Comprehensive CISSP 2022 Exam Cram: Domains, Strategies & Updates

welcome to my cissp exam cram series this is the complete course we'll call it the 2022 update we're covering all

eight domains of the cissp exam as well as my recommended exam preparation strategy incorporating multiple learning

techniques to help you prepare more quickly and effectively and as a cyber security strategist for

organizations around the world and a chief information security officer for a regional bank and an educator i can

promise you i use the knowledge i gained in the cissp exam every day more importantly for you last

year alone i helped thousands achieve cyber security certifications including the cissp all without expensive boot

camps and that is quite simply my goal to help you get further faster in your exam prep

so we'll be focusing on the key points of every topic we won't spend time speaking unnecessarily

about any topic we're going to focus on the key characteristics of each concept that will help you identify right and

wrong answers quickly on exam day this content utilizes several proven learning methods that have worked for

many candidates before you myself included to accelerate your progress and i will share the techniques that you can

apply in your study on your own i want to speak for a moment about my pace i intentionally speak at about 115

to 125 words a minute if english is not your first language this may be just right for you

if you do speak english as a first language you might find that increasing the speed to 1.25

may be better for you whatever works for you i just wanted to make you aware of that small detail

and by design i'm not focusing on every single topic that appears in the official study guide i'm focusing on

high probability exam topics high difficulty concepts frequent sources of questions from my

exam candidates and areas that require process memorization at the end of the day i want to direct your focus to the

high probability high difficulty areas so you're optimizing your prep you're making the best use of your exam study

time and this strategy has proven to work out well for exam candidates thus far and in

this update i'm simply turning the knobs a bit tuning this strategy further to make it a little bit better still

but in terms of what we're covering in this video we're going to talk about my

recommended exam prep strategy so the techniques that i suggest you use that many candidates before you have used

that i myself have used to prepare for the cissp exam more quickly and effectively we'll touch on domains one

through eight so every domain of the exam and i will also offer a few separate shorter videos to drill down on

what students report to be the most challenging areas and i will call those out at the appropriate points in this

video anywhere i can there's a table of contents in the video

description so at any point if you should want to skip ahead to a specific topic a specific domain feel free to do

that and as with all of my videos you'll find a pdf copy of this presentation

available in the video description you can click and download no sign in required

and a link to additional resources faqs exam updates and errata if there is any will be in the description beneath the

video and you can't be the first to benefit from this material but you may be the

next and i wanted to just share what a few other learners have said amongst the many testimonials we've seen

throughout the last year and while no course is perfect i wanted to give you a comprehensive study

resource and system without the hefty price tag and if we look at the eight domains of

the exam between the 2018 and the 2021 releases you'll see that the same eight domains are present in 2021 as were

there in 2018 and the weighting of these domains has changed very little as you can see here

if i were to describe the updates in the 2021 release of the cissp i would say the updates are incremental

the new syllabus is not that much different from the earlier versions you'll find there's no change in

experience requirements or the number of domains the content in subdomains of course has been expanded to keep up with

the changing times that's no surprise there's almost no change in domain weights as you saw

if you happen to live in a country where you don't get the new computer adaptive testing or

cat exam you'll find that the linear exam which is 250 questions and six hours long has not changed and there's

no change in the cat exam details which i'll touch on in just a moment and a few new topics have been

introduced in some of the domains to keep up with the changing times i will cover those topics in line as we cover

domains one through eight in this course i want to fill you in on the details of the cat exam format cat stands for

computerized adaptive testing and as of right now march 2022 the exam is three hours long with a hundred to 150

questions the number of questions depends on your performance the exam adapts based on your answer and it aims

for a 50 50 probability that you will get the answer to the next question incorrect so it's going to dial the

difficulty up and down based on your performance and the answers are final there's no going back which is why many

myself included think this makes the cat exam more difficult

you need a seventy percent to pass the exam some of the questions are not scored

they're pre-test unscored questions used for research for future exam changes nothing you can do about it don't worry

about it only pass or fail are recorded and if you fail even one domain you fail

the exam so it pays to make sure that your knowledge is above the passing bar for every single domain in the cissp

body of knowledge as you prepare for the exam i also wanted to tell you about a

recently announced change to the cat exam that's coming in june so the current exam includes 25 pre-test

meaning unscored questions 25 more items will be added to that pool bringing the total to 50 pre-test items

so the exam will then be 4 hours and 125 to 175 questions but no other changes to the

syllabus or content which means no real change in how you prepare for the exam as you are right now

and now i want to take you through my recommended strategy for preparing for the exam if you've seen this before feel

free to go to the video description and fast forward to domain one but if not we'll start with the

materials so i recommend the official exam study guide the ninth edition in its electronic form you'll have access

to a thousand practice questions online as well as a little over a thousand flash cards now and the electronic

version is easily searchable that's why i recommend you get the ebook you can buy it at amazon.com it's a touch over

40 u.s at the current time but do make sure you get the ninth edition which is the

update for the 2021 release of the cissp exam so let's start with the million dollar

question that we see frequently when we're preparing for the cissp and that is

how to think like a manager and i'm going to give you here the short version think like a manager

in five minutes or less so it starts with due diligence versus do care and it's really about knowing

our role so due diligence is practicing the activities that maintain the do care effort that's the

book definition not very helpful is it now the do care definition is doing what a reasonable person would do in a given

situation it's sometimes called the prudent man rule but what you see here right away is that

these two concepts work together that due diligence supports do care and these together will reduce senior management's

culpability their liability when a loss occurs both their liability for their own organization and those

in either direction of their supply chain i want to explain these two concepts to you a bit differently in a

way i think will resonate with you so due diligence and do care can really be looked at in the context of a

decision that line in the middle is our decision so on the left we have due diligence

this is the research the planning and the evaluation that frequently happens before the decision

not always but largely before the decision and due care includes implementation of

security controls operation and upkeep of those controls and reasonable measures to secure our organization and

its resources that's the doing after the decision so due diligence

increases understanding and reduces our risk in a given situation and do care ensures that we take those reasonable

measures as outlined in that prudent man rule so i mentioned that due diligence

happens largely but not always before do care so that evaluation process is a recurring process we need to make sure

that our reasonable measures that we put in place continue to be effective over time so we're going to come back and

reevaluate on a recurring basis through internal and sometimes external audits another way to look at due diligence and

do care that may help you remember these and keep them separate and clear in your mind for the

exam is that due diligence is about thinking before you act and do care tells us that actions

speak louder than words another way we see this labeled is due diligence is do detect the d d

and do care is do correct so one of these is about the research and evaluation and the other about taking

appropriate action so separating these into the before and after in your mind may be more helpful

so let's look at examples of due diligence we have knowledge and research of laws and regulations

industry standards and best practices and on the do care side we have delivery or

execution including reporting security incidents security awareness training and disabling access of users separating

from the company in a timely way and thinking like a manager is all about knowing your priorities so if we look at

our security planning horizons from operational to strategic so operational being short term and strategic being

longer term as a chief information security officer you really deal with risks that are

escalated to the top and you send down the objectives as you see them

in terms of their importance so your focus should really be right up here at the top of the pyramid

at the strategic level you're thinking about human safety business continuity protecting profit reducing liability and

risk and you are passing objectives down to the tactical and operational teams which they will implement in the form of

policy and planning and then actually implementing those recommendations and operating the environment on a

day-to-day basis and one more perspective that may prove helpful is assume that you are in that

organization to advise not to touch so during the exam think of yourself as an outside security consultant advising an

organization you're there to advise on strategy priorities and safety you're not doing you're not laying hands on the

keyboard this may help bring focus to process your role to due diligence and do care now if you're interested in the

long version of thinking like a manager check out my cissp mindset video it's right at half an hour it is the full

story it does also include me walking through a couple of practice questions to show you how you can use this logic

to reason your way to the best answer on exam day now let's take a look at some of those

learning techniques i promised at the beginning of this video the fact of the matter is there is no award for longest

study time whether you prepare for this exam in two weeks or two months or a year and a half

a pass is a pass and so if we can prepare effectively actually learning this content for the long term without

spending a year and a half doing so we should absolutely do that and

the number one reason that i am not a fan of those five-day boot camps where you spend two or three thousand dollars

and then go take your exam on day six is due to the length of time it takes to memorize anything to truly learn

anything i can commit facts to short-term memory you know quickly by repeating my

learning spacing my repetition out over a period of hours in fact with my fifth repetition only including a 48 hour gap

within a week i can commit facts to memory very quickly now to commit something to memory for

the long term to really onboard that for the duration of your career typically takes more time and how much time it

actually takes depends on your level of exposure and experience to these concepts but you can see if you're

starting from scratch to truly memorize anything for a long time can take repetition over a period of days weeks

and even months and there's a lot of power in repetition and i'll show you some techniques that

we can use to repeat our learning in different forms

whether we're working on those short-term intervals or the long-term intervals we call this spaced repetition

and the fact of the matter is between your sessions what you'll find from your first

study session to your second to your third is that with each successive repetition you are remembering for

longer and you are forgetting less information what you'll find is that your forgetting curve we call it becomes

shallower with each repetition using this spaced repetition technique and it's not purely about memorization

we do need to identify our weakest areas and focus our repetition on the topics where we need

work and we'll talk about how to do that in just a moment but at the end of the day our focus is

to understand these concepts not just memorize them studies have long shown that understanding a subject before you

memorize greatly improves your retention because you're not just memorizing words and the exam will assume that you

understand when and where concepts fit you need to be able to apply these concepts in the

right scenarios so one learning technique that makes memorization easier is what we call a

mnemonic device or a memory device and a common memory device is an acronym and i'll show you an example in a moment

but our mnemonic devices are best when they are simple they are relevant to the topic and

visual where we can make them visual so let's look at a couple of examples here so we'll start with a first letter

mnemonic and a good example of a first letter mnemonic is the osi model so back in the

90s i remember memorizing the osi model using a first letter mnemonic please do not throw sausage pizza away that was

layers one through seven and then in the reverse all people seem to need data processing so one could argue that we

could make this more relevant by changing the words in our mnemonic let's try please do not toss security

processes aside whatever works for you but we could argue that's more relevant another mnemonic here comes with the

incident management framework so our acronym here is drm rrl

drum roll if we pronounce it the letters don't spell it out quite right but you see i can add a visual element here as

well to make it easier still for me to remember that framework that process another technique that's useful when

we're dealing with large amounts of information is chunking it's the process of breaking information into smaller

pieces or chunks that make sense so let's take cryptography as an example we have asymmetric cryptography we have

symmetric cryptography hashes block ciphers so we could break cryptography into these chunks for

example and then i can break those categories into smaller chunks yet let's take hashes for example i'll break this

into chunks based on a unique property i find within these so let's take hash algorithms i'll take the

message digest family and i see here that for md 2 4 and 5 they each have a hash value length of 128. i see that by

and large they're not still in use with md5 there are some exceptions to that it's still used with file hashes

but in the cryptographic context not so much let's take the shaw family this is

secure hash algorithm what i notice here right away is that the hash value length matches the name i can see here that

most of these are still in use certainly all of the sha-2 family is still in use but shaw 1 is not that's a chunk

i notice here that the hash value length matches the name of the algorithm that's useful

in rounding out our exam prep strategy i want to talk you through what i call the 80 20 strategy for identifying your 20

weakest area so you can spend 80 percent of your time there so it starts with the practice exams now

whether you get the practice exams from the official study guide or elsewhere doesn't matter so much i'm going to show

you how to use the exams in the official study guide to drill down to your weakest areas on a per domain basis and

that's really the important question here is how can i best use these practice quizzes to assess my exam

readiness because the fact of the matter is if you get to exam day and you ask yourself am i ready if you don't know

the answer to that question then the answer is no and the way i suggest you do this is by

looking at how the book is organized per domain so chapters 1 to 4 in the book for example

map to domain 1 security and risk management chapter 5 maps to asset security

chapters 13 and 14 mapped to domain 5 identity and access management so if we use

the quizzes at the end of these chapters we can focus our learning to find our weak areas in that domain

and one of the more common questions i receive is how do i get access to those online resources that are promised in

the book so if i just go to the electronic copy of the book i'm going to search for test

bank one word and that will bring me to the section here that describes the interactive online learning environment

and test bank and you're instructed to go register at wiley.com you'll be prompted with a challenge you can only

answer if you've purchased the latest copy of that book and once you sign in to the website

you'll be presented with a page similar to this i'll find the cissp i'll

log in there and ultimately i come to a page that looks just like this it's efficientlearning.com

and when i log in here i've gone through the process of registering

i'll see the products that are available to me and i can go to the test bank so what you need to know here is that

with these 1000 questions they are divided into exams in the quiz builder

but we can customize entirely so what i'll do is uncheck question topic so i've unchecked all questions and if i go

into those chapters i can select specific chapters to create a custom quiz so for example chapters

one through four i mentioned were domain one i will select just those four chapters

i'll scroll to the bottom and here i can tell the wizard the number of questions i'd like

so i want all 80 questions and now i can take a quiz that is only focused on domain 1 which is covered in chapters 1

through 4. and on that same screen where i selected the

test bank the practice quizzes you'll also see an option to select the flash cards

but i commonly find candidates get into the test bank here and they can't quite figure out how do i take a quiz that

shows me my weaknesses in a particular domain well that's how you do it you map the chapters out as you see here and

again you can download this as a pdf so you'll have this information at your fingertips

so moving through the 80 20 strategy as we go through that spaced repetition we have our practice exams that will help

us understand our weak areas which will spur some targeted reading we'll go read a little more on those topics where we

have weakness to better understand the material we'll come back and review the powerpoint in this video and some of the

other targeted drill down videos i have we'll look at live quiz or flash cards

so the flash cards are great if you don't have a partner to help quiz you for example my spouse my wife helped

quiz me as i was preparing but if you don't have a partner then you can use those flash cards to quiz yourself

on those topics but at the end of the day research has proven that we all function best when we learn using a

variety of techniques so variety is the spice of life and it is very effective in learning subjects more quickly

and there you have it that's my system which means it's time for domain one which is security and

risk management now a few key areas you'll be expected to know for domain one include risk and risk analysis

you'll be expected to know the quantitative risk analysis formulas and how to apply them

threat modeling concepts and processes and the frameworks that go with that compliance legal regulatory and privacy

you'll be expected to have some summary knowledge of particular u.s laws and in the case of the eu gdpr a european law

that applies to u.s companies professional ethics you'll need to know the isc squared code of ethics by heart

security governance principles like itil and finally security policies standards procedures

and guidelines you'll need to know the difference between these four including which are suggested and which are

mandatory in terms of what's new in domain 1 in 2021 when we break down the

exam syllabus 1.1 is now understand adhere to and promote professional ethics i would say generally speaking

this is a non-event there's fundamentally no change from 2018 in terms of what you'll be expected to know

for domain one so i mentioned you're going to need to know

the cia triad by hearts the cia stands for confidentiality integrity and availability you'll sometimes see this

expressed visually in the form of a triangle with confidentiality being the first followed by integrity and

availability so confidentiality is about secrecy or privacy and in the technology context

that means access controls that help ensure only authorized subjects be those people or services can access objects

whether that object is data or a system so integrity ensures that our data or system

configurations are not modified without authorization if a threat actor modifies data without

authorization we've now lost integrity that data is now no longer true and reliable

and confidentiality and integrity don't matter if we don't have availability so authorized requests for objects those

systems that data must be granted to subjects within a reasonable amount of time

the cia triad is covered in chapter one of the official cissp study guide you'll want to know cia very well for the exam

definitely going to come up i mentioned the cissp code of ethics i'm not going to read you the full

code here but at a high level it covers protecting society infrastructure the commonwealth acting

in a manner that is honest and responsible and legal providing competent

service to others and to advance and protect the

profession the code of ethics itself is much longer than this you want to give the whole thing a quick read and

personally i find most of what's in here is common sense but but you'll want to have some

familiarity with the terminology they use in here in case it comes up on a question

so i want to shift gears and talk about security policy development so at a top tier security policy is your document

that defines the scope of security that's needed by your organization the assets that need to be protected and to

the extent we should go to to protect them but there are four levels of security policy

development so it starts with acceptable use policy which is designed to assign roles within an organization and to tie

responsibility to those roles then we have security baselines which define a minimum level of security that every

system in the organization needs to meet then we have security guidelines which offer

recommendations on how standards and baselines should be implemented and these provide operational guidance for

both our security professionals and our users and then finally we have procedures

which are those detailed step-by-step documents that describe the exact actions that are necessary to implement

a specific security mechanism a control or a solution in protecting our data or infrastructure

so tidbit for the exam when you're developing new safeguards you're establishing a new baseline a new

security baseline which means that maintaining compliance with existing baselines is not a valid consideration

point now let's move on to risk management and risk analysis and i want to start with risk category so a

category is a group of potential causes of risk so at a high level you have damage which results in physical loss of

an asset or an inability to access that asset and then when it comes to information we have disclosure and

disclosing critical information regardless of where or how it was disclosed if this was a malicious act as

a result of a threat actor or unintentional on the part of a well-meaning user

and we have losses so losses might be permanent or temporary which could include altered data or inaccessible

data so data altered without authorization affects integrity if we think about it from a cia perspective

and then if you think of an attack like ransomware for example which renders data inaccessible

and permanently inaccessible unless we can recover and then we have risk factors and risk

factors factors are something that increase risk or susceptibility to loss

so in the realm of risk factors we have physical damage natural disasters power loss vandalism we have malfunctions so

whether that's a failure of a system or a network or a peripheral or the hvac system we have attacks now these are

purposeful acts of of a threat actor whether that's from the inside to the outside like unauthorized disclosure for

example so continuing on risk factors human errors now these are usually considered

accidental incidents where attacks are generally purposeful incidents then finally we have application errors which

would be failures of the application including potentially the operating system

now security planning may come up on the exam and there are three types of plans you need to be familiar with the first

is the strategic plan this is the long-term plan that's fairly stable it should generally include a risk

assessment and the strategic plan typically has a five-year horizon and you'll update it annually this helps to

align the goals of the security function with the organization's missions and objectives

the next one is the tactical plan this is a midterm plan it's developed to provide a little more details on the

goals of the strategic plan this is typically going to have a horizon of about one year the tactical plan gives

us a little more flexibility we can make some ad hoc adjustments here when circumstances dictate and the final plan

of the three is the operational plan so this is a short-term highly detailed plan that drills down on the strategic

and the tactical plans and by short term we're typically talking about monthly or quarterly the

operational plan will have budgetary figures staffing assignments scheduling and typically step-by-step

implementation procedures so now let's talk about response to risk so we have several ways we can respond

to risk the first is risk acceptance and and that means simply doing nothing we simply accept the risk

and the potential loss if the threat occurs and if the safeguards or counter

measures outweigh the potential loss in terms of their cost then just simply accepting a risk might make sense

the next option is risk mitigation or sometimes you'll hear this called risk reduction and when we mitigate risk we

implement uh countermeasure and we accept the residual risk that's the risk that's left over

once our safeguards our security controls are in place

now in risk assignment this is also called risk transference we're transferring or assigning that

risk to a third party like in purchasing insurance against damage and outsourcing to companies with

specific expertise is another way we commonly see risk assigned or transferred

so next is risk avoidance so when the cost of mitigating or accepting a risk are higher than the benefits of the

service itself then avoidance is a good idea so for example

i might decide to locate a business in kansas instead of florida to avoid hurricanes if i decide that the cost of

mitigating the risk of hurricane damage to my business is too great so continuing down this road risk

deterrence is another potential response and implementing deterrence to would-be violators of security and and policy

is a pretty common response in the real world and deterrence would include things like

implementing an audit policy to deter folks from malicious behavior for example in the

i.t department security cameras are security guards to defer deter

unauthorized entry onto our premises or even something as simple as warning signage

and then finally we have risk rejection and i want to point out this is generally considered an

unacceptable response it's a possibility but it's not acceptable this means to simply

reject or or ignore the risk just treat it as it doesn't exist

obviously never a good idea to just bury our head in the sand because problems don't just go away

but remember handling risk is not a one-time process this is an area you're going to have to revisit on a recurring

basis and refresh your responses to risks and to determine if the nature of these risks has shifted in

some way and require changes on your part let's talk about

risk management frameworks now the primary risk management framework referenced on the cissp exam

is the nist 800-37 framework and that's currently in revision 2.

