    - Pepper is a large constant number stored elsewhere
- Sniffer attacks
  - Capture packets sent over a network to analyze them
  - AKA snooping attack
  - Wireshark is a popular tool for this
  - Make sure you
    - Encrypt all sensitive data
    - Use one time passwords
    - Implement physical security
    - Monitor the network for signatures from sniffers
Spoofing attacks
- AKA masquerading
- Pretending to be something else
- Email spoofing
  - Spoofing the email address in the from field of an email
  - Phishing
- Phone number spoofing
  - Caller ID
  - VoIP
Social engineering attacks
- Gaining the trust of someone using deceit to get them to betray organizational security
- Shoulder surfing is also considered social engineering
  - Looking at someone’s screen while they access information
  - Use screen filters
- Phishing
  - Getting users to open an attachment, click a link, or reply with personal information
  - Drive by downloads
    - Malware that installs itself without the user’s knowledge when the user visits a website
  - Spear phishing
    - Phishing where specific users or groups are targeted
  - Whaling
    - Senior or high level executives are targeted
  - Vishing
    - Phishing with a phone system or VoIP
Smartcard attacks
- Side channel attack
  - Passive, non-invasive attack that observes how the device functions

Summary of Protection Methods

Control physical access to systems
- If attackers can gain physical access to a server, they can steal it and do anything to it
Control electronic access to files
Create a strong password policy
Hash and salt passwords
Use password masking, never display cleartext passwords
Deploy multifactor authentication
Use account lockout controls
- Lock an account after the incorrect password is entered a predefined number of times
- Implement extensive logging
Use last logon notification
- Display information about the last time an account was successfully logged into
Educate users about security

CISSP Study Notes Chapter 13 - Managing Identity and Authentication

2020-10-05T07:30:00-07:00

Chapter 13 is an important chapter that gets into controlling physical and logical access to assets, managing identification and authentication of people, devices and services, integrating identity as a third-party service, and managing the identity and access provisioning lifecycle.

Last summer I spent about a month studying for and getting my Certified Information Systems Security Professional (CISSP) certification from ISC2. I went about studying for the test a few ways:

I used the PocketPrep app
I attended a study bootcamp
I did a bunch of practice tests

And finally…

I got the ISC2 CISSP official study guide - I read it cover to cover, and highlighted and annotated the entire thing.

Previous Chapters

Chapter 13: Managing Identity and Authentication

My key takeaways and crucial points

Comparing Subjects and Objects

Subjects are active entities that access a passive object
Objects are passive entities that provide information to active subjects

The CIA Triad and Access Controls

Confidentiality
- When unauthorized entities can access systems or data, it results in a loss of confidentiality
Integrity
- Unauthorized changes
Availability
- Data should be available to users and other subjects when they are needed

Types of Access Control

Access control includes the following overall steps
1. Identify and authenticate users or other subjects attempting to access resources
2. Determine whether the access is authorized
3. Grant or restrict access based on the subject’s identity
4. Monitor and record access attempts
Preventive access control
- Attempts to thwart or stop unwanted or unauthorized activity from occurring
Detective access control
- Attempts to discover or detect unwanted or unauthorized activity
Corrective access control
- Modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred
Deterrent access control
- Discourages security policy violations
Recovery access control
- Repair or restore resources, functions, and capabilities after a security policy violation
Directive access control
- Direct, confine, or control the actions of subjects to force or encourage compliance with security policies
Compensating access control
- Provides an alternative when it isn’t possible to use a primary control
- Increase the effectiveness of a primary control
Administrative access control
- Policies and procedures
Logical/technical controls
- Hardware or software mechanisms
Physical controls
- Items you can physically touch

Comparing Identification and Authentication

Identification
- The process of a subject claiming, or professing, an identity
Authentication
- Verifying the identity of the subject by comparing one or more factors against a database of valid identities
Registration
- When a user is first given an identity
Authorization
- Access to objects based on proven identities
- Indicates who is trusted to perform specific operations
Accountability
- Auditing is implemented
- The process of tracking and recording subject activities within logs
- Relies on effective identification and authentication, but does not require effective authorization

