CISSP CBK 10 – Physical Security

Physical Security Controls

Types of controls:

 – Administrative controls
   – Facility selection or construction
   – Facility management
   – Personnel controls
   – Training
   – Emergency response and procedures

 – Technical controls
   – Access controls
   – Intrusion detection
   – Alarms
   – Monitoring (CCTV)
   – Heating, ventilation and air conditioning (HVAC)
   – Power supply
   – Fire detection and suppression
   – Backups

 – Physical controls
   – Fencing
   – Locks
   – Lighting
   – Facility construction materials

CISSP CBK 9 – Law, Investigations & Ethics

Ethics

ISC2 Code of Ethics Canons:

– Protect society, the commonwealth and the infrastructure

– Act honorably, honestly, justly, responsibly and legally

– Provide diligent and competent service to principals.

– Advance and protect the profession.

IAB – Internet Activities Board: unethical and unacceptable behaviour:

– Purposely seeking to gain unauthorized access to Internet resources

– Disrupting the intended use of the Internet.

– Wasting resources through purposeful actions

– Destroying the integrity of computer-based information.

– Compromising the privacy of others.

– Involving negligence in the conduct of Internet-wide experiments

CISSP CBK 8 – Business Continuity Planning & Disaster Recovery Planning

BCP / Business Continuity Planning

Prime elements:
– Scope and Plan Initiation
– Business Impact Assessment
– Business Continuity Plan Development
– Plan Approval and Implementation

Scope and Plan Initiation: Marks the beginning of the BCP process. It entails creating the scope for the plan.

Roles and Responsibilities

The BCP Committee: Should be formed and given the responsibility to create, implement and test the plan. It is made up of representatives from senior management, all functional business units, information systems and the security administrator.

Senior Management’s Role: Is ultimately responsible for all four phases of the plan.

BIA / Business Impact Assessment: Is a process used to help business units understand the impact of a disruptive event. The impact may be financial (quantitative) or operational (qualitative, such as the inability to respond to customers). A vulnerability assessment is often a part of the BIA process. It identifies the company’s critical systems needed for survival and estimates the outage time that can be tolerated by the company as a result of a disaster or disruption.

CISSP CBK 7 – Operations Security

Controls and Protections

To protect hardware, software and media resources from:
– Threats in an operating environment
– Internal or external intruders
– Operators who are inappropriately accessing resources

Categories of Controls:
– Preventative Controls: Are designed to lower the amount and impact of unintentional errors that enter the system and to prevent unauthorized intruders, internal or external, from accessing the system.
– Detective Controls: Are used to detect an error once it has occurred.
– Corrective Controls / Recovery Controls: Are implemented to mitigate the impact of a loss event through data recovery procedures.
– Deterrent Controls / Directive Controls: Are used to encourage compliance with external controls.
– Application Controls: Are the controls that are designed into a software application to minimize and detect the software’s operational irregularities.
– Transaction Controls: Are used to provide control over the various stages of a transaction. Types of controls are: Input, processing, output, change and test controls.

CISSP CBK 6 – Security Architecture & Models

Security Model

A statement that outlines the requirements necessary to properly support a certain security policy.

Computer Architecture

CPU – Central Processing Unit: Is a microprocessor. Contains a control unit, an ALU / Arithmetic Logic Unit and primary storage. Instructions and data needed by the CPU are held in the primary storage unit. The primary storage is a temporary memory area that holds instructions to be interpreted by the CPU and data used for processing.

Buffer overflow – Data being processed enters the CPU a block at a time. If the software instructions do not properly set the boundaries for how much data can come in as a block, extra data can slip in and be executed.
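The boundary check that the note says is missing in an overflow, shown as an added example that is not part of the original notes. Python cannot corrupt memory the way a C program can, so what the block demonstrates is the check itself: a receiver with a fixed 16-byte buffer reads length-prefixed blocks and validates every declared length against both the buffer capacity and the bytes actually present before anything is copied. The framing format, the capacity and the sample streams are all constructed for the illustration.

```python
"""Boundary checks on incoming data blocks (constructed example).

Frame format assumed here: a 2-byte big-endian length followed by that many
payload bytes, repeated. BLOCK_CAPACITY models the fixed-size receive buffer.
"""
import struct

BLOCK_CAPACITY = 16  # fixed-size receive buffer; constructed value for the example


class BlockTooLarge(ValueError):
    """Raised when a block's declared length exceeds the receiving buffer."""


class TruncatedStream(ValueError):
    """Raised when a block claims more bytes than the stream still contains."""


def parse_blocks(stream, capacity=BLOCK_CAPACITY):
    """Split a stream of length-prefixed blocks into a list of payloads.

    Each declared length is checked twice before any copy happens:
    1. against the fixed buffer capacity (the check whose absence lets
       extra data spill past the buffer in an unchecked C copy), and
    2. against the bytes remaining in the stream (a short read must not
       be silently padded or accepted).
    """
    blocks = []
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < 2:
            raise TruncatedStream("length prefix cut off at offset %d" % offset)
        (length,) = struct.unpack_from(">H", stream, offset)
        offset += 2
        if length > capacity:
            raise BlockTooLarge("block of %d bytes exceeds capacity %d" % (length, capacity))
        remaining = len(stream) - offset
        if length > remaining:
            raise TruncatedStream("block declares %d bytes but only %d remain" % (length, remaining))
        buffer = bytearray(capacity)                     # the fixed-size destination
        buffer[:length] = stream[offset:offset + length]  # copy only after both checks passed
        blocks.append(bytes(buffer[:length]))
        offset += length
    return blocks


def check_stream(stream, capacity=BLOCK_CAPACITY):
    """Return ("ok", blocks) or ("rejected", reason) so a caller can log the outcome."""
    try:
        return ("ok", parse_blocks(stream, capacity))
    except (BlockTooLarge, TruncatedStream) as exc:
        return ("rejected", type(exc).__name__)


def encode_blocks(payloads):
    """Build a well-formed stream from payloads (used to construct the sample input)."""
    return b"".join(struct.pack(">H", len(p)) + p for p in payloads)


# Constructed sample streams.
GOOD_STREAM = encode_blocks([b"hello", b"world"])
EXACT_FIT_STREAM = encode_blocks([b"A" * BLOCK_CAPACITY])      # exactly fills the buffer
OVERSIZED_STREAM = struct.pack(">H", 64) + b"A" * 64           # declares more than 16 bytes
SHORT_STREAM = struct.pack(">H", 10) + b"abc"                  # declares 10 bytes, carries 3

if __name__ == "__main__":
    for name, stream in [("good", GOOD_STREAM), ("exact", EXACT_FIT_STREAM),
                         ("oversized", OVERSIZED_STREAM), ("short", SHORT_STREAM)]:
        print(name, check_stream(stream))
```

The order of the checks matters: the capacity test runs before the copy, not after, and a block that exactly fills the buffer is accepted while one byte more is refused.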

Real storage – As instructions and data are processed, they are moved back to the system’s memory space / real storage.

CISSP CBK 5 – Cryptography

Definitions

Algorithm: The set of mathematical rules used in encryption and decryption.

Cryptography: Science of secret writing that enables you to store and transmit data in a form that is available only to the intended individuals.

Cryptosystem: Hardware or software implementation of cryptography that transforms a message to cipher text and back to plain-text.

Cryptanalysis: Practice of obtaining plain-text from cipher-text without a key or breaking the encryption.

Cryptology: The study of both cryptography and cryptanalysis.

Cipher-text: Data in encrypted or unreadable format.

Encipher: Act of transforming data into an unreadable format.

Decipher: Act of transforming data into a readable format.

Key: Secret sequence of bits and instructions that governs the act of encryption and decryption.

Key clustering: Instance when two different keys generate the same cipher-text from the same plain-text.

Key-space: Possible values used to construct keys.

Plain-text: Data in readable format, also referred to as clear-text.

Work factor: Estimated time, effort, and resources necessary to break a cryptosystem.

CISSP CBK 4 – Applications & Systems Development Security

Database systems and database management

Types of databases:
– Hierarchical
– Mesh
– Object-oriented
– Relational

DBMS / Database Management System

A suite of programs used to manage large sets of structured data with ad hoc query capabilities for many types of users.

Database: A collection of data stored in a meaningful way that enables multiple users and applications to access, view and modify data as needed.

Database terms/jargon
– Record: Collection of related data items
– File: Collection of records of the same type
– Database: Cross-referenced collection of files
– DBMS: Manages and controls the database
– Base relation: A table stored in a database
– Tuple: A row in a database
– Attribute: A column in a database
– Primary key: Columns that make each row unique
– View: Virtual relation defined by the database to restrict which data subjects can view
– Foreign key: Attribute of one table that is the primary key of another table
– Cell: Intersection of a row and column
– Schema: Holds data that describes a database
– Data dictionary: Central repository of data elements and their relationships.
– Cardinality: The number of rows in the relation.
– Degree: The number of columns in the relation.
– Domain: Is a set of allowable values that an attribute can take.
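The database terms above, demonstrated on an in-memory SQLite database as an added example (not part of the original notes). The tables, rows and names are constructed for the illustration. Two base relations with a primary key and a foreign key are created, a view hides one attribute, and small functions compute cardinality and degree and confirm that the key constraints are enforced. Identifier names passed to the PRAGMA and COUNT queries are checked against the schema first, since table names cannot be bound as SQL parameters.

```python
"""Database terms on a constructed SQLite schema (example code, not from the notes)."""
import sqlite3


def build_database():
    """Create the base relations, the view and a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces foreign keys only when asked
    # Base relation: a table actually stored in the database.
    conn.execute("""
        CREATE TABLE department (
            dept_id INTEGER PRIMARY KEY,   -- primary key: makes each row unique
            name    TEXT NOT NULL
        )""")
    conn.execute("""
        CREATE TABLE employee (
            emp_id  INTEGER PRIMARY KEY,
            name    TEXT NOT NULL,
            salary  INTEGER NOT NULL CHECK (salary >= 0),           -- domain: non-negative integers
            dept_id INTEGER NOT NULL REFERENCES department(dept_id)  -- foreign key
        )""")
    # View: a virtual relation; here it exposes names but not the salary attribute.
    conn.execute("""
        CREATE VIEW employee_directory AS
        SELECT e.name AS employee, d.name AS department
        FROM employee e JOIN department d ON e.dept_id = d.dept_id""")
    conn.executemany("INSERT INTO department VALUES (?, ?)",
                     [(1, "Security"), (2, "Audit")])
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?, ?)",
                     [(100, "Alice", 90000, 1), (101, "Bob", 85000, 1), (102, "Carol", 80000, 2)])
    conn.commit()
    return conn


def _checked_name(conn, relation):
    """Accept only relation names present in the schema (sqlite_master is SQLite's
    data dictionary); identifiers cannot be bound as parameters, so they are whitelisted."""
    known = {row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type IN ('table', 'view')")}
    if relation not in known:
        raise ValueError("unknown relation: %r" % relation)
    return relation


def cardinality(conn, relation):
    """Cardinality: the number of rows (tuples) in the relation."""
    name = _checked_name(conn, relation)
    return conn.execute("SELECT COUNT(*) FROM %s" % name).fetchone()[0]


def degree(conn, relation):
    """Degree: the number of columns (attributes) in the relation."""
    name = _checked_name(conn, relation)
    return len(conn.execute("PRAGMA table_info(%s)" % name).fetchall())


def attributes(conn, relation):
    """Column names of a table or view."""
    name = _checked_name(conn, relation)
    return [row[1] for row in conn.execute("PRAGMA table_info(%s)" % name)]


def _insert_rejected(conn, row):
    """True if inserting the row violates a constraint; the attempt is rolled back."""
    try:
        conn.execute("INSERT INTO employee VALUES (?, ?, ?, ?)", row)
    except sqlite3.IntegrityError:
        conn.rollback()
        return True
    conn.rollback()
    return False


def foreign_key_enforced(conn):
    """An employee pointing at a department that does not exist must be refused."""
    return _insert_rejected(conn, (103, "Dave", 70000, 99))


def primary_key_enforced(conn):
    """A second row with an existing emp_id must be refused."""
    return _insert_rejected(conn, (100, "Duplicate", 1, 1))


if __name__ == "__main__":
    db = build_database()
    for rel in ("department", "employee", "employee_directory"):
        print(rel, "cardinality:", cardinality(db, rel), "degree:", degree(db, rel))
    print("view attributes:", attributes(db, "employee_directory"))
```

The view is the access-control piece: a subject granted SELECT on employee_directory but not on employee can list who works where without ever seeing the salary column.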

CISSP CBK 3 – Security Management Practices

Fundamental Principles of Security

Security objectives

Confidentiality: Provides the ability to ensure that the necessary level of secrecy is enforced.

Integrity: Is upheld when the assurance of accuracy and reliability of information and system is provided and unauthorized modification of data is prevented.

Availability: Prevents disruption of service or productivity.

Definitions

Vulnerability: Is a software, hardware or procedural weakness that may provide the attacker the open door he is looking for to enter a computer or network and have unauthorized access to resources within the environment.

CISSP CBK 2 – Telecommunications & Network Security

Open System Interconnect Model

Protocol – Standard set of rules that determine how systems will communicate across networks.

OSI Model                              TCP/IP
Application, Presentation, Session     Application
Transport                              Host-to-host
Network                                Internet
Data Link, Physical                    Network Access

Each layer adds its own information to the data packet.
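Encapsulation as described in that sentence, shown as an added example that is not part of the original notes. A message is handed down the TCP/IP layers, each prepending its own header (the link layer also appends a checksum), and the receiver strips them in reverse order, checking each layer's own fields before passing the rest up. The header layouts, addresses and message are simplified and constructed for the illustration; they are not the real TCP, IP or Ethernet formats.

```python
"""Encapsulation down the stack and decapsulation back up (constructed example)."""
import struct
import zlib

# Layer order from the notes, top to bottom, using the TCP/IP column's names.
LAYERS = ["application", "host-to-host", "internet", "network access"]


def encapsulate(payload, src_port, dst_port, src_addr, dst_addr, src_mac, dst_mac):
    """Hand the payload down layer by layer; each layer prepends its own header.
    Returns the finished frame and a trace of (layer, bytes added by that layer)."""
    trace = [("application", len(payload))]       # the message itself, nothing added yet
    # host-to-host: ports name the conversation; a length field lets the receiver detect truncation
    segment = struct.pack(">HHH", src_port, dst_port, len(payload)) + payload
    trace.append(("host-to-host", 6))
    # internet: logical addresses (32-bit here) used to route between networks
    packet = struct.pack(">II", src_addr, dst_addr) + segment
    trace.append(("internet", 8))
    # network access: link addresses in front, a checksum over the whole frame behind
    frame = struct.pack(">6s6s", src_mac, dst_mac) + packet
    frame += struct.pack(">I", zlib.crc32(frame))
    trace.append(("network access", 12 + 4))
    return frame, trace


def decapsulate(frame):
    """Strip the headers in reverse order, verifying each layer's own fields
    before passing what remains up to the next layer."""
    if len(frame) < 12 + 4 + 8 + 6:
        raise ValueError("frame shorter than the combined headers")
    body, (crc,) = frame[:-4], struct.unpack(">I", frame[-4:])
    if zlib.crc32(body) != crc:
        raise ValueError("link-layer checksum mismatch")
    src_mac, dst_mac = struct.unpack(">6s6s", body[:12])
    body = body[12:]
    src_addr, dst_addr = struct.unpack(">II", body[:8])
    body = body[8:]
    src_port, dst_port, length = struct.unpack(">HHH", body[:6])
    payload = body[6:]
    if len(payload) != length:
        raise ValueError("transport length field does not match payload size")
    return {"src_mac": src_mac, "dst_mac": dst_mac,
            "src_addr": src_addr, "dst_addr": dst_addr,
            "src_port": src_port, "dst_port": dst_port, "payload": payload}


def delivers(frame):
    """True if the frame passes every layer's check on the receiving side."""
    try:
        decapsulate(frame)
        return True
    except ValueError:
        return False


def flip_byte(frame, index):
    """Corrupt one byte, modelling damage in transit (constructed, for the example)."""
    corrupted = bytearray(frame)
    corrupted[index] ^= 0xFF
    return bytes(corrupted)


# Constructed sample message and addresses.
SAMPLE_PAYLOAD = b"GET / HTTP/1.0"
SAMPLE_FRAME, SAMPLE_TRACE = encapsulate(
    SAMPLE_PAYLOAD, src_port=40000, dst_port=80,
    src_addr=0x0A000001, dst_addr=0x0A000002,
    src_mac=b"\x02\x00\x00\x00\x00\x01", dst_mac=b"\x02\x00\x00\x00\x00\x02")

if __name__ == "__main__":
    for layer, added in SAMPLE_TRACE:
        print("%-15s %d bytes" % (layer, added))
    print("frame:", len(SAMPLE_FRAME), "bytes; delivered:", delivers(SAMPLE_FRAME))
    print("corrupted frame delivered:", delivers(flip_byte(SAMPLE_FRAME, 20)))
```

The trace makes the overhead visible: a 14-byte message leaves the link layer as a 44-byte frame, and a single flipped byte anywhere inside is caught by the link layer before the upper layers ever see it.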

CISSP CBK 1 – Access Control Systems & Methodology

Security principles

Confidentiality: The assurance that information is not disclosed to unauthorized individuals, programs or processes.

Integrity: Information must be accurate, complete and protected from unauthorized modification.

Availability: Information, systems and resources need to be available to users in a timely manner so productivity will not be affected.

Personal note: Conformity with legislation

CISSP Intro

This starts a series of posts that deals with the CISSP CBK (Common Body of Knowledge). The summary covers all ten CBK domains that are required for the CISSP exam. One should not use this as a definitive guide in taking the CISSP exam, but rather as an intro to CISSP. All the data is gathered from various sources, starting from study guides for the exam and ending with materials found on the Internet.

As a side note, there are questions about CISSP vs CISA. The focus of those two certifications is different. While CISSP is focused on building and maintaining security (although it is not a technical standard), CISA is more focused on auditing and assessing risks and controls. Your choice of certification should be based on what you really want to work with. If you want to be a security professional, CISSP is the choice. If you want to be an IT/IS auditor instead, then you should take CISA. I have been an IT/IS auditor and am now an IS consultant, and there is a lot of knowledge supported by both CISA and CISSP.