if you'd like to read it end to end i'll have a link to 800-37 in its latest revision down in

the description for this video now you'll also hear some other risk management frameworks mentioned but i

want to point something out here so from the cissp study guide it says consider the following risk management frameworks

for use in the real world so the key there is for use in the real world so they mention octave and fair

and tara and the fact that they say consider these for use in the real world while mentioning

that nist 800-37 is the primary framework that tells me i'm not going to worry much about these i'm going to

focus on nist 800-37 now this nist framework establishes a

process steps and you with any process in cissp you need to make sure you know these steps in order and really it's

depicted by some as a preparatory step followed by six main steps i'm going to just give you the

seven steps so when we talk about that preparatory step uh preparing to execute

the risk management framework is that preparatory step so so if you ever see nist 837 presented as six steps it's

because they leave the prepare off so second step is categorizing your information systems

and we're looking at the information process stored and transmitted by the system based on analysis of the

potential impact for loss next is selecting security control so we need an initial set of controls for the

system and to tailor those controls to our reality to reduce risk to an acceptable level

based on our risk assessment step four we implement security controls and we describe or document how those

controls are employed within our systems and our environment and then we're going to assess those controls to determine if

they're implemented correctly if they're operating as we intended in our environment and most importantly are

they producing the desired outcomes are they meeting our security and privacy requirements and expectations

so next we authorize the system and by that i mean we authorize the system to operate in a normal

environment and at that point the organization is accepting the risk formally

for the system and because this is not a one-time event your risk management is a

process uh step seven is monitoring our security controls

periodically assessing that our controls are effective documenting any changes to the system and

conducting risk assessments periodically as necessary and remember i mentioned this is a

process right for any process in cissp we need to know those steps we want to know them in order some folks will use

a mnemonic device or a memory device that's called using the first letters of these steps in the framework

so for example for for these letters for pcs i am i could use the mnemonic device people can see i am always monitoring

so at test time if i'm a little foggy on nist 800-37 i can at least get the first letter of each of these seven steps by

remembering my mnemonic device people can see i am always monitoring that was something we did very commonly

with the osi model back in the day and we'll talk about that in a later domain in this series

and a few other things for the exam so do remember when you're talking about risk management and and risk analysis

not every risk can be mitigated that's just a fact and it's management's job to decide how

that risk is handled so when you hear me talk about thinking like a manager when you're taking the

cissp exam remember it's the role of a security professional to be a risk advisor to advise the decision maker who

is the manager and also when multiple priorities are present always remember human safety is

the most important i bring that up now that it may not even come up as a part of this domain but it's an important

point so i wanted to just mention it early on here left i i forget

remember to prioritize human safety when you're presented with many options and remember when legal issues are involved

calling an attorney is a valid choice it might not seem like a valid choice because it's technical folks

you may want to solve every problem but when we put our manager hat on calling an attorney is a great

example of risk transference right or or assignment we're

outsourcing our problem to an expert so let's talk for a moment about types of risk so residual inherent and total

are three types of risk

so we have residual risk which is the risk that remains even when

all our conceivable safeguards are in place that's the risk we can't get rid of

and at that point the risk management function has chosen to accept rather than to to mitigate or transfer or

assign that residual risk sometimes there's a bit of risk there we just can't shake

so we're accepting then there's inherent risk newly identified risk not yet addressed

with risk management strategies so another way of saying that is its inherent risk is risk that exists in the

absence of controls and this is one that that you don't really see in every cissp text i bring

it up because i've seen it a time or two and it's worthy of mentioning but total risk is the other that you want to be

very familiar with and that's the amount of risk an organization would face if no safeguards were implemented so

to say it another way if we just look at those three types of risk residual risk is after

controls are implemented that's the risk that remains inherent risk is risk that exists before we've implemented our

safeguards and then total risks would be the risk present without any safeguard so for the

exam you really want to focus on residual risk and total risk these are going to come up in a formula

and this is the first time i've mentioned formulas but formulas are very much a thing when we talk about

risk analysis and management on the cissp exam so a few tidbits for the exam

so be able to explain total risk residual risk and the controls gap which is the amount of risk that's

reduced by implementing safeguards we'll see controls gap in a formula and talk about that a bit more a little

later in this installment so to calculate total risk know this formula threats times vulnerabilities

times asset value equals total risk and we'll look at some of these formulas later in this installment because you

will need to understand the several formulas as they relate to to risk

and how to use them to arrive at good decisions so we can also express risk itself

as a formula and risk can be defined as as threat times vulnerability so yes you know threat and vulnerability are

expressed as numeric values as probabilities so stick with me to the end of the video

we'll we'll see more formulas here and we'll we'll look at a couple of examples to help you get the ball rolling

and if when we're done if maybe you'd like to see a video dedicated to nothing but the formulas that are going to come

up for you on the cissp exam just leave me a comment and

i can make that happen so i want to shift gears now from risk to risk analysis so so there are two

ways at the highest level to evaluate risk to our assets there's qualitative risk analysis and quantitative risk

analysis so quantitative assigns a dollar value to evaluate the effectiveness of our

countermeasures quantitative risk analysis uh really is the more labor-intensive of the two

methodologies it employs typically a lot of data collection and analysis using cost benefit analysis

it results in specific values that we're really what we're doing is removing guesswork

and opinions from the process it's really if if i were to describe quantitative risk analysis in one word

it's objective it requires a lot of information and effort typically but at the end of the

day it's going to assign a tangible dollar value so we can evaluate the effectiveness of our

response to risk so let's look at the risk analysis steps involved in quantitative risk analysis

so this is specific to quantitative risk analysis we're going to talk about qualitative in a moment

so step one is inventorying your assets and assigning a value and you might be asking yourself what's

that out what's that text out there in red i'm putting some some terms and some acronyms out here because these are

going to come up in formulas that we discuss later in this module so these are going to be important you'll wind up

revisiting this slide to to perhaps think think again through

these steps and and what the outputs of the step are so step two we're identifying threats

we're going to research our assets we're going to produce a list of all the possible threats to each asset

and here we're going to calculate ef which is the exposure factor and the sle which is the single loss

expectancy we're going to get to what these mean in just a moment i just want to set the stage for you so you know

what some of these outputs are and this will all come together when we talk about the formulas

step three you'll perform a threat analysis to calculate the likelihood of each threat being realized within a

single calendar year you're calculating the annualized rate of occurrence again that acronym is going to show up in a

formula here momentarily step four we're going to estimate the potential loss by calculating the annualized loss

expectancy and the fact that the word annual or the concept of yearly is coming up here

should tell you that this process is an ongoing process right this is a recurring process we're going to

revisit periodically within our organization it's not a one-time exercise step five we're going to

research counter measures for each threat and then we're going to calculate changes to the annualized rate of

occurrence so in other words how often is is this event going to occur

and what is our annualized loss expectancy based on the counter measures that we've applied

so if we've done our job right the the annualized rate of occurrence and the annualized lost expectancy are going to

be lower than when we started in step six we're going to perform a

cost benefit analysis of each of our countermeasures for each threat for each asset

to determine in a very dollars and sense fashion if we've made good decisions in our selection of countermeasures

so let's talk about qualitative risk analysis so qualitative risk analysis uses a scoring system to rank threats

and the effectiveness of our countermeasures relative to the system and the

environment it requires guesswork and estimation it definitely uses opinions however

it does provide meaningful results if i if i could summarize qualitative risk analysis in one word it would be object

subjective because it involves opinions and while it's going to tend to be less accurate it is a quick way we can make

some estimations that we can then use to guide our efforts in the deeper quantitative risk analysis so so a lot

of times qualitative risk analysis can serve as that way we take a five minute rough cut at the problems we're dealing

with i can rank impacts as low medium high i can throw out some percentages

to just get to a point that i know what i'm dealing with in terms of the probability and impact of of the threats

we're working with of the the risk we're trying to to deal with uh you should be familiar

with the delphi technique for the exam as well so in qual qualitative risk analysis this is uh basically anonymous

feedback and response used to arrive at a consensus a couple of other considerations when it

comes to risk analysis uh there's lost potential so so what would be lost if the threat agent is successful in

exploiting a vulnerability and then delayed loss and this is the amount of

loss that can occur over time because the reality is you don't lose

everything all at once in certain situations for example if an exploit

takes down your firewall and from in front of your web farm and your web farm is unavailable you

lose money over time as customers can't reach your website that's delayed loss and i mentioned threat agents here the

threat agents are what cause the threats by exploiting vulnerabilities the vulnerabilities are

the weaknesses in your assets or in your safeguards for that matter so i promised you we would talk about

those important formulas and that time has come so we're going to talk about the relevant

terms and the formulas that we use to calculate their results

so we have exposure factor single loss expectancy annualized rate of occurrence

annualized loss expectancy and safeguard evaluation so these all factor into

some key formulas that are definitely going to show up on the cissp exam so let's dig into these terms and the

formulas that go along with them so we'll start with exposure factor ef this is the percentage of loss that an

organization would experience if a specific asset were violated

by a realized risk so this is a percentage of loss so so ef or exposure factor is expressed as a percentage

single loss expectancy or sle so this represents the cost associated with a

single realized risk against a specific asset so this gives us

a one-time loss figure so the formula for single loss

expectancy is the asset value times the exposure factor so the asset

value is going to be a number a dollar figure the exposure factor will be a percentage which is expressed as a

decimal when we're doing the math so let's look at a sample here so if i

have an asset value on the left here of a hundred thousand dollars and a tornado is estimated to do thirty percent damage

to my asset so that's going to be point three my exposure factor is thirty percent

uh and my single loss expectancy then would be 30 000 or the asset value times

the exposure factor okay this is just the tip of the iceberg so let's keep going here

so annualized rate of occurrence or aro so this is the expected frequency with which a specific threat or risk will

occur within a single year so the annual rate of occurrence is an

important input for this next item

and that is annualized loss expectancy so this is the possible yearly cost of all instances of a

specific realized threat against a specific asset

so we look at that in a formula the the annualized lost expectancy the

ale is the single loss expectancy

times the annual rate of occurrence so so the sle is the one time uh loss

and then we take that times the annualized rate of occurrence so if we have an sle of 50 000

and we have an annualized rate of occurrence of say 0.5 because a particular threat only

occurs once every two years 50 000 times 0.5 is 25 000. so i've explained that simply there but

i started with an sle we'd already calculated let me take you through an end-to-end example of annualized loss

expectancy so we have an office building that's worth two hundred thousand dollars

and we estimate that hurricane damage uh would be fifty percent uh of the value of this building

and hurricane probability is one every ten years so ten percent or point one okay so we have to start by calculating

the single loss expectancy right so the single loss expectancy is the two hundred thousand dollar building times

the damage estimate of fifty percent or point five so our sle

is one hundred thousand dollars now we're going to take that sle and that factors into

our ale equation so we'll carry that hundred thousand dollars into the next equation here and that is the

single loss expectancy of a hundred thousand dollars times

the annualized rate of a current or aro and our hurricane probability is one

every 10 years so the annualized rate of occurrence is 0.1 so so if a hurricane probability was one

every single year that would be one even right but one every ten years means point

one so we take that hundred thousand times point ten and our annualized loss expectancy

is ten thousand dollars so what this tells us is that the safeguards we put in place

better not cost more than ten thousand dollars a year or we're spending more to protect this building than we're

essentially going to save so that gives us the the value of the safeguard so while

we're on that subject that that gives you a dollars and cents answer right so while we're on that subject let's

talk about how the value of the safeguard is expressed then so we call that

safeguard evaluation so good security controls will mitigate risk they're transparent

to users they're difficult to bypass but the last one here they're also cost effective so in our previous example we

saw that the safeguard shouldn't cost us more than ten thousand dollars a year or we were spending too much

relative to the reduction in loss so so safeguard evaluation has a formula so

it's the annualized loss expectancy before the safeguard minus the

annualized loss expectancy after the safeguard minus the annual cost of the safeguard

that gives us the value of the safeguard so we're really trying to answer the

question is the safeguard cost effective if we're spending more to protect an asset

than we're saving in ale then we don't have a cost effective answer there so there's your formula

expressed a little more simply so ale before the safeguard minus ale after the

safeguard minus the annual cost of

the safeguard so again i hope these examples have been helpful if you need more help with formulas if we need to do

a video with just the formulas go down to the comments drop me a note let me know we can make it happen

so the amount of risk reduced by implementing safeguards is known as the controls gap

and to see control's gap in a formula we can look at residual risk then so residual risk is total risk so

the risk and absence of controls minus the control's gap gives us that remaining

or residual risk so if total risk is a hundred thousand dollars the

controls gap is fifty thousand dollars our residual then is fifty thousand dollars

and the expectation that you know all of these formulas and how to use them make quantitative risk analysis one of the

most difficult topics on the cissp exam so one of the most important videos you can watch is my quantitative risk

analysis just the formulas video where i walk you through a real world example where we apply

those formulas to a realistic use case you'll find a link in the video description

the cissp exam will also test your knowledge of applying risk-based management concepts to the supply chain

so today most services are delivered through a chain of multiple entities that is to say

one product like a car for example really you know while it has a car company's

label on it likely includes components from multiple companies and certainly

may be transported by multiple companies to the dealership so a secure supply chain includes

vendors who are secure they're reliable they're trustworthy they're reputable and

you need to evaluate the vendors in your supply chain to ensure that's true so when evaluating third parties in the

chain you want to consider methodologies like on-site assessment visiting an organization interviewing personnel and

observing their operating habits to ensure they are as safe as they claim to be

document exchange and review and this means to investigate the means by which this organization

exchanges data sets and documentation as well as the formal processes by which they perform assessments and reviews

there's processor policy review so requesting copies of their security policies their

processes or procedures and you could finally

opt for a third-party audit so having an independent auditor provide an unbiased review of an entity security

infrastructure our next topic is one where i suspect you'll have some memorization ahead in

order to be prepared for exam day and that is threat modeling which can be proactive or reactive but the

goals are are to eliminate or or at least reduce threats significantly and your threat modeling approaches

can take one of three common forms they can focus on assets where asset valuation

is is used to identify threats to valuable assets we want to to focus our our spending on assets that

have value to the business right focusing on attackers is another common approach where

the the process is focusing on the attacker's goals and then finally

focused on software where considerations center on potential threat against the software the

organization develops or implements so let's talk through a few of these models remembering that they can focus on

assets attackers or software so one of the

more common threat modeling frameworks and it's mentioned in the cissp is stride which was actually developed by

microsoft so so remember that in case it gets called out as a detail in a question

so the stride model focuses on the the potential threat so spoofing

tampering repudiation information disclosure

denial of service and elevation of privilege so because these were developed by

microsoft we see this as a software focus right it's focused on potential threats

to to software and i believe most of these are going to be pretty well known to you repudiation

might be a term that you're not super familiar with and that's the ability of a user or an attacker to deny having

performed an action or an activity and that often takes the form of the attacker staging the situation to

blame someone else and then there's spoofing that involves falsified identity tampering which is

data manipulation you know restaurant transit but remember stride is developed by

microsoft and remember the terms there that uh that map to the acronym right all right so moving on in the threat

modeling discussion let's talk about pasta which focuses on developing counter measures based on asset value

and there are seven stages of pasta but the key here it's a

threat modeling approach that focuses on asset value which really gets to the heart of the

matter right because when we're dealing with with risk management it really comes down to

implementing cost effective control so when we're modeling threats focusing on asset man

on asset value is a great idea okay moving on there's the vast threat modeling approach which

stands for visual agile simple threat so this is based on agile project management principles

so the bottom line goal of vast is to integrate threat management into an agile

programming environment so next up is

the dread model which is based on the answers to five questions so damage potential so how severe is the

damage likely to be of the threats realized reproducibility so how complicated is it

for attackers to actually reproduce to implement the exploit exploitability so how

difficult is it to perform the attack affected users this is really about headcount right how many

users are likely to be affected by the attack as a percentage and that could mean

internal users and that could mean you pay the bills users your customers

and then discoverability so how difficult is it for an attacker to discover this

weakness because a significant weakness five or six layers deep in our defense and depth

may not be such a big problem for us so certainly something we might want to

address but maybe we'll will push it down the priority list so rounding out our our threat modeling

discussion is the trike model which focuses on acceptable risk it's an open source threat modeling process that

implements a requirements model that essentially ensures the assigned level of risk for each asset as acceptable to

stakeholders so remembering that trike is risk focused and it implements a requirements model

should cover you if it comes up on the exam and to round out domain one i want to talk to you about

cobit which stands for control objectives for information and related technology it's

not a great mapping to the cobit acronym frankly and this is a security control framework sometimes

described as a framework for i.t management and governance it's based on five principles so meeting stakeholder

needs covering the enterprise end to end so treating our our enterprise

as as the full scope of our focus applying a single integrated framework

so so continuity of a centralized coordinated approach enabling a holistic approach

and separating governance from management so holistic approach and separating governance from management

are key concepts or i think and we're expecting to see little or no coverage

on the cissp exam in fact the official study guide mentions it only briefly and goes on to promise that there's

going to be no real depth of coverage on the cissp exam so this should get you through with the basics around

cobit an important aspect of threat modeling you may not be acquainted with yet is

diagramming potential attacks so determining potential attack concepts is achieved

through visualizing your infrastructure and identifying threats

or identifying potential vulnerabilities that may be exploited so let me just sketch out a simple

example for you here so let's diagram some potential attack so i have users

that come through my perimeter my user web server boundary we'll call it so they hit my web service here

and i have a database back here a sql server where we'll pull some data from a database

so my user starts by logging in to the web service at some point they may make a request

that then causes that web service to go back and retrieve data from my sql database

i'd imagine there's uh you know maybe even a different authentication process here from

a service principal or an entity down to that database versus the user logging in manually here and i can perceive

different threads here because i'm visualizing so just right off the cuff i can imagine that on a login form

brute force password attacks dictionary attacks might be common if attackers wanted to just guess

at user names and passwords and if they were to register for our service maybe they

could get an idea of the username requirements and then just start you know as i mentioned a