Authentication Factors

Type 1
- Something you know
- Ex: password, PIN
Type 2
- Something you have
- Ex: token, phone, smartcard
Type 3
- Something you are
- Ex: Fingerprint, retina scan
Context-aware authentication
- Based on location, time of day, mobile device
- May implement a geo-fence so resources are only available on some devices if the device is in a specific place
- Detecting impossible travel
Passwords
- Type 1
- A static password stays the same for a length of time
- Weakest form of authentication
- Creating strong passwords
  - Max age
  - Complexity
  - Length
  - History
- Passphrases are more effective
  - Longer strings of characters made up of multiple words
- NIST 800-63B suggests comparing a user’s password against a list of commonly known simple passwords and rejecting the commonly known passwords
Cognitive passwords
- Challenge questions
- Ex: What is your birth date? What is the name of your first pet?
- Answers are commonly available on the internet
Smartcards
- Type 2
- Certificates are used for asymmetric crypto like encrypting data or signing email
Tokens
- Type 2
- Password-generating devices
- Synchronous dynamic passwords
  - Time based, synchronized with an authentication server
- Asynchronous dynamic passwords
  - Does not use a clock
  - Based on an algorithm and an incrementing counter
Biometrics
- Type 3
- Using a biometric factor instead of a username requires a one-to-many search
  - Capturing a single image of a person and searching a database of many people looking for a match
- Using a biometric factor as an authentication technique requires a one-to-one match
  - The user claims an identity and the biometric factor is checked to see if the person matches the claimed identity
- Retina scans
  - Pattern of blood vessels at the back of the eye
  - Most accurate
- Iris scan
  - Second-most accurate
- Palm scans
  - Measure vein patterns in the palm
- Hand geometry
  - Physical dimensions of the hand
- Signature dynamics
  - Writes a string of characters
- Keystroke patterns
  - How the subject uses a keyboard
Biometric Factor Error Ratings
- False rejection rates
  - Type I error
- False acceptance rates
  - Type II error
- Crossover error rate (CER)
  - Where false rejection and false acceptance percentages are equal
  - Related to sensitivity of scan/detection
Biometric registration
- Enrollment
- A subject’s biometric factor is sampled and stored in a database
- Known as a reference template/profile

Multifactor Authentication

Must use multiple types/factors such as “something you know” and “something you have”
Ex: Typing in a password (something you know), and then entering a synchronous dynamic password from a token (something you have)

Device Authentication

Users can register their devices
SecureAuth Identity provider (IdP)
802.1x

Implementing Identity Management

Single sign on
- Centralized access control
- Allows a subject to be authenticated once on a system and to have access to multiple resources without authenticating again
LDAP and centralized access control
- Directory service
LDAP and PKIs
- LDAP and centralized access control systems can be used to support single sign on capabilities
Kerberos
- Key distribution center
  - KDC
  - Trusted third party that provides authentication services
- Kerberos authentication server
  - Authentication service verifies or rejects the authenticity and timeliness of tickets
  - KDC
- Ticket granting ticket
  - TGT
  - Provides proof that a subject has authenticated through a KDC and is authorized to request tickets to access other objects
- Ticket
  - Encrypted message that provides proof that a subject is authorized to access an object
  - Sometimes called a Service Ticket (ST)
- Know these processes
- The Kerberos login process
  1. User types a username and password into a client
  2. The client encrypts the username with AES for transmission to the KDC
  3. The KDC verifies the username against a database of known credentials
  4. The KDC generates a symmetric key that will be used by the client and the Kerberos server, encrypts it with a hash of the user’s password, and generates a time-stamped TGT
  5. The KDC transmits the encrypted symmetric key and the encrypted time-stamped TGT to the client
  6. The client installs the TGT for use until it expires and decrypts the symmetric key using a has of the user’s password
- The Kerberos ticket request steps
  1. The client sends its TGT back to the KDC with a request for access to the resource
  2. The KDC verifies that the TGT is valid and checks its access control matrix to verify that the user has sufficient privileges to access the requested resource
  3. The KDC generates a service ticket and sends it to the client
  4. The client sends the ticket to the server or service hosting the resource
  5. The server or service hosting the resource verifies the validity of the ticket with the KDC
  6. Once identity and authorization is verified, Kerberos activity is complete, and a session is opened

Federated Identity Management and SSO

Single sign on
- AKA SSO
Security Assertion Markup Language
- SAML
- An XML-based language that is commonly used to exchange authentication and authorization (AA) information between federated organizations
OAuth 2.0
- Open standard used for access delegation
Scripted access
- Automated process to transmit logon credentials at the start of a logon session
Credential management system
- Storage space for suers to keep their credentials when SSO isn’t available
Integrating identity services
- IDaaS
  - Identity as a service
  - A third party service that provides identity and access management
AAA Protocols
- Identification
- Authentication
- Authorization
- Accountability
RADIUS
- Remote authentication dial in service
- Centralizes authentication for remote connections
TACACS+
- Terminal access control access control system
- An alternative to RADIUS
- + includes moving AAA services into separate processes, encrypting authentication information
- RADIUS only encrypts password
Diameter
- An enhanced version of RADIUS

Managing the Identity and Access Provisioning Lifecycle

Refers to the creation, management, and deletion of accounts
Provisioning
- Creation of new accounts and provisioning them with appropriate privileges
- Initial creation is called enrollment or registration
- Should include a background check
- Many organizations use automated provisioning systems
Account review
- Periodically ensure that security policies are being enforced
- Check for inactive accounts
- Excessive privilege
  - When users have more privileges than their assigned work tasks dictate
- Creeping privileges
  - A user account accumulating privileges over time as job roles and assigned tasks change
- Excessive and creeping privileges violate the principle of least privilege
Account revocation
- Disable user accounts as soon as possible when employees leave the organization
- HR personnel should have the ability to perform this task