dictionary attack now if i think about a web service talking to a database the first thing that always comes to mind is

sql injection so as an attacker i could try to exploit

maybe some poor value handling on a web form to perform a sql injection attack

and i'm out of space here but and i could go quite a bit further as you can see but this gives you an idea of that

diagramming process at a basic level so let's talk about reduction

analysis in threat modeling so in reduction analysis i'm going to break a system down into its uh its parts which

makes it much easier to identify the essential components of each element and take notice of where we might have

vulnerabilities and and you know likely points of attack so

just to go through this i could look at trust boundaries so any location where the level of trust or security changes

so a trust boundary in your application from say a an access control perspective would be

where a specific role or privilege is required to access a resource or an operation that would be a change in

trust data flow path so looking at the movement of data between locations

and what exposures there are that might allow attackers opportunity to to capture or breach that data input

points locations where external input is received so in our our diagramming example uh a web form where we're

logging in or a web form or we're submitting a request that that calls back to sql that's going to be

an area that would be most likely

a possibility for attack a likely target perhaps privileged operation so any activity

that requires greater privileges than that of a standard user account that's going to be a red flag area

an area will want to give special attention then finally details about security

stance and approach so so essentially just the our declaration of security policies foundations are our assumptions

in a given scenario for for a service or infrastructure so after we go through that

deconstruction and documentation process then we want to rank or rate the threats we can use the dread methodology we just

talked about or a high medium low rating for example so i want to clarify a few things around

security control so your security controls are the measures for countering or minimizing loss or unavailability

of your assets your services your apps etc and

you'll hear the term safeguards and counter measures we've used those quite a bit today and they may seem to be used

interchangeably at the end of the day the main difference between a safeguard and a

countermeasure is safeguards tend to be proactive and counter measures tend to be reactive

let's talk about the categories of controls there are three categories of security controls they're technical or

logical or sometimes called which involves the hardware or software mechanisms used to manage access and

then you have administrative controls which are policies and procedures that are designed

by the org security policy or other regulations and requirements administrative controls for example

might include hiring practices background checks data classifications and labeling security awareness and

training methods and then you have physical uh control so the physical category are

items you can physically touch so there we're talking about guards fences motion detectors lock

doors seals sealed windows lights laptop locks etc so be familiar with these control

categories and be able to name off a few in each category as i just did for you now

so next let's dig into security control types so you have deterrent

control so these are deployed to discourage violation of security policies

deterrent controls could include uh you know audit policies security awareness training locks fences security badges

they're designed to discourage violation and then we have

preventative controls these could be

technical controls like firewalls or intrusion detection systems or it could be a physical control like a

fence or a gate or a man trap and technically there could be some overlap between deterrent controls and

preventative controls the main difference here is deterrent controls really rely on on somebody making a

decision to not do something where preventative controls are really designed to actively stop the unwanted

behavior and we have detective controls which are deployed to discover or detect unwanted

activity so defining characteristic of detective controls as they really detect the activity after the fact right

they detect something in progress motion detectors cctv cameras audit trails honey pots

and you'll find some surprising elements listed as detective controls like

mandatory vacations for example job rotation because if you're rotating people across

jobs or in and out on vacations you're going to be able to establish some patterns there that will allow you to

detect behavior based on the presence or absence of certain individuals or circumstances

then we have compensating controls compensating controls provide options to other existing controls to aid in

enforcement of the gulf so for example let's say your organization requires that personally identifiable information

is encrypted in the database and in fact it is encrypted in the database but someone discovers then that the

the uh pii data is being transferred across the network in clear text so a compensating control

would be for example an additional control to encrypt that data in transit to support the

requirement and you want to make sure on the exam that you you understand

the key element that defines that control type and you know a few examples off the top of your head so you can you

can pick those out uh should you see them in a question so we're actually not done with control types let's keep going

here so so we have corrective controls

corrective controls can range from antivirus that removes uh malicious files to backup software

that automatically restores missing files to policy-based configuration management

that returns a system to its desired configuration after a breach

next up we have recovery controls which are much like corrective controls but they tend to have more advanced

capabilities good examples here would include server clustering vm shadowing hot sites warm sites alternate

processing facilities and finally we have a directive control which is intended to confine or control

the actions of the subject to force or encourage compliance with security policies

good examples of a directive control would be security policy requirement posted notifications

escape route exit signs just to name a few so again make sure you understand the defining

characteristic and you can rattle off a few examples before you walk into the exam

now we're going to talk legal and regulatory which is an area of the cissp exam that requires a lot of memorization

i'm going to try to help you focus that in so at a high level the topics here include cyber crimes and data breaches

transborder data flow licensing and intellectual property requirements things like trademarks

patents we'll talk about that in just a moment privacy is very important quite a few

laws related to privacy and then import export controls which we'll cover also

so let's start by talking about types of law so you have three types you have criminal law which is just what you

think it is it covers areas like assault robbery arson murder you have

civil law which covers more business disputes contract disputes real estate transactions employment estate

the high dollar lawsuit type of law then you have administrative law which relates to government agencies they have

some leeway to enact administrative law that can cover important topics or areas as mundane as requirements when

procuring a phone for an office desk the the cissp exam focuses on security related generalities you're not going to

get into the nitty-gritty details of the law but when a question comes up around health care related information customer

health care information you'd need to know that high tech and hipaa are are laws related to that topic

for example so let's talk about some of the the laws that are likely to come up on the exam

so the computer fraud and abuse act i think the the most significant thing about cfaa was it was the first piece of

u.s cyber crime specific legislation you have federal sentencing guidelines which are laid out to provide punishment

guidelines to help federal judges interpret computer crime laws the federal information security

management act better known as fisma uh had some requirements around formal

information security operations uh for for federal government uh the copyright and digital millennium

copyright act say that three times fast covers literary musical and dramatic work so that that's really helpful for

artists let's talk intellectual property and licensing so you have trademarks which

cover words slogans logos you use to identify a company in its products or services you want to protect your

company name you apply for a trademark patents protect the intellectual property rights of inventors and trade

secrets cover intellectual property that is absolutely critical to a business and must not be disclosed for the health of

that business and then there are four types of licensing you should be familiar with

and that's contractual shrink wrap click through and cloud services

there are some regulations around encryption and privacy that you'll want to be familiar with

so u.s companies cannot export computer technology to certain countries and those include cuba iran north korea

sudan and syria there are also restrictions laid out by the department of commerce that detail

limitations on the export of encryption products outside the us the basis for privacy rights in the u.s

is the fourth amendment to the u.s constitution and gdpr is a law you want to be

familiar with it is not a u.s law it comes from the european union but it is very likely to be mentioned for one very

good reason and that is because it applies to any company with customers in the eu

the us included you're going to hear me mention this a couple of times that's because i do expect it will be on the

exam now let's talk about other u.s privacy laws so you've so when it comes to

health care you have uh health care insurance portability and accountability act better known as hipaa

you have the health info technology for economic and critical health uh better known as high tech

we have graham leech bliley which applies to financial institutions if you see a

question on the exam related to law and financial institutions i'd bet it's going to be graham leach blighly

the children online privacy protection app better known as coppa and the electronic communications

privacy act or ecpa and that's one of two laws related to electronic communications that i might

expect you'd see on the cissp exam the other being the communications assistant for law enforcement act

i think i'd be familiar with both of those as well now notice that i've put the acronyms here i find memorizing

these acronyms makes everything easier because memorizing all those words is a lot of work but if i memorize hipaa when

i see health insurance portability and accountability act i can pick out the h-i-p-a-a right so memorizing those

acronyms is going to make this a lot easier for you and you notice how i talked about just the very basic focus

of these laws you're really going to be dealing with generalities as i mentioned and that's straight from

the official cissp exam prep guide and matches right up lines right up with my experience in taking this exam

so you're going to be expected to be familiar with the business continuity planning process and issues that pertain

to information security in in bcp around things like strategy development processes

plan approval plan implementation training and education so so important you understand the steps

of the process but know that the bcp topics are going to cover you know information security related angles

you're not expected to be a certified business continuity planner here by any means

i'll give you that same warning i give you for any process when you're looking at a process make sure you you know the

steps in order personally i don't think you're going to see a lot about bcp on the the exam it'll be limited

i want to talk through a couple of business continuity planning related definitions worth knowing just to

increase your comprehension of this topic as we prepare for the exam so the business continuity plan is the overall

organizational plan for how to continue business the disaster recovery plan is the plan

for recovering from a disaster impacting it and returning the i.t infrastructure to

operation which of course supports the business and there's a continuity of operations

plan this is the plan for continuing to do business until the i.t infrastructure can be restored i'm not expecting you'll

hear about continuity of operations planned on the exam but it's

it is a thing so i wanted to mention it but let's talk about the difference between business continuity planning

and disaster recovery planning so what exactly is the difference here well business continuity planning focuses on

the whole business it focuses on getting back to doing business where disaster recovery focuses more on

the technical aspects of recovery so bcp will cover communications and process more broadly another way to think of it

is business continuity planning as an umbrella policy and disaster recovery planning falls under that umbrella as

part of the broader plan you want to be familiar with education so security awareness

education and training so the methods and the techniques for different audiences

periodic content reviews evaluating your program effectiveness and

and you can see a variety of questions here that talk about everything from you know simple user security awareness

training to you know what's the the deepest form of training so covering things like classroom training all the

way to degree programs but security awareness training is that topic that is ubiquitous when it comes

to information security so let's start with the consequences of privacy and data breaches the first

being reputational damage when we have a security breach it can certainly result in a loss of customer

trust and ultimately a loss of revenue and the effects may last for years if the situation is not handled correctly

identity theft which involves someone using a person's private information to impersonate that individual

usually for financial gain and if that breach results in data exfiltration were potentially exposing

many people to identity theft if we're losing customer data and if a business experiences

intellectual property theft as a consequence of a data breach they can lose customers credit ratings brand

reputation and they can even forfeit first to market advantage loss of profitability and they might even lose

an entire line of business to competitors or counterfeiters fines so failing to report a breach can

result in fines that can reach into the millions of dollars in fact gdpr outlines fines of up to four percent of

a company's annual global revenues or 20 million euros for failing to report a breach and it may lead to

lawsuits but remember any company with a customer in the eu is subject to gdpr

and let's talk notifications of breaches so if a data breach occurs failing to report that breach as i just mentioned

can result in fines into the millions of dollars the eu sets their standard in gdpr and notification of data

breaches must be reported within 72 hours now escalations to external sources like law enforcement or outside

experts to stop or investigate a breach may well be necessary other countries have their own reporting

time scale and delays may sometimes be allowed for criminal investigation

but we're talking about laws so when in doubt we get the legal department involved

and that brings us to the end of domain one up next is domain 2

asset security i want to touch briefly on what's new in domain 2 because we can expect those new

topics those new areas of focus in 2021 are more likely to come up on the exam we do find certification exams tend to

focus a bit more on what's shiny and new and relevant and here we see 2.3 provision resources securely 2.4

managing the data lifecycle and 2.6 determining data security controls and compliant requirements

drm casbi and dlp those were covered in the 2018 material clearly they've been elevated to some degree

here and in in a world of identity uh focused security and zero trust it's it's not

surprising right our network perimeter doesn't exist as it used to and you're going to hear uh provisioning resources

securely in various capacities through the eight domains managing the data life cycle is the the item i want to call

attention to in domain two so it was mentioned in a phrase in in 2018 it's clearly going to get a little more

attention so here is the data life cycle and you see it begins with creation then story use

share archive and destroy now i want to call your attention to

a similar life cycle that existed in 2018 and it exists in the 2021 version of the course in domain seven in

security operations we have the information life cycle and what you're going to see here are some commonalities

so you'll notice creation you'll notice archival and destruction

use usage and storage what's different here is you notice classification so so the information life cycle it focuses a

bit more on information protection because you don't see classification called out explicitly in the data life

cycle right so another item called out in in domain seven around the information life cycle that's important

for you to remember is there isn't a consistent standard used to identify each stage or phase of

a data life cycle so conceptually speaking what i would suggest you know for the exam is that immediately after

creation it's very important that we classify data because classification tells us the requirements for protection

and the other key elements that i want you to notice here is that each of these cycles includes

archival and destruction right so archival is important because certain regulatory requirements will demand that

we have data that we keep around for a period of time in a retrievable state it could be

a year it could be seven years and data destruction is important because data that remains around longer than is

necessary creates risk and it creates liability it can be stolen it can be called as evidence it can be discovered

as evidence for for legal actions so more than remembering the steps here i want you to remember those key

elements of of the data life cycle of the information life cycle the information life cycle is covered both

in domain 7 and it's also covered in the processes and frameworks video in depth but knowing these will serve you well

but you want to know those you want to be familiar with those practical elements

of of the data life cycle and later here in domain 2 we'll talk about data classification you'll see

this chart so you want to pay attention because data classification is going to have relevance in multiple domains in

the cissp let's start with data security control so

marking labeling handling and classification may well come up on the exam

classification being the most important of these and we'll talk about data classifications in just a moment

uh data handling shipping chain of custody you know remembering don't open boxes

and with data retention comes data destruction we'll talk through some data redestruction methods like erasing

clearing overwriting more on that in a moment and with record retention uh we always need to remember

that that data destruction if the retention policy is one year that data should be destroyed when it ages out so

when it ages beyond one year uh you may even see something related to tape backup this you know this feels like a

legacy concept but it may come up because it exists in the real world and and tape backup security having a secure

facility tapes labeled will ensure that you know everybody understands the classification of the data which really

kind of comes back to that first concept of marking labeling and handling

so let's talk about data destruction methods and you'll definitely want to understand

the difference between these so at a basic level erasing data which is just performing a

delete operation so with erasing you'll want to remember that data is typically recoverable using

traditional data recovery tools now clearing or overriding prepares media for reuse and ensures that data cannot

be recovered using traditional recovery tools so purging

is a more intense form of clearing and it's used in less secure environments

so why do i highlight less secure environments that's because for example the us government doesn't consider any

form of purging as an acceptable data destruction method for top secret data degaussing is a process that uses a

device called a degausser to create a strong magnetic field that erases data on on some media so so physical media

obviously and then destruction is the final stage in the life cycle of media and it's the

most secure method of sanitizing data methods of data destruction include operations like incineration crushing

shredding dissolving using a caustic or a acidic compound

and before we step away from data security controls i want to mention one other concept which is a security

control baseline which provides according to the the cissp exam guide a listing of controls that an organization

can apply as a baseline so listing of controls on a baseline it feels a little repetitive another way i might say this

is a baseline is a group of controls that can be applied as a base standard or a starting point that we work from

not unlike a configuration based line that you'd uh work with as a starting point for securing your endpoints for

example so for the exam do be familiar with record retention and data destruction i

mentioned that you know keeping data around for longer than necessary can can be a problem

what it can do is present unnecessary legal issues and in fact if memory serves the cissp

exam prep guide outlines a story with uh with a big aeronautical company that had a big lawsuit uh that they settled for a

lot more money than necessary because they kept data around for longer than necessary

so when it comes to data protection confidentiality is often protected through encryption this is mentioned

only briefly in domain two this is really more a topic for domain three so we'll cover encryption in lesson three

so let's move on to defining sensitive data through data classification so we're going to look at

the four levels of data classification for government or non-government or sometimes called

public data so we have class 0 which in government terms would be unclassified

or public data so no damage occurs if this sort of data is revealed

outside the organization class one is data that would be confidential or in the non-government space sensitive

so this is data that could cause damage to the organization if unintentionally disclosed

or intentionally disclosed for that matter but but disclosed without authorization so class two we have

secret data and private data data that can cause serious damage to the organization if disclosed and

then at the highest level in class three we have top secret data or confidential or proprietary data in

the uh the public space which is data that can cause exceptionally grave damage if revealed

so you'll notice some commonalities here the word serious and and then exceptionally

grave so you have these juxtaposed standards for government and non-government i would be familiar with

both of these uh briefly in domain three we'll actually talk about sensitive uh but unclassified data in uh when we're

talking cryptography but generally speaking i think much less likely to come up

on the the exam itself so when it comes to asset classifications asset

classification should typically match data classifications and when it comes to sensitive data

there are two types of data you want to be very familiar with and this is sensitive data that isn't public or

unclassified there's personally identifiable information or pii data pii data refers to any information

that can identify an individual so these would be uh data elements like their name social security number uh

birthplace or birth date biometric records uh you know thumb prints retina scans

and you'll also want to be familiar with protected health information or phi which is health related information that

can be related to a specific person this is covered by hipaa which we talked about in domain one

so let's talk about data ownership for a moment so know these two roles i think if if we you know think about what are

the roles most likely to come up on the exam data owner

which is someone who can delegate some day-to-day responsibility for for data handling and security and then there's

the data custodian so this is someone who doesn't decide what controls are needed but they do

implement those controls on behalf of the data owner so just a quick tip if the

question mentions day to day they're typically talking about the duties of the custodian and another sort of

delineating factor here the data owner is usually a member of senior management the data custodian is typically going to

be somebody in the it department so that's another way you can potentially pick out

which would be the the most appropriate answer so i want to talk to you about some

other roles and then gdpr in particular which which is you're relatively new in the world

of regulatory standards but i think more and more important all the time because it does apply to a lot of u.s companies

so let's talk about some of the other roles so do be prepared to answer questions on

some of these other roles so data administrators responsible for granting appropriate access to personnel often

via role-based access control a user refers to any person who accesses data via a computing system to accomplish

their work tasks and we have business or mission owners and this role can actually overlap responsibilities with

the system owner sometimes even be the same role and then finally asset owners this is

the person who owns the asset or the system that processes sensitive data and the associated security plans

i think the key there is associated security plans uh so let's talk about gdpr because gdpr

calls out some specific terminology relative to gdpr and they treat one or two terms a little bit differently than

you'll see elsewhere so definitely know your gdpr terminology and

requirements i think this is quite likely to come up on the exam so gdpr defines a data processor

which is the entity that processes data on behalf of a data controller that data processor can be a person an authority

an agency or another body it's but it's the person it's the entity processing the data on behalf of the data

controller who is that person or entity that controls processing

of the data and then data transfer know that gdpr restricts data transfer to countries

outside the eu okay continuing down this road so there

is some discussion in domain two around reducing your gdpr requirements or exposure so there are a couple of ways

you can approach this the first is anonymization which is the process of removing all

relevant data so it's impossible to identify the original subject or person so if done effectively gdpr is no longer

relevant for the anonymized data now it's important to note here the word remove the words removing an impossible

because this is only going to be good if you don't need the data because it will be impossible to identify the original

subject or person so i think that's one of the keys if this method comes up on

the exam so if you need the data there is another way to handle this and that's through

pseudonymization that's a big one so i'll say it one more time pseudonymization which is the

process of using pseudonyms or aliases to represent other data so you use this in scenarios where

you need that information but you want to mask the identity of the user or subject to which the data belongs

but you definitely need the data so an example of this would be creating a patient number to tie back to the data

which then masks the the name of the patient at that point but bearing in mind that you know this will potentially

reduce your exposure it will result in less stringent requirements than otherwise

would apply under gdpr but bearing in mind that if that pseudonym is ever revealed if that patient number is ever

tied back and revealed to the patient name then the pseudonym is no longer effective the alias doesn't

work anymore so it's a great concept but execution matters is my point uh so if you but you

but if you need the data and you want to reduce exposure pseudonymization is going to be the

method you'll use versus anonymization and for the exam i would make sure i'm familiar with the gdpr terminology the

data roles and the security controls and don't worry i'll mention these in more than one spot

in this course so you'll definitely hear this again and you want to be aware that the

notification of data breach timeline in gdpr is 72 hours and we'll see this again but just

remember gdpr applies to any company with customers in the eu

and that's a wrap for domain two moving on to domain three security architecture and engineering

let's take a look at the official exam outline and then we'll talk about what's actually new in domain 3 in the 2021

release of the exam 3.1 is research implement and manage engineering processes using secure

design principles 3.2 understand the fundamental concepts of

security models so we'll touch on models like biba the star model bella padula this is a big area of memorization this

is a common area of confusion and i have a full 2022 update i've recorded for you

here to address the many questions i've received about security models over the last year

3.3 select controls based on system security requirements so matching controls to requirements

understand security capabilities of information systems we'll touch on a number of concepts here including

items like tpm and encryption and decryption 3.5 assess and mitigate the

vulnerabilities of security architectures designs and solution elements

3.6 select and determine cryptographic solutions and then 3.7 understand methods of cryptanalytic

attack so this tells us that cryptography is really front and center in domain 3 just based on what we see in

3.6 and 7. 3.8 apply security principles to site and facility design an area very few

folks have much experience so an area you'll want to put some focus on for the exam

and finally design site and facility security controls so what's actually new in the 2021

release well domain 3 is a big domain and there are several changes here so

under item 3.1 which is research implement and manage engineering processes using secure design principles

we see several concepts here called out that were present in the 2018 exam threat modeling lease privilege defense

and depth secure defaults fail securely separation of duties however we see several net new concepts here as well

keep it simple zero trust privacy by design trust but verify and shared responsibility i'm going to

cover these for you now okay i'm going to cover these for you in

a minute because first i want to want to point out the other syllabus line item in domain 3 that is

new and that is 3.7 understand methods of cryptanalytic attacks and again

quite a large number of attacks mentioned most of these existed in the 2018

version of the exam it's clearly a topic that's getting more attention these are covered these attacks are covered in the

attacks and counter measures supplemental lesson they are also covered

in line in their specific domains uh where they were applicable and what do i mean by in the domains

where applicable well for example uh domain five is identity and access management we'll talk about access

control attacks in domain five but if you'd like to go through attacks and counter measures all in one setting

go check out that supplemental lesson and that will serve you well in fact there's the thumbnail you want

to look for on on that supplemental video in the playlist so let's get into some of those new

concepts that i mentioned are present in domain three we'll start with zero trust security which which is a strategy an

approach that addresses the limitations of the legacy network perimeter-based security model where the firewall was

the perimeter right so with with work from home mobile devices our users are everywhere right so really

xero trust security typically treats the user identity as the control plane so you'll hear it in in marketing documents

they'll say the identity is the new perimeter uh xero trust assumes compromise or breach in

verifying every request so basically no entity is trusted by default we're verifying identity managing

devices managing apps and protecting data in all phases of operation

so in that category of secure design principles secure default is called out in 2021 so this simply means default

configuration represents a restrictive and secure configuration and this should apply not only in your

own configurations within your organization but you should expect the same

of of your hardware software and and service vendors that their service their device their software is

is secure by default it's a reasonable expectation in 2021. fail securely which simply means that

when a component fails it should fail in a state that denies access rather than granting access

these two concepts are actually taken from from nist sp 800 800-160 trust but verify is a principle that

depends on an initial authentication process to gain access to the internal secured environment and then relies on

generic access control methods so due to changes in the threat landscape today this is no longer considered sufficient

and has largely given way to zero trust security so privacy by design comes up so making

privacy an integral part of every system your policies your design process the the best

guidance i can give you here comes from the international association of privacy professionals

who have published seven principles of privacy so privacy as a proactive

approach something we consider from the moment we are envisioning a new

service or product privacy is the default setting right it's not something that uh that has to be opted opted in

it's something you would you would want to to have folks opt out of so privacy is the default uh privacy should be

embedded in the design not bolted on later so it should be considered from the design phase uh principle number

four is that privacy should be a positive sum approach not a zero zom sum approach and you might be asking well

what the heck is is a positive sum approach a positive sum occurs

when an approach is formulated where the needs of everybody involved

are are met so so when we implement privacy in our design we as an organization

create a more effective more secure service and our customers benefit because we have considered their

privacy from the beginning so so another way of saying positive sum i i would say is that you're creating a win-win

scenario end-to-end full life cycle data protection right we talked about about

data life cycle so protecting our sensitive data making sure that after data is created it's

classified and protected super important visibility and and transparency there are many ways to facilitate

visibility and transparency for example if i'm a software company i have a privacy policy that explains to a user

what data i am collecting from that user and what i am doing with that data so so transparency can be communicated through

policy and implemented in features of of a service or software what have you and keeping privacy

user centric uh you know when i think about user-centric privacy i think about gdpr

so gdpr is the is the general data protection regulation it's the eu's uh data protection lawn and in gdpr

the user has the right to instruct me as a company to forget them so in gdpr regulations i do have to be

transparent in my privacy policies the user has the right to request all data that i have collected

about them and they have the right to tell me as an organization to forget them to

basically lose their information lose my number and again i think from a cyber security

perspective these are just sensible principles anyway so applying these principles and implementing a layered

defense defense in depth we'd call it as part of a zero trust strategy just ensures

uh privacy end to end so i think these are good principles that help you help you onboard

the concept of privacy by design keep it simple is not a new concept this is a concept that's been around for a

very long time and it applies to much more than just cyber security so bruce schneier

mentioned uh once upon a time that complexity is the worst enemy of security complexity

is the worst enemy of of many things and a simple design is the best design we justify uh the addition of complexity so

in the world of cloud and hybrid security services that leverage you know ai in the cloud machine learning a best

and sweet over best in breed approach is generally considered uh the best way to simplify defense in depth because the

security suites from the various uh cloud you know cloud focused security vendors

will incorporate layers of intelligence that

together are better in securing your environment and this simplicity also helps to avoid configuration mistakes it

means that your layers are going to be integrated better

uh it means that your overall solution is generally speaking going to be smarter it does not mean that you're

going to have only one security vendor it means that you will likely have fewer security vendors but you will have you

know some sort of suite that will serve as the foundation

for your organization and whether your foundation is based on on microsoft or google or cisco

or amazon that that's not so important as the concept in this case but this enables

organizations to move forward you know incrementally rather than demanding perfection it's really a a fresh

application of the classic keep it simple silly principle that's that's the the kiss principle that they taught us

when we were kids honestly when i was a kid it was keep it simple stupid but but we're we're more

polite now and so we we don't we don't say stupid but when i think about maintaining

simplicity in in designing a cyber security strategy

these are some tips that i think you'll find helpful but really never underestimate

the value of incremental improvement rather than demanding perfection out of the box because when we choose a best in

breed strategy and we try to go find the best vendor at every layer we spend a lot of time shopping we spend a lot of

time trying to determine how well those solutions integrate with one another becomes a lot of work a lot of expense

and a lot of complexity so security as a service uh this is a cloud provider concept where the

security is provided to an organization through or by an online entity this definition would be applicable to

all of those providers that i mentioned just a moment ago internet of things so these are a class

of devices connected to the internet to provide automation remote control ai processing in a home or business setting

we all have iot devices

plugs thermostats assistance speakers

you name it so so more scenarios involving iot devices are likely to appear on the 2021 exam uh smart devices

mobile devices that offer customization typically through installing apps and might use you know on device or in the

cloud ai processing there are all sorts of devices that can be considered

smart devices from smart phones to smart thermostats to doorbells to sensors used in manufacturing

scenarios to predict device failure before

a device fails and one would think generally speaking on the cissp exam

the context the examples around smart devices and iot will be more business focused than they would be

focused on home scenarios so next we're going to talk about sim and soar so sem is security information event

management so think of a sem solution as a system that's going to collect data from many sources within your network

it's going to take sign in logs for identity and access management it's going to take syslog and

common event format data from your network devices it's going to take event logs from your endpoint it's going to

take various bits of telemetry from security solutions within your environment and it's going to provide

real-time monitoring and analysis typically using ai and machine learning and and

yuba user entity behavioral and analytics and and to

give you uh notification of potential attacks so soar security orchestration

automation and response is centralized alert and response automation generally with threat specific playbooks and what

i mean by threat specific playbooks is the form of automation may be very different from different

vendors but the automation will be threat specific generally speaking

because specific threats require specific responses whether that's a particular type of of script or

automation tool and the response might be fully automated or sometimes you'll see these solutions come semi-automated

out of the box where where essentially the potential

attack is is identified and then the sore solution gives you the

you know click here to remediate sort of response and i soar is actually mentioned in

domain eight so why am i talking about it here well i'm talking about it here because sem and sore uh nowadays are

very commonly delivered together as components in a single solution so i wanted to talk about them in context

because the sem part of the equation is going to be doing the the monitoring the analysis and the

notification the soar is the response automation whether automated or fully automated or partially automated but i

wanted to bring this up earlier in the discussion because uh in terms of context it fits here better than in

domain 8 in my opinion so so you know on the exam you know you're not taking the the questions aren't

coming to you domain at a time so functionally speaking i just wanted to get this out in the open here now but

these solutions today are often going to use ai and ml and threat intelligence to uh

to come to their conclusions to it to aid in their analysis uh we'll talk about threat intelligence in just a

moment so micro services and service oriented architecture soa may come up on the exam

in 2021 so soa is the creation of discrete services that that can be accessed by users in a black box fashion

so basically we don't know what's going on under the hood soa is a concept that's a few years old you don't hear

near as much about it anymore it's really been superseded by microservices which are

fine-grained services with a discrete function i think of of microservices as a more modern adaptation of soa

that's better oriented to cloud computing many times you'll find micro services are built

in a fashion that they are containerized so they can run on a container platform like docker and

kubernetes and it's important that we we identify code level

vulnerabilities early in the development life cycle so before software is released

you can do this with a combination of static code analysis and dynamic testing basically early in your

integration and delivery process so we can identify deficiencies before the release so so another way to say static

code analysis is static application security testing

we're going to talk about that in the changes that come in domain 8 and dynamic testing also

dynamic application security testing so so we'll touch on those two in domain 8 in in greater

depth so containerization may come up on the exam and and this is really talking about technologies like docker and

kubernetes kubernetes really being the de facto industry standard now when it comes to

containerization so this is a lightweight granular and portable way to package applications for multiple

platforms and it's going to reduce the overhead of server virtualization by allowing a containerized app

to run on a shared os kernel so we can have multiple applications that are

containerized running on the same virtual machines containers don't have their own operating system

they are sharing the operating system of the container host on which they run which is going to be you know a linux

server typically or sometimes occasionally a windows server linux being the the more common uh container

host uh now when we get into that more granular level of

sharing an operating system we still have many of the same concerns we have around server virtualization in that we

need isolation for our applications you know at a host level at a process level at a network level at a storage level

and you can imagine in shared environments we might not be comfortable running

containerized applications in the same clusters and so you'll hear discussions around

not just logical separation but but physical isolation as well

and you know really devops security can is is really going to focus on the

container level we think about application level security so author authentication and authorization

we'll talk more about these as we move along here so application programming interfaces or

apis may come up on the exam with rest being the the modern standard for api development soap was the standard in

years past but an api is a set of exposed interfaces that allows for programmatic

interaction between services back in the early days of amazon

jeff bezos laid down a standard for his his technology groups that when they built a service they had to package that

service and make it available for other other teams of the products business units etc for for their consumption as

well so rest the modern standard i mentioned uses the https protocol for for web

communications to offer those api endpoints all your communication between client and server should be encrypted

and your access should be limited with api keys which means you also need to ensure that storage distribution and

transmission of those access keys is done in a secure fashion because that's effectively a secret if you've never

played around with an api you could go sign up for a developer account on twitter for example or facebook and

and get into an example of working with an api embedded systems another potential exam

topic uh coming uh about through the rise of the internet of things so so an embedded system is a technology

component of an iot device think of it as a full computer system embedded inside another larger system a

good example of this printers typically have embedded systems gps drones

semi-autonomous vehicles they have a full computer system that's embedded inside that larger

system and with embedded devices you'll need to consider authentication practices to

ensure they meet with security best practices you want to avoid implied trust

so high performance computing another potential exam topic so so this is an alternative to client server computing

for compute intensive operations with large data sets that typically require large-scale parallel processing the seti

project the search for extraterrestrial intelligence is a good example of high performance computing where individuals

can volunteer their compute time to help process data so grid computing which we which is

high performance computing we often see in a business setting employs a centralized controller that makes

computing assignments to grid members and in a grid computing example we have some security concerns particularly

around that grid controller making sure that that grid controller is safe from bad actors or that the grid can't be

used for illicit activities which means there needs to be some governance built in as to how

assignments are made and and what compute tasks can be assigned so edge computing may come up and and

edge computing really speaks to operations that require processing activities to occur locally

far from from the cloud so this is really common in iot scenarios the agricultural space science science and

space military i even see it in retail scenarios

fog computing places a gateway device in in the field to collect and correlate uh data

centrally at the edge so fog computing is kind of a nuanced version of edge computing

you know i can think of of an edge computing scenario like in uh watering plant in a field i have sensors iot

sensors that will uh you know sense the uh the moisture level and automate

watering so for for those types of operations to happen in a timely way i might need that to happen at the edge i

can think of retail scenarios where you go visit a kiosk in a drug store for example to order

uh you know especially uh you know crafted cards or photos right there at a kiosk edge

processing could be very important in a good user experience so with large you know network device

counts and varied locations you want to think about data encryption spoofing protection and authentication

to avoid bigger security problems because a large number of unsecured iot

devices can become somebody's bot army for distributed denial of service attacks

right now we're going to shift gears and we're going to talk about cloud computing which will definitely receive

more attention on the 2021 version of the exam so we'll talk about infrastructure as a service platform as

a service software as a service so i as pas and sas and we'll talk about private hybrid and public cloud

and we will talk about the shared responsibility model this is

going to be key for the exam so let's talk about shared responsibility so when we are on prem

responsibility for security is a hundred percent ours right all the way down to the wire in our data center we are

responsible now when we begin to consume services in a public cloud scenario

who's responsible for which components shifts and some of our responsibility is for security is shifted to the csp the

cloud service provider so in an is scenario infrastructure as a service think server virtualization running

virtual machines the the csp is responsible from the wire up to uh that virtualization host we are

really deploying virtual machines and configuring and consuming at that level we will have some responsibility for

specific types of configurations to ensure availability to ensure slas kick in

but but you see there some responsibility has shifted when we look at platform as a service

we see that we're giving up more responsibilities to the csp here as well think of

cloud database models if i'm hosting a database in the cloud

where i'm not responsible for the service that runs it you know beyond some some simple configuration of

my my database uh if i'm thinking about web applications or or functions that are hosted in a service

you'll notice here all the way up to the runtime belongs to the cloud service provider and in a database scenario i'm

responsible for my my data and the applications that are talking to my data if we think about software as a service

you know we're giving away more responsibility yet we're really just responsible for using and consuming the

service uh office 365 is a great example of this uh service now the uh the itsm platform great responsibility so you

notice as we move into the cloud we're handing over some of that responsibility for security and management to the csp

which is a good thing for us so just some examples here and some some details to help you cement the the shared

responsibility model so in the is scenario the csp the cloud service provider is providing the building

blocks like the networking the storage the compute they manage

the staff and the hardware and the data center for us right so so good examples of this azure virtual machines amazon

ec2 google cloud platform compute engine pass platform as a service the customer

is responsible for deployment and management of the app so that's we are the customer in that scenario

the csp manages the provisioning the configuration the hardware the operating system you know even more underlying

details good examples here azure sql databases azure api management azure app service which which is running web apps

again in a fashion where we're not worried about servers

so before we move on to software as a service i want to touch for a moment on the difference in responsibility and

functionality between serverless and platform as a service so so serverless may also be called function as a service

so so let's take a web application when i deploy a web application let's say i'm a restaurant and i have a web

application that has a menu function and an ordering function for example uh in in a a pass scenario i'm going to deploy

that application into the service i'm typically going to have to pick a service tier now in its paths it's

platform as a service so i'm not worried about servers or any of that but i'll have to decide if i want dedicated

environment i'll have to pick you know some service tier that gives me an idea of

scale now function as a service allows us to break this down one level even more granular

i'd say so let's say if i want to move my my

restaurant application into function as a service i might break that menu out as

as one function and then i break the ordering function out separately and i send that code to my function as a

service provider they handle the provisioning uh and they handle the scale so what it would do is allow the

individual components of my my application in that scenario to scale independently but in a function as a

service scenario i'm not worried at all about the scale the platform is handling that

behind the scenes for me so function as a service allows me to to make even fewer decisions around around

service tier and scale and so forth it's giving me a more granular way to to break that up

versus platform as a service which is a a level more granular than and less responsibility than infrastructure as a

service where we were handling virtual machines so different platforms have different

names for it so so microsoft for example in azure they call it uh it's azure functions in

aws on the amazon platform it's aws lambda i believe but but what they are both is event

driven serverless computing platforms all right so let's talk about software as a service so so in the

software as a service scenario we're handing even more responsibility over to the csp so in this case you know we as

the customer just config we just configure features right the csp is responsible for management

operation and availability of the service so good examples of of software as a service that you'd be familiar with

would include office 365 service now and and salesforce all right now i want to shift gears and

talk about cloud models for a moment and i just want to acquaint you with the differences between

uh public private and hybrid cloud models so we'll start with public cloud this is where everything runs

on the cloud provider's hardware so the advantages here would

include scalability we can scale infinitely in the cloud at least in theory right

greater agility because we don't have to make capital purchases

in order to deploy new infrastructure we can push a few buttons and deploy new

infrastructure in the cloud and what you're doing in a public cloud scenario is trading some

capital expense you know which would be investment in your data center for what we call operational expense so just

paying as we go for for services in the cloud for

infrastructure in the cloud so that that pay for what you consume model and

it allows us to to scale more easily more quickly less

maintenance and it lowers the skills bar because we don't have to have maybe quite

the same server expertise and network expertise in our organization so this is a great equalizer for smaller

organizations private cloud so this is a cloud environment in your own data center so

server clusters virtualization clusters you know maybe running vmware or hyper-v for example

the advantages here include that we have legacy support we have control over that environment we can establish

the conditions for regulatory compliance so really in private cloud if i had to put it in in a word it's really

controlled there because we when we're working in a a public cloud model you know typically you're working

on the latest version of a service in a private cloud scenario we can control the pace of versioning we can control

configurations to establish compliance for specific scenarios so when legacy comes up you know private cloud is a

good answer so hybrid cloud combines these two so it allows us to have the best of of both worlds so we can run our

applications in the right location if we need to support legacy for a time we can have a private cloud where we run those

applications if we have modern apps that we've containerized or that can run in a path or a serverless environment we can

run those in the public cloud and quite often you will find that the the private cloud in the data center

is connected to the the public cloud in some respects perhaps with with some sort of vpn

uh or or private network connectivity that connects the two

the two entities so you can have communication between them for example if you have

applications in the public cloud that need to talk to services in your private cloud so the hybrid

cloud allows you to move into cloud computing into public cloud at your own pace

so there i'm really speaking to the advantages the the main advantage is flexibility in in running our legacy

scenarios and dealing with specific compliance and scalability scenarios we can we can move it around pace which

allows us to to take on that additional work whether that work is migrating an app or recoding an app

we can take on that additional work at our convenience

so a cloud access security broker or casbi for short may come up on the exam this was a topic in

the 2018 study materials i expect it gets more attention in 2021 due to the rise of cloud computing so

a casby is a security policy enforcement solution uh so we can enforce policies like ensuring

that users only use the approved applications we have in place we can prevent

information sensitive information from being shared externally from being stored in

cloud storage repositories that we don't approve casbis very widely in their

functionality the casby industry came about to solve one problem and that is the problem of shadow i.t

uh the the scenario where organizations business units within organizations would would go out and

find they would work around the i.t department to find applications or

services to help them get their job done and they would they would purchase those on their corporate cards for example and

have a whole new way of doing things in some cases that the i.t department didn't

have any control over any any governance over or knowledge of but but when you're thinking about casbi think security

policy enforcement and think shadow it prevention so word has it the 2021 version of the cissp exam may bring

questions about post-quantum cryptography and quantum resistant algorithms so what is post-quantum

cryptography exactly well it's the development of new kinds of cryptographic approaches that can be

implemented using today's conventional computers but

that will be resistant to attacks from tomorrow's quantum computers so first two questions that come to mind are

which algorithms are susceptible and which algorithms are resistant well let's start by

looking at the two classes but first let me give you a quick disclaimer here so number one i am not a professional

cryptographer nor am i a professional cryptologist however i'm

providing you information from solid authoritative sources including the likes of bruce schneier who you may know

as a well-known public cyber security figure he also happens to be the creator of the blowfish in two fish

cryptographic algorithms and joel allen who's a pretty widely published cryptographer who who put some

focus in the area of quantum and i'll have links to to both of their articles in the video description if

you're interested in reading further but moving forward how well do current encryption

algorithms hold up to the power of quantum computing so let's take our our two major types here

symmetric which is which is shared key cryptography and then asymmetric or public key so symmetric the shared key

is what we use for bulk encryption of data and asymmetric has uses like key

exchange and digital signatures so symmetric holds up fairly well to quantum computing and we'll we'll

explore that more in just a moment where quantum poses more immediate threats to asymmetric so let's unpack

symmetric first so grover's algorithm shows that a

quantum computer speeds up attacks to effectively have the key length grover's algorithm is a quantum

algorithm for unstructured search that basically with a very high probability can identify the unique input for a

given output and basically that would mean that a 256-bit key is as strong against a

quantum computer as a 128-bit key is against a conventional computer and so you may ask

yourself wait a minute uh i'm a quantum computer is only twice as powerful as a conventional no a

256-bit key is not twice as strong as 128 bit the 256 bit key is 2 to the 128 times as

strong because doubling your length increases the possible combinations

exponentially so let's talk about asymmetric so public key cryptography so on this side we have

shores algorithm which is a quantum algorithm for integer factorization can easily break all of the commonly

used public key algorithms based on both factoring which means rsa is vulnerable because

that rsa depends on factoring of large primes and the discrete logarithm problem which

means that elliptic curve is vulnerable because that's the problem it's based on so schneier points out that doubling the

key length in the asymmetric scenario increases the difficulty to break by a factor of eight which is not a

sustainable advantage so the good news uh for the future here is that lattice offers some resistance and some real

promise for quantum resistant algorithms so it's based on different types of problems the the shortest vector problem

and the closest vector problem uh and and according to allen

uh it potentially enables us to replace essentially all of our currently endangered cryptographic schemes

and lattice-based cryptographic schemes make up the lion's share of scientific publications on post-quantum

cryptography and this bit of information comes from from nist's post-quantum cryptography

competition which they announced in 2016 and in july of 2020 so last year nist announced uh round three

finalists and the bulk of the finalists are in the of the lattice type

and that is to say your research selection and standards development is is ongoing

and you might ask yourself what exactly is a lattice well a lattice is a three-dimensional array of regularly

spaced points an example of a lattice is the the image you see right there so for the exam if you see a question

asking for which types of public key algorithms are quantum resistant the answer is lattice so that's it for

domain three quite a lot of potential uplift there in prepping for the 2021 version of the the cissp

so now we'll get into the rest of domain three so let's

talk cryptography so codes versus cipher so code are are systems of symbols

that sometimes uh imply secret but don't always have to be secret they don't always

provide confidentiality ciphers on the other hand are meant to hide

the true meaning of a message so codes are sometimes secret but don't always provide confidentiality

ciphers are always secret confidentiality is always going to be implied there

so you do need to know the types of ciphers that are out there so

stream cipher number one a symmetric key cipher

in a stream cipher your your plain text digit is encrypted one at a time it's a stream so to speak because it's not a

block of data so where a stream cipher goes one character at a time a block cipher will apply the key in algorithm

to a block of data like 64 contiguous bits for example so basically as a group rather than one bit at a time so that's

the fundamental difference between a stream cipher and a block cipher a substitution cipher uses the algorithm

to replace each character or bit of the plain text message with a different character

this might be as simple as just shifting the letters of the alphabet so one letter represents another letter i could

shift characters three to one direction so the letter d

represents the letter a for example julius caesar actually developed one of the earliest ciphers of this type that's

now known as the caesar cipher transposition uses an encryption algorithm to rearrange the letters of a

plain text message forming the ciphertext message and the initialization vector iv is a

random bit string that's xored with the message reducing predictability and repeatability now the size of this

initialization vector varies by algorithm but it's normally the same length as the block size of the cipher

or as large as the encryption key really what this is is the cryptographic

version of a random number that's injected into the process prior to the xor

so caesar vigenere and one time pad are three very similar stream ciphers and the main difference between these

ciphers is key length so caesar shift cipher uses a key length of one

vigenere uses a longer key usually a word or a sentence and the key length in a one-time pad is the same length as the

message itself now we need to talk a bit more about one-time pad i do expect you're

going to see at least a question on this on the exam so

for a one-time pad to be successful the key must be generated randomly without any known pattern

and it has to be at least as long as the message to be encrypted because remember that's what what differentiates one time

pad from visionaire and caesar so the the key is the same size as the message itself and

the pads must be protected against physical disclosure you can't give away the secret right

and each pad must be used only one time and then discarded because repetition could reveal

the answer right so basically all of these must be true for a one-time pad to be successful

so a concept here zero knowledge proof so this is a communication concept and and basically

zero knowledge proof is a specific type of information that's exchanged but no

data is is actually transferred this is true with digital signatures and digital certificates

so what the heck does that mean let me give it to you in plain english to just put it simply

zero knowledge proof enables one to prove knowledge of a fact without revealing the fact itself so

that's in effect what digital signatures and certificates allow us to do split knowledge

so split knowledge means that the information or the privilege required to perform an operation is divided amongst

multiple users that makes sense right splitting the knowledge amongst multiple people

so this ensures that no single person has sufficient privileges to compromise the security of the environment it's

it's separation of of the knowledge of the privilege i kind of think of of split knowledge as

role separation of a fashion really we talk about role separation in the workplace

so one person doesn't have too much privilege that they can carry out some sort of internal threat all on

their own another concept work function sometimes called work factor

so this is a way to measure the strength of a cryptography system by measuring the effort in terms of cost and or time

to decrypt the message so that the the cost or time to decrypt the message speaks to the value of the

function so usually the time and effort required to perform a complete brute force attack against an

encryption system is what a work function rating represents so

so the security and protection offered by the system is directly proportional to the

value of the work function or or factor would you like that in plain english i

hear you it's the time and effort required to break a protective measure that's that's

the work factor so when you hear work work function or work factor think time and effort required to break

a protective measure so the importance of key security so cryptographic keys

provide a necessary element of secrecy and uh modern systems utilize keys that are

at least 128 bits long to provide adequate security and that number is going to increase over time in fact when

we see the rise of of quantum computing as a mainstream capability uh that's going to change everything

about cryptography we're going to see a a massive shift in this space

but know that 128 bits is our low water mark so to speak when it comes to key length in

modern cryptography so symmetric versus asymmetric

cryptography so symmetric relies on the use of a shared key so a shared key

versus asymmetric where we have public private key pairs for communication between

parties so the difference between the two number one symmetric key lack support for scalability it's it's not

easy to distribute the key because we only have one key how do you transmit that key

secretly you know confidentially between two two people and we don't have a way to implement

non-repudiation there so we can't guarantee the the source of the message now

asymmetric on the other hand basically gives us that capability to implement a

solution that guarantees we know who that message came from but it also makes it easy to distribute that key amongst

many parties because we have private and public key pairs to to work with

stick with me and here in about five minutes we'll actually walk through an asymmetric example so you can see how

the public private key pairs are used in a scenario to

implement non-repudiation but also to transmit data confidentially

but symmetric cryptography is going to be faster since we have that shared key asymmetric is

going to be stronger and and more scalable generally speaking

so so when you think symmetric that's single shared key and it's faster and asymmetric is a private public key pair

that's going to be stronger than asymmetric so to speak so

confidentiality integrity and non-repudiation of three concepts you'll definitely need to know for the exam so

confidentiality is really focused on the secrecy of data

both you know while it's in rest or while it's in transit

integrity basically provides a recipient with an assurance that the data wasn't altered

that the integrity of the data remains that the data we received is the data that was sent in other words

and non-repudiation gives us undeniable proof that the sender of a message

is the one who actually authored it it basically prevents the sender from subsequently denying that they sent the

original message which is fantastic in certain circumstances so you need to be able to explain the

five basic operational modes of data encryption standard des and triple desks so i'm going to cover these for you in a

way that i hope is is easier for you to remember because just looking at them on the surface they're not

just super super easy to remember they don't stand out so the first is electronic code book mode so this is

the least secure of the lot and with code book mode it processes a 64-bit block the problem is

if it encounters the same block multiple times it produces the same encrypted block which makes it easy to break so i

like to say this code book is pretty easy reading cipher block chaining and in cipher

block chaining each block of encrypted text is exhored with the block of ciphertext immediately proceeding so the

previous link in the chain so to speak cipher feedback

is basically cipher block chaining in a streaming version it's going to work on the data in real time in memory but but

do remember when chaining is involved errors will propagate that's that's a key factor to associate with cipher

block chaining and cipher feedback is when they use chaining errors propagate but cipher feedback is basically

cipher block chaining in a streaming version working in memory buffers now the next one output feedback works a

lot like cipher feedback but it exerts the plain text with a seed value which means we're not using chaining anymore

it's using a seed value instead of that immediately preceding ciphertex so no no chaining means errors don't propagate in

this case and then another variation of that is is counter which uses an incrementing

counter instead of a seat and again you know using that increment encounter is pretty pretty easy

to uh to tie to that fifth mode and then uh how is triple dez different well triple

des uh runs dez three times with uh with two or three keys different keys to increase

the effective key size to 112 or 168 bits respectively so let's talk about exclusive or xor i

said we'd get to this here we are so so this is a concept that's used pretty heavily in cryptology it's a lot

more complicated than it sounds it's actually just a flipping of bits in a pretty simple systematic fashion so

you're looking at my table here you have the original value the key value and the cipher value what you're looking at here

is when the the binary values match so when the

original and the key value match you get a zero when they don't match original and key value don't match we get a one

simple as that so that's xor exclusive or so key clustering is a weakness in

cryptography where a plain text message generates identical ciphertext messages using the

same algorithm but using different keys i'll tell you how i remember this one i think of key cluster as being similar to

collisions in hashing so hashes have a collision when two different strings produce the same hash

collisions are exact exactly why md5 isn't used as a hashing algorithm anymore so with key clustering

basically it's when two different keys using the same algorithm produce the same ciphertext so it's similar to

collision in that respect so now we're going to talk asymmetric cryptography or public key cryptography

so on the asymmetric side of cryptography of public keys that are going to be shared

amongst communicating parties so if you and i are going to communicate and share secrets you can

see my you have access to my public key and i have access to yours my private key

is secret only i know my private key and in your case only you know yours and

in terms of data to encrypt a message you each can use the recipient's public key so i can use your public key

to encrypt a message and then you can decrypt it using your own private key

and with a digital signature to sign a message you're going to use your own private key

which gives us non-repudiation it ensures that if i sign a digitally signed a message

with my private key it ensures that it was sent by

me and to validate a signature you'll use my public key

so asymmetric and symmetric can work together in the sense that remember symmetric

cryptography is is fast right so we can use asymmetric cryptography to securely transmit the shared key we're

going to use in symmetric cryptography so essentially asymmetric

solves three problems one of which is distribution of of a secret and with symmetric that's

that's a problem right sharing that key amongst many parties on the symmetric side would be really difficult so that's

where asymmetric can help out so just remember each party has both a private and public key

so let's look at a simple example we have franco and maria so franco sends a request to maria requesting her public

key maria sends her public key back to franco remember your public key is

shared with all and franco is going to encrypt his message using maria's public key and she's going to decrypt the

message using her private key as simple as that and the contents of that message could be anything including but not

limited to a key a shared key to be used in a symmetric crypto function

so hash function so a good hash function has five requirements has to allow input of any length

and it has to provide fixed length output that is to say no matter how long the input the output must always be the

same length the hash must always be the same length it has to make it relatively easy to

compute the hash function for any input so it needs to be relatively fast in that respect it has to provide a one-way

functionality in other words it can't be reversed or a hash function that's easily reversed a two-way functionality

would not be so simple and it has to be collision free

collisions are exactly why the md5 protocol is not why md5 is no longer used as

a hashing algorithm so a collision in hashing means that we could put two different inputs through a hash function

and it would generate the same output meaning we can't then determine reliably what the original

value was that's exactly why md5 is not used anymore let's talk about cryptographic

salts so attackers may use something called a rainbow table it's a table of

pre-computed values to to try to identify commonly used passwords and a salt is random data that's used as an

additional input to a one-way function that hashes data password passphrase whatever

and and because we're injecting random data adding salts to passwords before hashing them reduces the

effectiveness of of the rainbow table attacks because the attacker doesn't know what

additional random data has been injected before the hash so digital signature standard

so dss uses sha one shot two shot three message digest function functions uh it used to use sha-1 generally speaking

shot 2 is going to be more common now the sha-2 is approved with dss and it works in conjunction with

one of three encryption algorithms so it would work with a digital signature algorithm or dsa

an rsa algorithm or elliptic curve dsa so public key infrastructure so this is

the certificate server that you'd see commonly in an enterprise environment so certificate authorities are sometimes

called certification authorities generate digital certificates that contain public keys of system users

every certificate has a public key and a private key to be clear and the users can distribute the

certificates to people with whom they want to communicate and the recipients verify a certificate

using the ca's public key so so that's how one can establish a chain of trust back to the issuing certificate

authority so it all goes all the way back to the the root certification authority so

in pki you'll sometimes have tiers of servers and you'll have an issuing authority

but you'll have a root authority at the at the base of the the infrastructure oftentimes

that root authority is is maintained offline but it's using uh asymmetric in that case certs are

used for web network and email security pretty commonly so in fact let's talk about web network and email security so

an email pretty common standards for encrypted messages include s mime and pretty good privacy

on the website of the house the de facto standard is is http over tls transport layer security which has largely

replaced the older ssl standard that was in use for a lot of years then on the network side i the ipsec

protocol is is pretty pretty standard framework used for encrypting network traffic uh you may actually see a bit uh

uh additional uh in terms of questions on on ipsec so let's talk about ipsec at

some greater depth here so ipsec is a security architecture that supports frame secure communications

over ip and it establishes a channel in one of two modes transport mode or tunnel mode

and it can be used to establish direct communication with computers over or over a vpn so i've seen ipsec used

between computers without a vpn vpn is a very common use of ipsec though

the windows operating system has has capability to do uh you know ipsec between computers without a vpn but you

can also establish a vpn and it uses one or two protocols authentication header and encapsulating security payload

all right common cryptographic attacks just a couple here you should be familiar with for sure from uh from

domain three brute force attacks which are attempts to randomly find the correct cryptographic

key so it's just using brute force of of computing power

with known plain text and chosen cipher text to but it requires the attacker to have

some extra information there's a meet in the middle attack which exploits protocols that use

two rounds of encryption so it's going to exploit some weaker protocols and it require requires the attacker to know

something somewhere around at least eight bytes

of uh of a message so so if uh an attacker knew the parties involved and weaker

protocols were in play here i mean the middle attack might be possible but but it uses

looking for those two rounds of encryption would be the key i'd remember for the exam in case this comes up man

in the middle attack you'll hear a lot more about this this fools both parties into communicating with the attacker in

the middle instead of directly with one another so each side actually thinks they're communicating with one another

but instead they're communicating with the man in the middle and a birthday attack is an attempt to find collisions

in hash functions and and remember a collision in a hash

function is when a hash function can receive two different values but

generates the same output that's a collision then a replay attack is an attempt to

reuse authentication requests so basically to get uh the uh the

the the hashed um output of the the authentication request and to present that um so that's

actually uh pretty pretty common so digital rights management you hear

this a lot in the entertainment world so it allows content owners to enforce restrictions

on the use of their content by others so this used to be a a big deal in the entertainment world with uh with

music back in the day it's occasionally found in the enterprise protecting sensitive information stored in in

documents but the entertainment content is where where drm was always a big discussion

and nobody was ever very happy about it so let's talk about symmetric algorithms if you haven't watched my my

video on memorization techniques for cissp you get a taste of them here so so i like to break my cryptography down in

a process called chunking so i start by breaking it down to the types of algorithms i need to remember because

this is the most uh technical topic on the cissp exam and it's a big topic so let's look at

symmetric algorithms here so you need to remember these you need to know the block size

i'd try to remember the key size as well and and remember you know symmetric from asymmetric so so

looking at this table i see i have a big chunk of of algorithms here that have a 64-bit block size

including blowfish the uh the the des family the uh

rc two through five so one of the tricks i use here so i i tied

blowfish and skipjack together i remember that they're both 64-bit because blowfish

and skipjack are both fish okay you're asking what the heck is a skipjack

this is a skipjack it's a tuna i i've lived near the coast many times so i happen to to know that

and because i know blowfish and skipjack are both the 64-bit block size remembering two fish is easy for me

because one fish times two is two fish right so that's 128 so two fish is going to be

a little more advanced in that respect and i know that aes is used commonly in the enterprise so that's advanced as

well so i just kind of tie those together that the advanced family has a 128-bit

block size uh and rc-5 has

three different options there but but i remember that the the greatest is the the 128 so then you just half that and

then half again to get your three rc5 algorithms and then streaming you know doesn't have the

block size right it's doing it piece at a time as it streams okay hash algorithms we've talked about

these a lot today right so these are easy to break down so i break the md5 family down so that's message digest

mdmd24 and five all have a hash value of 128. also notice that none of those are still in

use remember i mentioned md5 which is the the newest of the three you see there

none of those are still in use they were replaced by multiple other functions and then you have the shaw family and

the shaw family is easy to remember here because uh the and these are this is secure hash

algorithm so you'll notice that with the shaw family that the name maps to the uh the hash value link so so all of

those shaw 224 through 512 these are these are sha-2 variants and uh and essentially

the the hash value shows up in the name and and shaw one's not really in use anymore but the sha-2 family are still

actively used so make sure you you're going to break out md the md family and the shaw families and remember those

the three major public key crypto systems so you have

rsa which is probably the most famous it was it was developed by three folks back in the 1970s

you have elgamal which is actually an extension of diffie-hellman key exchange and it depends on modular

arithmetic so with rsa i tie rsa back to the uh to prime numbers so rsa involves the

difficulty of factoring the product of prime numbers diffie diffie-hellman relies on modular arithmetic

it's less common than rsa in the last few years but elgamal is based on diffie-hellman and then elliptic curve

depends on the elliptic curve discrete logarithm problem and it's going to provide

more security than other algorithms when both keys are of the same length

but but rsa i think is the the most famous of these and the most likely to come up on the exam but try try to kind

of tie some of these key facts about these three into your head so you can pick the right one out should a question

come up so digital signatures so digital signatures rely on public key

cryptography and hashing functions so so digital signatures have to use shot two nowadays

and there are three currently approved encryption algorithms for digital signatures you've got dsa

you've got rsa and you've got elliptic curve dsa and here's the table of asymmetric

algorithms we just covered i don't have any memory devices for you here because this is a fairly short table so you have

rsa diffie-hellman elgamal and elliptic curve remembering that elgamal is based on diffie-hellman key

exchange so as you're preparing for the exam i'd suggest you just chunk these out and focus on asymmetric and then

symmetric and hash each separately and it'll be a little easier i think to get those organized in your mind for game

day now we're going to talk through security models and this is an area i expect

you'll need to spend a fair bit of time and study and memorization before you take the exam it's certainly a frequent

source of questions from exam candidates this is my 2022 approach to security models in an effort to answer some of

those questions proactively so i hope it's helpful we'll start with the million dollar question what is a

security model well security models are used to determine how security will be implemented what subjects can access the

system and what objects they will have access to so remembering that subjects think of

those as the people and objects as the resources they will access and where do security models fit in the

big picture well they are a way to formalize security policy as you see in the visualization

to the right there they're typically implemented by enforcing integrity

confidentiality or other controls so you'll see these models focus on one of those three typically

and each of these models lays out broad guidelines they're not specific in nature

it's up to the developer to decide how these models will be used and integrated into specific designs as you can see in

the visualization on the right so to state it another way briefly here

what is the purpose of the security model it provides a way for designers to map abstract statements into a security

policy again it determines how security will be implemented what subjects can access the

system and what objects what resources they will have access to so the state machine model

describes a system that is always secure no matter what state it's in it's based on the computer science

definition of a finite state machine a state is a snapshot of a system at a specific

moment in time all state transitions must be evaluated and if each possible state transition

results in another secure state the system can be called a secure state machine

an information flow model focuses on the flow of information and information flow models are based on

a state machine model so biba and bellapadula are both information flow models these are two

security models we'll talk about in just a moment below padula focuses on preventing

information flow from a high security level to a low security level whereas biba

focuses on flow in the opposite direction from low to high you'll find that biba and bella padula are opposite

in their characteristics in a couple of respects the non-interference model is loosely

based on the information flow model it's concerned with how actions of a subject at a higher security level affect the

system state or the actions of a subject at a lower security level

it ensures that the actions of different objects and subjects aren't seen by and don't interfere with other objects and

subjects on the same system and a lattice-based model is based on the interaction between any combination

of objects like resources computers and applications and subjects such as individuals groups

or organizations lattice-based models are used to define the levels of security that an object

may have and a subject may have access to and you'll see lattice-based models in

bella padula and biba which we'll touch on in just a moment so three properties that will be

mentioned repeatedly when talking about security models are the simple security property which

describes rules for read operations the star security property which describes rules for right

and the invocation property which are rules around invocations calls such as calls to subjects

i mentioned security models are focused on enforcing integrity confidentiality or other control so

let's break these models out into the appropriate category based on their focus to make them a little easier to

remember so we have biba which is built on the state machine concept it's an

information flow model and it focuses on flow from low to high you'll hear the phrase no read down no write up

associated with biba more on that in a moment the clark wilson model which features

the access control triple go gwen massigure the non-interference model

and the sutherland model which is also focused on preventing interference and based in information flow and the state

machine concept bel la padula which falls into the confidentiality category

and it's focused on flow in the opposite direction of biba with bellapadula we're focused on flow from high to low and

you'll hear the phrase no read up no write down with bellapadula we have brewer and nash this model is also

referred to as the chinese wall take grant a model that employs a directed graph

and bel la pajula is a model used in government circles most of the rest of these models are used in

the commercial space so another difference you can park in the back of your mind and with clark wilson you see

i mentioned the access control triple that's the defining characteristic there so if you see a question on the exam

that mentions the access control triple you're going to know that it's definitely clerk wilson

so bel la padula mentioned this is based on the state machine model it enforces confidentiality

it uses mandatory access control to enforce the dod multi-level security policy

so government again the simple security property which is the read property the subject cannot

read data at a higher level of classification that is the no read up and the star property remember is the

right property a subject cannot write info to the lower level of classification so

no write down so in a

sensitive information scenario a worker cannot read data at a higher level of classification nor can they

down classify data by writing it down to a lower level this is lattice-based multi-level

security policy so another way to look at bellapadula i'm just going to give you a visual

memory anchor here no read up no write down i had a student give me a mnemonic they used to remember this no running

under nets with dingoes if that helps you have at it

so bel la padula if we just look at it in another way here i'm looking at information classifications from

unclassified at the lowest level of sensitivity to top secret at the highest level of sensitivity we have our read

and our right property so the subject cannot read classifications

uh cannot read information at higher classification so that's no read up and they cannot write data into a lower

classification so no write down it's enforcing confidentiality biba

is another lattice-based model developed to address concerns of integrity so the simple integrity property the

subject at one level of integrity is not permitted to read an object of lower integrity so no read down that is the

read property then the star property which is the right the object

at one level of integrity is not allowed to write to an object of higher integrity so no

write up and the invocation property prohibits the subject at one level of integrity

from invoking a subject at a higher level of integrity

so remember the simple property is read the star property is right using the same visualization we used for

bel la padula with biba the subject cannot read lower classifications no read down and the

subject cannot write data to higher classifications no write up so biba focuses on the flow

of low to high so clark wilson is a model that uses security labels to grant access to

objects constrained data items in the clark wilson model are any data item whose

integrity is protected by the security model an unconstrained data item is not controlled by the model

an integrity verification procedure is one that scans data items and confirms their integrity

and transformational procedures are the only procedures that are allowed to modify

a constrained data item i mentioned clark wilson features the access control triple which you'll see

in the ninth edition of the official study guide is now termed the access control triplet updated language for the

same concept no worries there so this features the concept of an authenticated principle a user think a

subject and then a program that's our transformational procedure in this

example the only procedure allowed to modify a

constrained data item and then we have our data items the unconstrained data items and the constrained data items

think of those as the the object so the access control triplet refers to that relationship

between an authenticated principle the set of programs the transformational procedures

that can operate on a set of data items the cdis and udis the constrained and

unconstrained data items touching on a few other models here we have the take grant model which i

mentioned is a confidentiality based model it supports four basic operations take grant create and revoke

the brewer and nash model the chinese wall it's called that was developed to prevent conflict of interest problems it

is confidentiality based the graham denning model which uses a formal set of protection rules for which

each object has an owner and a controller now it's focused on the secure creation

and deletion of both subjects and objects and it's a collection of eight primary

protection rules or actions that define the boundaries of certain actions remember i mentioned models focus on

integrity confidentiality or other controls those eight rules of graham denning

revolve around secure creation and deletion of objects and subjects those are our first four rules and

the second four of the eight are about securely providing access rights read

grant delete and transfer of access rights all right

so security mode so it starts with dedicated mode so security clearance permits access to

all information processed by a system approval for all and valid need to know for all so that's dedicated mode all all

right access approval and need to know multi-level mode on the other hand can process information at different

levels even when all system users don't have the required security clearance to access all

information processed by the system so there are some distinctions there so the key there is when when all users

don't have the required security clearance multi-level mode can be very useful

system high mode requires that each user have valid security clearance access approval

for all information processed by the system and valid need to know for at least some of the info on the system

this this offers of all the models this offers the most granular control over resources

and users and then there's compartmented mode which goes one step further than system

high and in compartmented mode each user has to have valid security clearance and access approval for all

info based processed by the system but it also requires valid need to know for all info so that's how compartmented

varies from system high is that it requires valid need to know for all info as opposed to uh to only some

so so before it gets away from me let's talk about the uh the state machine model uh which i said those security

models that we talked about a minute ago are based on so a state machine model describes a system that's always secure

no matter what state it's in so it's based on the computer science definition of a finite state machine

so a state is a snapshot of a system at a specific moment in time and all your state transitions the transition from

one state to another has to be evaluated like the transition from onto off for example

but if each possible state transition results in another secure state then a

system can be called a secure state machine so that's the key

and an information flow model focuses on the flow of information information flow models are actually

based on a state machine model so biba and bellapadula are both in both information flow models remember they

were looking at no read up no write down they're talking about the flow of information in read and write to

simplify that bill la padula in preventing information flow from a high security level to a low security level

right remember it was no right down and

biba focuses on flow from low to high remember no write up so so bella

padula focuses on enforces confidentiality biba focuses on integrity integrity

all right trusted computing base you're going to expect it to be able to define a trusted computing base which is a

combination of hardware software and controls that work together to form a trusted base

to inform your security policy it's a subset of a complete information system it's it's the portion that can be

trusted to enforce your security policy to to always adhere to your security rules now security perimeter is another

topic that may come up on the exam you'll be expected to know what that is a security perimeter is an imaginary

boundary that separates the the trusted computing base from the rest of the system from from the

not secure parts of the the system so a trusted computing base has to create secure channels trusted

paths to communicate with the rest of the system and then it protects users from

compromise essentially so reference model and security kernel two two concepts that will come up on

the exam potentially as well so the reference model reference monitor rather is the logical part of the trusted

uh computing base that confirms whether a subject has the right to use a resource

prior to granting access and the security kernel is a collection of

trusted computing based components that implement functionality of the reference monitor so security kernel implements

access control and ref reference model enforces it generally basically if we boil it down

hopefully that helps kind of solidify that a little more simply than what uh what the official text will tell you

so domain three includes some drill down on three sets of evaluation criteria

designed to evaluate uh the security criteria around systems and products the first of these is iso iec

15408 also known as the common criteria this was established to enable objective evaluation around a product or a system

based on a defined set of security requirements okay this is really the gold standard so you're also going to

see mentioned trusted computer system evaluation criteria which is an earlier system for

evaluating computer security and then you'll also see information technology security evaluation criteria which was

actually an attempt uh to create a security evaluation standard in europe basically though the common criteria has

replaced both uh the trusted computer and information technology standards there so tc sec and

itsec have been supplanted by common criteria so that's where you're going to want to put your focus you can't forget

about these other two entirely i'll explain why in a moment first though i want to drill down and break down common

criteria for you just a bit i want to give you a quick visual of common criteria as a process so it starts with

a description of the assets that we need to evaluate and then identifying the threats to

those assets the potential threats and then analyzing and rating those threats quantifying prioritizing

and based on the output of those first three steps then determining what our security objectives are for the for the

situation for the product or the the the system that we're dealing with and ultimately establishing our functional

requirements so really what you have here amounts to a five step process

that you could then repeat and refine as necessary so you're making some assumptions establishing security

policies based on the assets you're dealing with and the threats to those assets

you're performing some risk analysis and then

establishing your objectives based on on the system you're evaluating in the environment that it's going to operate

and there are actually two flavors of common criteria there's the community protection profile or cpp

which i think you're going to see a little less on on the exam it comes with it's a black box system that comes with

pre-defined requirements or or let's call them standardized sets of requirements where whereas the eal the

white box flavor allows for greater scope and flexibility in defining the the set of claims now the the study

guide says that you will need to be prepared to list the classes of tc sec itsec and

common criteria so these are the the levels of each of those systems now remembering that tc second itsec are

legacy right they've been supplanted they've been replaced by common criteria uh the official study guide calls out

the evaluation assurance level the uh the eal the white box uh version of uh of the levels and they're listed for you

here and i'm also going to put them for you here with a tighter description

according to the common criteria from eal0 up to eal7 with eal7 being the

more mature end of the scale so so as i mentioned you

it's called out that you should be prepared to lift the levels within these three

different standards for evaluation criteria but if i were going to prioritize my effort i'd

be looking at common criteria as the current standard

covert channels you'll be expected to know what a covert channel is so a covert channel is a method used to pass

information over a path that's not normally used for communication

and because it's not normally used it may not it may not be protected by the system's normal security controls uh so

for example steganography uh the the the process of transmitting information embedded in a

photograph basically a way to to covertly pass information through a seemingly benign object

but but it's not normally used it may not be protected by the system's normal security controls as in the case of

steganography right there's two types of covert channels there's covert timing and covert

storage so timing channels are based on on the time it takes to access certain

components like systems paging rate uh the time a certain transaction takes to execute or the time it takes to get

access to a shared bus and the storage channel occurs when out-of-band data is stored

in a message so icmp that what's used for ping that protocol will sometimes have some extra information in the

packets which will tell us something about the identity of the target operating system so an

attacker can use that that extra information covert channels are difficult to detect

because it's outside normal communication channels so trusted platform module so this is a

chip that resides on the motherboard of a device it's really commonly used in the windows operating system in linux as

well for that matter it's multi-purpose it's it's like storage and management for keys used for for disk encryption

for example but it provides the operating system with access to keys but prevents

component removal and access essentially but but the tpm is a chip and you're going to find it in all your modern

laptops these days so let's talk about types of access control starting with mandatory access control and this is a

policy that's determined by the system not the owner so there is a mandatory uh

access control system in place that the the user cannot that the object owner can't define and

it relies on classification labels that are representative of security domains discretionary access control allows the

owner or creator of an object to control access at their discretion that's how you remember discretionary access

control access control is at the discretion of the owner or creator

non-discrete non-discretionary access control enables enforcement of system-wide

restrictions that override object

specific access control and rule-based access control defines specific functions

for access to requested objects specific functions or rules for access so remember discretionary is at the

discretion of the owner creator non-discretionary is system wide and mandatory is determined by the system

not the owner so role based access controller are back as you're often going to hear it called

this uses a well-defined collection of named job roles to endow someone with specific

permissions for example in the cloud in microsoft azure we have a global administrator who has

access to everything we have an access administrator that role can handle issues with relation to access there is

a security reader role that has permission to read security information throughout the

system so role-based access control is is something you'll hear out there frequently and it'll it'll have a role

that you can then assign users or groups to quite typically if you think about it in the windows context so back to

mandatory access control your your mac models are going to work on one of three environment types classifications

you've got a hierarchical environment where where the labels are assigned in an ordered structure from low to to high

security low to medium to high you have compartmentalized which requires specific security clearances over

compartments or domains instead of objects and then you have

the hybrid environment which which combines hierarchical and compartmentalized so

the security levels you have security levels and within those levels you have sub compartments so that's going to be

the most granular and and flexible of the three a key point about the mac model though

is that every object and every subject has one or more labels classification labels they're

predefined and the system determines access based on on the assigned labels so let's talk about

just a few terms here so certification this is the the technical evaluation of each part of a computer assist a

computer system to assess its concordance with security standards that's the official definition what the

heck does concordance mean well it really means uh

agreement or alignment or compliance with with security standards and then accreditation is the process of formal

acceptance of certified configuration from a designated authority it's one thing to have a

a certified you know technical compliance accreditation is where a governing body

then certifies that configuration an open system these are designed using industry standards are usually easy to

integrate with other open systems and and and then you have by comparison a closed system that's generally

proprietary hardware or software and with these they're kind of black box their specs

aren't normally published they're going to be harder to integrate because they are

what we'd call a black box they're proprietary and secret uh to a degree

so techniques for ensuring cia what do i mean by cia no i'm not i'm not

talking about the cia the government cia i'm talking about the cia triad confidentiality integrity and

availability so confinement restricts a process to reading from and

writing to certain memory locations bounds are the limits of memory a process can't exceed

when reading or writing and isolation is the mode a process runs in when it's confined

through the use of memory bounds so so definitely know the definitions for confinement bounds and and isolation

because these are all techniques for for ensuring cia so let's talk about authentication

factor so with multi-factor authentication you can have something you know like a

pin or a password something you have like a trusted device it's quite common in in secure

environments that you have to to authenticate with something you know and you have to be attempting to

authenticate from a device that is trusted it's known to not be compromised it complies with the organization's

standards then something you are like biometric like windows hello does face scanning

when you when you go to secure data centers many times there's a biometric

mechanism like a retina scan or maybe even a fingerprint

authentic this is authentication and authorization so authentication often is the process of proving that you are who

you say you are then authorization is the act of granting

an authenticated party permission to do something so that's identity

and access control if i were to say it another way so permissions rights and privileges are

granted to users based on their identity and if a user has rights to a resource they're granted

authorization that's that's basically authenticity and authentication can be achieved with

both the metrics and an asymmetric cryptosystems but you know whether it's symmetric or asymmetric will will also

factor in on the uh you know how secure it is and the speed right and how scalable

okay so a few terms around multi x here so multitasking this is

simultaneous execution of more than one application on a computer and it's managed by the operating system so i can

run multiple applications on windows or on my mobile phone multi-threading permits multiple concurrent tasks to be

performed within a single process so multi-threading gives me multiple threads within within a process

so multiple concurrent tasks is the key to remember in multi-threading then there's multi-processing which is

the use of more than one processor to increase computing power pretty much everything i can think of

in terms of standards you know desktop and and laptop computing devices now uh have long supported more than one

processor and then in uh the mainframe world we have something called multi-programming it's

similar to multi-tasking but it takes place on mainframe systems and requires some specific programming

so think about multi-programming as multitasking for mainframe that's the the bottom line there

so single state and multi-state processor pretty pretty simple single state processors are capable of

operating only one security level at a time and multi-state can operate at multiple levels

of security okay processor operating modes there's user mode which is where applications

operate with limited instruction sets uh so these are going to be your ordinary

end user operations typically and then privileged mode are where it's known as system mode or kernel mode

or sometimes supervisory mode but this is where controlled

secure privileged operations occur so it's often going to be a protected area in terms of of memory under processor

and storage access but but think controlled operations i think of user as end user

operations and privileged as system or administrator operations you'll want to be familiar with these

memory types and the differences between them for the exam so we have read only memory or rom where the contents are

burned in at the factory it's not writable we have two flavors of ram static ram

which uses flip-flops dynamic ram which uses capacitors we have programmable rom it's similar to

rom with several subtypes we'll take a look at here so we have erasable prom we're erasing that read-only memory is

possible we then have two sub-categories of eprom which are uv e-prom and eeprom so we

have ultraviolet eeprom where the chips have a small window that when illuminated

with a special ultraviolet light it will erase the contents and then there is electronically

erasable prom where we use electric voltages to force erasure

and flash memory which is a derivative concept from eeprom it's non-volatile and can be electronically erased

and rewritten so uh security issues with storage so primary storage is is the same as memory

the primary classification secondary storage consists of magnetic flash and optimal media that

first has to be read into primary memory before the cpu can use the data and then random access storage devices

can be read at any any point in time and sequential access storage requires scanning through all the data physically

stored before uh the desired location so you have to access all the data in order so

sequential would be difficult uh to leverage in some circumstances

uh three main security issues around secondary storage so not memory right removable media can be used to steal

data i can plug a usb key into a computer copy some data and walk out the door right

so we have to to secure that channel of moving data access controls and encryption have to

be applied to protect data right we have to apply uh you know some sort of limitation of access role-based access

control for example and data can remain on the media even after file deletion or media formatting

what i just mentioned right that when you delete the file you're not always deleting the file i can use forensic

means to to find that data after you've deleted it so so you want to

to be very aware of that input and output devices so so input and output devices are going to be subject

to eavesdropping and tapping so so think back to phone systems you know uh tapping a phone

used to be a common um you know mechanism for for uh breaching

security of voice conversations a network connection a network cable can be tapped

as well we can tap directly into a cable with something called a vampire tap so so eavesdropping and tapping are used to

smuggle data out of an organization so you have to be careful about

securing entry points into your environment this is really where physical security starts to come into

play we have to secure the wiring closet for example and we'll talk about securing a wiring

closet in a bit uh so the purpose of firmware you'll be expected to know what firmware actually does it's basically a

software that's stored on a read-only memory chip and it contains basic instructions needed to start a computer

or a peripheral device like a printer so vulnerability threats counter measures let's talk about uh processes

so process isolation uh ensures that individual processes can only access their own data so so one process can't

read from another you can imagine if an attacker knew they could read other processes that would be

an interesting channel for them to pursue layering creates different security realms within a process and

limits communication between them and then abstraction creates a black box interface for programmers to use without

knowledge of the devices interworking so you'd see abstraction in a proprietary system

and then data hiding prevents information from being read at a different security level so

hardware segmentation enforces process isolation uh with physical security controls but it prevents information

data hiding prevents information from being read from a different security level so so that's the key to remember

there so the role of security policy so the the role of a security policy is to

inform and guide the design development implementation testing and maintenance of a particular system so so we start

for example with our organization security policy and that gives us the rules that we need to adhere to in in

designing and implementing a solution to solve a problem that gives us the the security standards

by which we go it may be the organization it could be a governing body in the case of a regulated

environment you know pci dss for example lays out policy related to handling credit card data for

example cloud computing you'll be expected to know what cloud computing is right so

this is where where processing and storage is performed somewhere else over a network connection rather than locally

so so really commonly you can think azure amazon and google cloud which which you know have their own data

centers that you can rent time in you know you pay as you pay for what you use essentially and and

sensitive and confidential data can be at risk if the cloud provider and their personnel don't adhere to the same

security standards as your organization i tend to think with the major cloud providers it's actually more secure and

and all three of these providers are going to give you some way to see the security standards to which they are

they adhere and for which they are certified azure last i looked as the most certified in terms of the various

standards they adhere to i'm a big believer that that in the cloud the major providers these days do it better

than the average i.t department can do in their own data center i think the cloud's come a long way in that respect

hypervisors you'll expect it to be known to know that what a hypervisor is and the two types so so

there's a type one hypervisor which is a native or bare metal hypervisor so you can think of of

um an esxi server from vmware that basically there's no operating system

you're logging into and using and then launching virtual machines it's just bare metal running vms that's its sole

purpose uh hyper-v uh has has a type one hypervisor option as well and then there's a type

2 hypervisor which is a hosted hypervisor so a couple of things you could think about

here would be well on windows 10 for example you can light up the hyper-v feature and you can in the windows 10

gui you know create and launch virtual machines that would be kind of a type 2

scenario other type 2 hypervisors uh oracle virtualbox

vmware workstation you know where you've got a gui and then you can then go in and mess with your your virtual machines

a casby a cloud access security broker so this is a security policy enforcement solution that can be installed on

premises or in cloud so so casby's haven't been around that long you'll often hear casby's mentioned uh with the

phrase shadow i.t because we can use casbi's to enforce security policies to ensure

that only secure applications are used in our environment and that our data is not stored in unauthorized repositories

so we can we can make sure that if we're using cloud storage that it's only

approved or sanctioned storage locations security is a service basically a cloud

provider concept where security is provided to an organization through or by an online entity and there are many

flavors of of security as a service there are many services that you can acquire in

the cloud to protect information identities uh security information event management systems which can can do some

centralized processing of your environment so really just think of of security as a service as outsourcing the

security function smart devices so so smart devices are typically mobile devices that offer

customization options you know often through installing apps and they might use you know

technology on the device or in the cloud you know hey the ai can be local or it can be cloud based

uh internet of things so that's a class of devices connected to the internet you'd be familiar with the internet of

things you know that that can include all the devices in your home automation automation your uh your home assistant

like google or alexa uh or or siri for example um

or or a car connected to the internet right so there are billions of devices that fall into the world of internet of

things or iot it's called so be basically familiar with what internet of things refers to

so mobile device and mobile app security this is a big space you'll need to know some of the basics here so so a range of

potential security features available to a mobile device could include encrypting the device uh which

is very common with both ios and android uh remote wiping a device and and typically you can

wipe just business data you can do what they call a selective wipe with with the right management software so you can

wipe just the business data off a device locking screens requiring pins gps controlling which applications access

which types of data which leads me to the reality here that mobile application security is also

pretty important and likely to come up on any any

question around mobile devices so these are applications that need to be secured

um and and could be related to securing uh you know through credentials uh application whitelisting etc and in

the world of of you know enterprise computing byod bring your own devices really popular in large companies and

that's a policy that allows employees to use their own personal device to access business information and

resources you know this this tends to make people happier but it increases our security risk

because we have to put some boundaries around what type of device they can bring

and what applications they can use to access our corporate data so that's going that's where where device security

and mobile application security factor in and your major

platforms nowadays major mobile device management platforms nowadays give us the ability to manage

the device and to manage applications on devices that we cannot fully control

mdms would include things like microsoft intune airwatch mobileiron quite quite a few quite a few

mobile device management platforms out there intune and airwatcher two that come to mind that give us the the

capabilities we're talking about here so let's talk about embedded systems and static environments so an embedded

system is typically designed around a limited set of specific functions

in relation to a larger product for which it's a component lots of devices that fall into this

category motion sensors lighting systems cache registers digital signature pads wi-fi routers

then static environments are applications uh oss hardware sets or networks that

are configured for a specific need capability or function and they're they're set to remain

unaltered uh you know change is reality in this world but uh they're set they mean set to remain unaltered even

uh through interaction with with people with users and administrators and both of these need to be managed and

managing these you can use network segmentation security layers firewalls manual updates controlling your firmware

versions you know any any sort of wrappers around these but just understand the basic definitions i

don't expect to see a lot of focus on this on the exam but just fyi privilege and accountability so there's the

principle of least privilege this is a foundational component of secure computing

and and separation of privilege so so least privilege ensures that only a minimum number of processes are

authorized to run in in supervisory mode this also factors in

when we grant people role-based access control the principle least privilege means we give someone for the

permissions they need to do their job and no more and separation of privilege increases

the granularity of secure operations by separating the privileged operations any one entity can perform be that a system

or a person so so we sometimes call that in the world of people we call that role separation

you know maybe the same person can't establish permissions who then administers the system somebody else

grants permissions they grant they are the access administrator and then somebody else performs the technical

functions of the system administrator so so accountability ensures that through all of this an audit trail

exists so we can trace operations back to their source so if permissions are granted at a higher level for someone we

know who or what did that and and if we don't have proper you know separation of privilege there's an audit

trail that shows us where one person maybe was was temporarily granted elevated privileges performed multiple

operations that broke our separation of privilege clause and and moved on

okay common flaws and vulnerabilities we have the buffer overflow and this this occurs

when a programmer fails to check the size of of input data prior to writing data to a specific memory location so if

we don't if if software is poorly written and it doesn't check the size of the data it can potentially

overwrite the bounds of memory to for which it's been granted access and potentially

overwrite more important or other important data which can cause

a system to to malfunction in a number of ways including crash you know back in the

early days of computing you know buffer overflows were really common in addition to buffer overflows programmers can

leave backdoors and privileged programs on a system after it's deployed that's that's where we have to to employ

security um you know policies and and standards to and and tooling to ensure that we we

catch anything installed on a system that shouldn't be there

uh even and even well-written systems can be susceptible to what we call time of check to time a use attack so any

any state change presents an opportunity for an attacker to compromise a system so if i if i

you know get uh credentials at one time you know credentials captured at one time used it

as a at another uh can can factor for example in a replay i think i think

of a replay attack as as something i can relate to this because in a replay attack i capture credentials and then i

attempt to reuse those credentials at a later time so so i think of that as kind of an equivalent

concept to time a check time of use the functional order of security controls may come up on the exam and

you'll want to know these in order so it starts with deterrence our

security controls should deter or discourage any malicious or negative activity and if deterrence

fails then our control should deny that activity if denial

fails then our controls should detect that activity and allow us to track that activity as it

occurs and finally it should also help serve to

delay the progress of that activity now in 2021 we saw this language evolve just a

bit so i saw those terms

simplified a bit to deter deny detect and delay and we also saw

two additional controls added to the functional order and you see them there determine and

decide so determine the cause of the incident or assess the situation to understand what is occurring

and decide on the response to implement such as apprehending the intruder or collecting evidence for further

investigation now we're going to dive into a wide range of material around physical

security and this is super important because it's an area that many it folks haven't spent a lot of time with so

physical security controls can be divided into three groups administrative logical also known as

technical if you see technical controls or logical controls two ways to say the same thing

and and physical controls now i have some listed here i want to break these out in a way that's easier for you to

memorize so let's start with the logical controls the technical control so these will be

items like access controls intrusion detection alarms uh closed circuit tv and monitoring hvac systems in your data

centers power supplies fire detection and suppression and we'll dig into some of these

into some of these individual areas uh momentarily here so administrative controls

are more focused on policies and procedures facility construction facility selection

picking the right site uh site management having proper procedures for managing your site uh

personnel controls employee policies security awareness training emergency response

and then within emergency response having emergency procedures you know laid out at the step-by-step level so

administrative controls can be wide-ranging and then physical controls for physical security

are exactly what they sound like this will be things like fences lights locks construction materials

man traps to allow only one person in at a time bollards to keep someone from driving up on a facility

uh dogs guards quite quite a few options there but but remember for the exam there's no

security without physical security without control over the physical environment

uh no amount of administrative or or technology is going to provide adequate security

security that's bottom line if a malicious person can gain access to your facility or your equipment

like your wiring closet they can do just about anything they want from you know destroying equipment

outright to disclosing or changing configurations in a way that may be difficult for you to recover from

so in terms of physical security controls uh no no your fences so so three to four feet for example decor

deters a casual trespasser if you're trying to deal with serious intruders eight feet with barbed wire

uh temperature understand that temperatures for computers uh 60 to 75 degrees fahrenheit in the ideal range

that's 15 to 23 celsius computer damage at 175 fahrenheit storage device damage at 100 and your ideal humidity

is 40 to 60 percent there there are negative consequences on both sides of that which i'll talk about in just a

moment electrical impacts know the difference between a blackout a brownout fault

surge spike sag uh and i've labeled them here to to the degree uh that they will differentiate

enough for you to remember for the exam so a blackout is prolonged loss of power where brownout for example is just

prolonged low voltage where your your electricity is not consistent and clean so remember these six

for sure uh light know that uh lights eight feet high with two feet of candle power is the uh

the uh the magic and the are the magic numbers for security controls okay humidity and static so so

when we're dealing with humidity too much humidity if we get much over percent we can get to a situation where

we have uh condensation that can cause corrosion uh your condensation is going to be bad

for for uh equipment right and too little humidity causes static electricity even

on a non-static carpet low humidity can generate a 20 000 volt static discharge which

which is enough to damage just about any sort of equipment

let's talk about fire suppression agents we're going to go from class a to class d so class a are going to be your common

combustibles like wooden paper and these can be extinguished with water or soda acid

uh class b boil and you notice i have um the the acronyms there so ash boil so

class b boil these are burning burning alcohol oil and other petroleum products like gasoline these are

extinguishing with with gas or soda acid you should never use water on a class b fire

period class c these are electrical fires that are fed by the electricity that started

them so electrical fires are conductive fires and and the agent

has to be non-conductive i mean meaning it cannot conduct electricity like any type of gas and incidentally when you

disconnect the power source the electrical fire then becomes another class of fire based on what what is

burning so when we remove the power source it becomes a class a b or d fire

uh and then cla but any type of gas is good for electrical fire because we need something that doesn't conduct

electricity you know water would be catastrophic for example uh class d

these fires are burning metals and they're extinguished with

dry powder uh you know when you get into the into these odd classes of fire like

classy these are scary because these are you're putting these out are not going to be common knowledge your

organization has to be prepared for these right

class k is a kitchen fire that's going to be like burning oil or grease your wet chemicals are used

to extinguish class k fires i'm not convinced you'll see anything

about kitchen fires on the exam i put it on there just in case uh you know offices have kitchens

right so worth worth mentioning i think there are three categories of fire detection

though they include smoke sensing flame sensing and heat sensing so know your three categories of fire detection

as well uh fire extinguisher classes and suppression agents in a table here if you want to

memorize these with a bit less detail there's just a table that very comes out for you a little more cleanly

voltage and noise so you have two types of electromagnetic interference you have common mode noise which is generated by

the difference in power between the hot and the ground wires of a power source and then you have traverse mode noise

which is generated by the the difference in the hot and the neutral wire so that's that's the key

the key differentiators between the two that i would memorize and and radio frequency or rfi interference is

generated by you know electrical appliances light sources you know cable circuits etc really

any anything you know running on electricity right voltage i mentioned static voltage

earlier here are some common levels of static thresholds of static voltage uh damage you should you should probably be

uh familiar with this this isn't the first thing i'd memorize but if you can if you can park these these voltage

levels in your head uh it's worth doing right so damage from from fire suppression itself so the destructive

elements of a fire include smoke and heat but also the suppression medium so like like water or soda acid you know

what we're using to suppress the fire can cause damage so smoke is damaging to you to most of your storage devices

heat can damage you know any electronic or computer component uh suppression mediums can cause a

variety of problems short circuits they can initiate corrosion uh or or otherwise just render equipment

useless you might put the fire out and and really you know the suppression medium might be so so damaging that you

know really all you're saving is human life because at the end of the day that's the most important thing

right so all of these issues have to be addressed when designing a fire response system but at the end of the day the

number one concern is always going to be human safety so if you are faced with any sort of choose the best

answer if uh or the most important you have human safety is always going to be the

top of the list so water suppression systems so so pre-action systems use close sprinkler

heads and the pipe is charged with compressed air instead of water uh the water's held held in check by

electronically operated sprinkler valves and the compressed air these are going to be good for areas with people and

computers wet pipe systems are filled with water um

dry pipe systems are you know contain compressed gas dry pipe systems also have close sprinkler heads the

difference is the pipes are filled with compressed air not water the water is held back by a valve that remains closed

as long as there's enough air pressure in the pipe so this is used in areas a lot of times where

water might might freeze like like parking garages dailer systems are pretty similar to dry

pipe systems except the sprinkler heads are open and they're larger than dry pipe heads that's why you get a deluge a

large amount the pipes are empty at normal air pressure the water is held back by a deluge valve

but but the sprinkler heads are going to be larger which means they can they can disperse more water more quickly

but also remember you know just as oil and water don't mix water and electricity do not mix right so that's

always that's always an an easy answer when you're thinking about those classes of fire you know

elec electrical in particular you know we know we're not going to use anything that conducts electricity which would

include water uh gas discharge so gas disc discharge systems tend to be more effective

than water systems but they shouldn't be used in environments where people are located

because gas discharge systems work by removing oxygen from the air so so gas discharge and people don't mix

okay uh halon is effective it's bad for the environment though it's ozone depleting

and and it turns to toxic gas at 900 fahrenheit note to self and suitable replacements um

a number of suitable replacements here argon energen arrow k so so there's a list here um

do your best to memorize this this this is down in the nooks and crannies i'm not sure how

uh how detailed a question would ever get to to get down to these levels but know that the halon is effective as a

gas system but it's bad for the environment so other gases would be suitable replacements

for that reason so lock types you've got electronic combination locks which would like a cipher lock that's something you

know key card systems which would be something you have the key card in your

hand right biometric system something you are like a retina scan a fingerprint scanner

uh conventional locks you know where we use a key so those are easily picked or bumped and keys can be duplicated right

conventional locks are going to be the least secure of the lot often pick and bump

resistant locks are expensive but they make it harder to pick and keys aren't as easily

duplicated so if you're going to go with conventional locks the the pick and bump resistant locks

are are better so for the exam now remember that locks can be picked and which need to be bumped remember how

lights and fences need how high lights and fences need to be right so we said lights eight feet

to uh candle power two and fences need to be eight feet to deter

serious intruders right know the difference the different physical controls related

to entry and i want to just mention a couple here so this is a man trap in case you've never seen it somebody

mentioned out in one of the the public forums that they got a question on on not a man trap but i wanted to show you

that in case you don't know what a man trap is you see basically the door opens one person can go in and then when

they're cleared the door on the other side opens and then a bollard bollards are these poles you'll see

these in front of office buildings these they show up in front of even grocery stores

and prevent somebody from driving into a facility that's what a baller does so just in case you've never seen them

now you've seen them so site selection and facility design so know the key elements in site selection and facility

design so for for site selection visibility is important uh composition of the surrounding area how accessible

is the area and what are the effects of natural disaster so in terms of visibility can i see threats coming

right um are there are there

elements in the surrounding area that could hurt me do i am i building a building next to a cliff where rocks

could fall um if i have a natural disaster you know am i am i building you know near the

edge of a riverbank and an earthquake you know causes our building to fall into the water we need to think about

all those those elements in in site selection and for facility design we need to think about the level of

security that our organization requires and planning for that before we begin

construction because we have to deal with a variety of factors when it comes to physical security right we have to

have controls for entry we can think about those things like ballers to prevent people from driving into a

facility if if driving into a facility would be a desirable way to to

breach our our site um know how to design and configure secure

work areas so there shouldn't be equal access to all locations within a facility which you probably know so

areas with the high value assets require restricted access and your

valuable assets your confidential assets they should be located at the heart or or the center of protection provided by

the facility there should be layers of of you know access controls and preventative measures in place so so

send and centralize server or computer rooms don't necessarily need to be human compatible because they're they're meant

to house server or computer rooms which means they're their temperatures are going to be optimized for computers the

the materials are going to be optimized for computers there's a certain level of human safety because people have to go

in there at some some level right but the fire suppression for example is going to be optimized to putting out uh

electrical fires not not fires that happen in a kitchen right uh and and a lot of times those those

you know fire fire suppression systems in a computer room assume that the doors are locked or will even kick off a

procedure that automatically locks the door so when the system goes off people are not present

and and you know put in harm's way threats to physical access control so no matter which physical access control is

used a security guard or a monitoring system needs to be deployed to prevent abuses of the controls like propping

open secure doors and and bypassing locks uh masquerading using somebody else's security id to gain an entry to a

facility see this all the time with uh with folks that have vendors on site for the day they'll just lend their card to

a vendor that wants to go uh for a smoke break or something you know then potentially giving them access

to a server room so you have to watch that sort of thing and then piggybacking which is following someone through a

secured gator doorway without being identified or authorized so somebody else swipes a badge for example opens

the door and then the the person piggybacking just catches the door behind them before it closes right so so

no masquerading and piggybacking as well securing a wiring closet so no security concerns

of a wiring closet you know first and foremost preventing physical unauthorized access is going to be first

and foremost right because i can go in there and i can pull cables and cause disruptions i can potentially put a tap

in place so i can eavesdrop on your uh your communications lot lots of negative there but with with

the wiring closet secure physical security first and foremost everything else is going to be secondary because

once i'm in the closet there's little you can do right

uh understand how to handle visitors in a secure facility so so if a facility employs restricted areas to control

physical security there needs to be a mechanism to handle visitors so so maybe an escort is assigned to visitors and

their activities are monitored they have to they have to have somebody accompanying them you may have a badge

on them that says your visitor requires escort uh tracking actions of outsiders when

they're granted access to prevent malicious activity is is going to be key for most protected

assets there needs to be you know deterrence and and uh

you know some some sort of denial and certainly an audit trail of one sort or another

understand needs for media storage as well this could well come up on the exam and this feels less relevant you know in

in 2021 but uh you know media storage facilities folks still do use tape out there it's

not not unheard of and we do have you know all sorts of storage devices so media storage facilities have to be

designed to securely store you know blank reusable and installation media so concerns are going to include theft

corruption uh data remnant recovery so when we erase something it's not fully erased

uh so so for example like with a hard drive i said that you know just deleting data still leaves it there recoverable

by forensic means so we can we can kick off an overwrite that right overwrites the drive with ones or zeros we can use

a degaussing tool to to send a charge through and wipe a

device uh your media facility protections should include locked cabinets or safes

a librarian or a custodian that is a gate and access gate to those two said cabinets or safes

implementing a check-in or check out process which could be facilitated or

administered by a librarian or custodian for sure and using media sanitation

lots of media sanitation we have techniques out there one of the one of the simplest is shredding right we have

confidential paper documents we shred you know i mentioned degaussing that's not going to be effective for a lot of

the modern uh storage devices but uh

check check the uh the cissp official study guide try to try to

memorize some of the media sanitation i really don't think that's going to be front and center according to the skills

measured but but worth having a look at as your time allows

and let's talk about evidence storage so so when we think about evidence we need to

retrain logs drive images snapshots data sets for for internal investigations or potentially

uh you know external forensic investigations with law enforcement so protections for evidence storage include

locked cabinets or safes dedicated isolated storage facilities offline storage access restrictions and

activity tracking and hash management and encryption at the end of the day chain of custody

is important for evidence when it comes to legal proceedings we'll touch on this in a later domain

but but when it comes to evidence yeah we're trying to to at the end of the day protect that

uh chain of custody because the integrity of that evidence would be of paramount

concern audit trails and access logs very useful tools for managing

physical access control because in part you know like like at a front desk right that if we use audit

trailing if we use an access log to sign folks in that that helps it's a good deterrent control when we think about

electronic uh audit trails for privileged operation so we may need to create access logs

manually like by a security guard they can be automated with the right equipment if you've got you know

smart cards for example that folks used to log in you can also monitor

entry points with with closed circuit tv that way we can compare the audit trail with the closed circuit tv to see if

what the the the sign in log says happened actually happened if the sign in log says one

person entered but but cctv footage shows two people entering then we have a

divergence in um the recorded event

um you know why are these important well at the end of the day it's critical to

reconstructing the events of an intrusion and a breach or an attack you know whether we're talking about

physical audit trails and access logs to physical entry and exit to a building or or

electronic logs you know related to to sign in and administrative activities

in a computing system so the need for clean power so power supplied by electric companies isn't

always consistent and clean meaning it's not always at the same level and coming without spikes and and drop so we

remember we talked about the six six impacts to electrical power so most of your equipment requires clean power

in order to function properly and to potentially avoid damage um a ups uninterruptible power supply is

a type of self-charging battery that can be used to supply consistent complete power

consistent clean power to sensitive equipment um in the event of power failure so so

number one if we have a problem with the consistency of our power and we have to drop back to battery while it's it's

repaired we can do that or if power drops altogether we can supply power for minutes or hours

depending on the size of our ups and when organizations build data centers they look at a ups that can run their

entire data center for a period of hours and then we look to generators to provide power for an extended period of

time during recovery and that's what i have for domain three next on our agenda is domain four

communication and network security so let's take a look at the exam outline for domain four it starts with 4.1

implement secure design principles in network architectures 4.2 secure network components and 4.3

implement secure communication channels according to design and

the content really belies the short outline here it's a fairly short list of objectives but quite a lot

of content around network network protocols and network security technologies here

so let's take a look at what's new in domain 4 in the 2021 release of the exam so 4.1 on the syllabus is assess and

implement secure design principles in network architectures so micro segmentation is is a topic here so this

includes software-defined networks virtual extensible lans software-defined wide area networks

sd-wans they're called wireless networks will come up now satellite was mentioned at least briefly

in the 2018 version of the exam i do want to touch on li-fi and zigbee uh that could come up on the new exam and

then cellular networks i want to talk about 5g in particular and security concerns around 5g in particular you

know how 5g uh relates back to legacy versions of cellular and then we'll touch on

content distribution networks or cdns so let's start with virtual extensible land or vxlan so so this is

network virtualization that enables network segmentation at high scale specifically what this does is helps us

solve a scale limitation in vlanding where we can only create 4096 vlans versus uh in

in vxlan we can create millions of vx lands it's and and this is really a tunneling protocol that encapsulates

an ethernet frame a layer two frame in a udp packet and layer two

can generally only be attacked from within uh you know max spoofing or flooding to cause denial of service such

as by a rogue host the attack vectors are actually explained

to some degree in rfc 7348 which is the rfc where the vxlan concept

is described let's shift gears and talk about software defined network so this is an

architecture approach that enables a network to be intelligently and centrally controlled or programmed

basically using software so it has the capacity to reprogram the data plane at any time

so so use cases where we see sdn come into play are our sd lan and sd-wan so this is really

separating the control plane from the data plane and it's going to open up a number of potential security challenges

so sdn vulnerabilities can include man-in-the-middle attacks

and denial of service attack so we secure an sdn with with tls so encryption

helps essentially sd-wan so one of the use cases for for

the sdn concept that's a software-defined wide area network this enables users and branch offices to

remotely connect to an enterprise's network but what it enables is the use of a variety of network services from

mpls to cellular to broadband to securely connect users to applications and security is largely based on

on ip security vpn tunnels next-gen firewalls and and micro segmentation

of of your application traffic but sd-wan uses a centralized control function for

intelligent routing and there's a concept called secure access service edge or sas to decentralize connectivity

where necessary li-fi so light fidelity so li-fi is is a form of wireless networking that

uses modulation of of light intensity to transmit data it uses led light essentially it can safely function

in areas that are otherwise susceptible to to electromagnetic interference and

theoretically li-fi can transmit at speeds of up to 100 gigabits or higher so li-fi only requires working led

lights that's a big advantage uh you know and and then you know the

reality is visible light uh you know can't penetrate opaque walls so we can think of that as a negative for

connectivity right because a wall is a barrier uh we might on the other hand think of that as positive in

certain security scenarios because it means you know

light doesn't penetrate opaque walls so if you're outside those walls you're not a threat right

you don't hear about li-fi much today so so i think it's still in development

is a fair statement and and you know we may see lifi come into more widespread use down the road there's certainly

some some scenarios where we're using light over traditional radio would would be a

big advantage so let's talk for a moment about zigbee which is a personal area network

so this is a short range wireless pan developed to support automation machine to machine communication and and remote

control and monitoring of iot devices it supports a centralized or distributed

security model and mesh topology it does assume that symmetric keys that are used with the devices are

transmitted securely that they're encrypted in transit

you know there's a pre-configuration of a new device in which a single key might be sent

unprotected which can create a brief vulnerability so where do people use zigbee zigbee is in widespread use in

iot smart home hub scenarios so an amazon echo for example alexa your personal assistants your amazon echo

devices are are zigbee

ready so we see zigbee and widespread use in in

the in smart home scenarios but you know that can carry over into commercial scenarios into business

scenarios as well for for iot uh device monitoring and control

another new concept for 2021 comes with the rise of fifth generation cellular so 5g so 5g brings faster speeds lower

latency no longer identifying each device through a sim card

now there are some air interface threats like session hijacking

that are dealt with in 5g now there are there's a standalone version of 5g in a non-standalone

version and the the standalone version of 5g will be more secure than the non-standalone because

the non-standalone version anchors the control signal signaling of the 5g network to the 4g core so you're relying

on a legacy technology there essentially so the diameter protocol which provides

authentication authorization and accounting in in 5g will potentially be a an attack target

and because 5g has to work alongside older tech 3g and 4g specifically old vulnerabilities could be targeted

and because of the scale of endpoint counts on 5g being exponentially greater distributed

denial of service can be a concern so some some carriers some cellular carriers launched

originally launched an nsa version of 5g which continues to rely on availability of that 4g core

so that problem will go away in time so we'll close out domain four by talking about content delivery network

so a content delivery network is a geographically distributed network of proxy servers and and the data centers

they live in the goal of a cdn is fast and highly available content

delivery basically distributes the content out so it's closer to the user cdn networks that serve up javascript

have been targeted to inject malicious content into pages for sure but vendor vendors in the cdn space typically offer

ddos protection and web app firewalls a couple of common examples of content delivery networks would be for for video

and audio streaming or for software download services where you need to move

a lot of content to a user quickly for a good user experience that's where a cdn can come in really

handy because it caches that content out where it's closer to

the end user now let's take a look at the rest of domain four

for the exam you will be expected to be very familiar with the osi model so there are seven

layers here going from physical up to the application layer at seven so the physical

is typically considered layer one application layer seven i have two memory devices here two acronyms you can

use to easily remember these layers if you struggle so if we look at going up we have please

do not throw sausage pizza away and you can actually go the other direction with all people seem to need

data processing i actually like this one better because it's also relevant to the topic at hand so that

tends to make a memory device better when it's when it's relevant but those are some acronyms you can use to lock

this in you'll also be expected to be familiar with the protocols and services that happen at each layer

so just in case you don't know what these layers are i'm going to give you two charts that you can use to prepare

your foundational knowledge for the exam so here's the osi model the seven layers starting with the physical layer up to

layer seven which is the application layer and here are some protocol examples this

will show you where the protocols live in the model and not every protocol is terribly simple for example tls shows

characteristics of layer four and five but but never mind that this is going to give you a foundation

and in case you're unfamiliar here's the osi model by function starting with the physical layer layer one so the physical

layer contains the device drivers that tell the protocol how to use the hardware for transmitting data

data link is where packet formation happens the protocol data unit at the data link layer is the

frame at the network layer we're adding routing and addressing information

source and destination addresses the protocol data unit at the network layer is the packet so if you hear

any discussion of packet they're talking about the network layer the transport layer manages integrity of

a connection and controlling the session so you'll have some protocols that will re-transmit lost

packets they'll use tcp others will not worry about session and re-transmission those will

typically use udp at the session layer layer 5 we're establishing maintaining and terminating

connection sessions between computers layer 6 is transforming data received from layer 7 from the application layer

into a format that any system any protocol following the model can understand

and layer 7 is about interfacing user applications services or the operating

system with the protocol stack so that's a quick study it'll give you something to look at if you're not already

familiar with the osi model all right and common tcp udp ports uh this could

well come up on the exam you want to be familiar with the common uh protocols and not only the port but

whether it's it's tcp or udp noticing that some of these have functions on both tcp and udp so so

session oriented and session less or connection oriented and connectionless

and you'll also be expected uh to be familiar with the the tcp stack versus the osi model so

understanding where tcpip falls in relation to the osi reference model

so here's here's an approximation of of where the tcp stack falls with osi you'll need to know this for the exam so

commit that one to memory and tcp versus udp this is layer 4 this is the transport layer

and we're going to just break these out you know so how is tcp different from udp so tcp first and foremost is

connection oriented where udp is connection less tcp

functions on a byte stream so so it's it's transmitting uh at at a byte level which allows it for for re-transmission

if there are problems or edp is message stream so it's it's happening at

a different level and you might ask well why is that important well there are some conversations where getting every

bite from from source to destination is very important and getting those bytes

properly ordered there are other situations such as video streaming where there's no point in trying to

re-transmit right with with video it's it's all about just streaming uh the current video as it's playing so

so each of these has its place so udp will support multicasting and broadcasting where tcp does not

tcp supports full duplex transmission and you may ask what is full duplex

exactly well it's simultaneously bi-directional so so both source and destination can can each transmit in

both directions simultaneously where with udp we don't have that that full duplex support and if you can think

about it in the context of like video streaming for example there's not not need for bi-directional right you're

streaming from source to destination all right so going down the list reliable service of data transmission so

so unreliable doesn't necessarily mean bad but reliable means that we have we have

air checking there right there is a connection oriented process that make sure that what's sent by the source is

received by the destination essentially a tcp packet is called the segment and the udp packet

is called a datagram so if you have a question that mentions a segment you'll always know they're talking about tcp

and if it's uh if a datagram is mentioned you always know they're talking about udp

then finally you know as i mentioned you know tcp provides error detection and flow control so so that that's part of

that connection oriented nature of tcp so it's all about it's all about function as to which makes the most

sense right so when we're thinking about real time streaming for example you know udp makes perfect sense uh versus tcp

because we don't have the need to ever re-transmit when it's all about live

content so cabling types and throughput not the most exciting topic uh i'll i'll grant you but could well come up on the

exam you want to be familiar with the the max length the cable type um which is which is going to be

unshielded twisted pair so but you want you want to be familiar with the cable types the cat5 through

cat6 are the most common generally speaking you could get questions outside that but

those are going to be the most common nowadays so so udp equals unshielded twisted pair

lock that in in the back of your mind here are the cabling types for 10 base 2 through

fiber optic some of these are definitely not entirely common but could well come up

on the exam so you want to make sure that you are familiar and let's talk through the standard

network topologies there's a core four they're going to test you on there's mesh there's ring there's bus

and star so let's talk about the nature of each of these and how you identify

so starting with the the star network this employs a centralized connection device it oftentimes it's just a hub or

a switch but central is the key word here it's centralized mesh means we have all systems

connecting to all other systems using multiple paths a partial meth

partial mesh could connect many systems to many other systems but not necessarily all

but a mesh provides redundant connections that's the real advantage here it allows for multiple segment

failures without affecting end-to-end connectivity so i could have two or three or four paths go down here and

still be able to connect between all of these systems using alternate paths so that's that's

the big value prop of of mesh ring network

connects to each system as a point on a circle the connection medium acts as a

unidirectional transmission loop meaning we're going one one direction but only one one system

can transmit data at a time so that's a key here only one system can transmit data which means we are avoiding

collisions because traffic management is performed by a token and only the system with the

token can transmit so uh token ring networks are ring based so so really since we're using that token this is

collision avoidance we'd call it and finally bus so this connects each system to a trunk

or a network backbone cable all the systems on the bus can transmit data simultaneously which means we can

have collisions so collisions will not be avoided here a

collision occurs any time two systems transmit data at the same time and the signals interfere with each other so we

have to have some sort of collision detection built into the process so ethernet happens to be a bus

uh let's talk about analog versus digital for just a moment so analog

is a continuous signal that varies in frequency amplitude phase voltage and so on um

it produces a wave shape where where digital are going to be zeros and ones analog is a a wave shape so so less

precise to be sure and you know in analog that communication can become corrupted

because of of attenuation over long distances so attenuation essentially means a

reduction in the amplitude of the signal you'll see that word attenuation i just wanted to call that out in case it's not

familiar to you and over long distances in the analog world you can expect uh reduction in signal over distance now

let's juxtapose that or compare that to digital where communications occur through uh an

electrical signal and a state change just on off pulses so think zeros and ones

it's going to be more reliable than analog over long distances because we don't have that attenuation problem

because we're dealing with zeros and ones it's off or it's on it uses current voltage where voltage

represents uh voltage on is one and voltage off is is zero but it's it's all about

uh electricity at that point and these these on off pulses create a stream of binary data

that eliminates that that attenuation problem over long distances so synchronous versus asynchronous so so

some communications are synchronized with some sort of clock or timing activity so so synchronous rely on on

timing or a clock mechanism based on either an independent clock or a time stamp that's embedded in the data stream

but there's some sort of timing mechanism as the key here and they're typically able to support very high

rates of data transfer a good example of this is networking asynchronous relies on a stop and start

delimiter bit to manage the transmission of data it's best suited for smaller amounts of

data a good example of this would be public switched telephone network pstn you know modems

so know that for the exam now let's talk base

band versus broadband so baseband can support only a single communication channel it uses

direct current to the cable the higher level represents the binary one the lower is the binary zero

so it's digital right so immediately when you see binary one and zero you know we're talking digital

okay good example here is ethernet is going to be baseband communication broadband can support

multiple simultaneous signals it uses frequency modulation to support numerous channels

and each supporting a distinct communication session it's suitable for high throughput rates especially when

you you multiplex this is a form of analog signal so base band is digital broadband is analog a

good example of uh broadband is a cable modem or isdn or dsl so so your internet connectivity providers that you'd see

from from home let's talk broadcast multicast and unicast which determine how many

destinations a single transmission can reach so broadcast supports communication to

all possible recipients and you'll see this in tcp communication a broadcast will go out to all possible recipients

you have multicast which can support communications to multiple specific recipients when i think of

multicast i think of honestly i think of of windows operating system deployments where you'll see multicast

to uh to deploy to uh to multiple computer endpoints at once so so multicast in the network world means

supporting communication to multiple but not all and then unicast would mean a single

communication to a specific recipient so unicast is one multicast as many

broadcast is all all right now we're going to talk carrier sense multiple access csma so so

these are technologies this is technology built into to networking to uh to determine how

network tech deals with collisions so it's really developed to decrease the chance of collisions when two or more

stations start sending their signals over over layer two over the data link layer uh basically it requires that each

station check the state of the medium so that's just carrier sense mult multiple access

it's going to require each station first check the state of the medium before sending and that'll reduce collisions

you have a couple of flavors of csma i'm going to call it csma just to to shorten this up but we're working at the data

link layer so lock that in so csma variations and collisions so so csma reduces the chance

csmaca is collision avoidance this attempts to avoid collisions by granting

uh only a single permission to communicate at any given time so when we talked about

ring networks and a token for example that's csma ca that's collision avoidance and then there is

csma cd which is collision detection so this responds to collisions by having each member of the collision domain wait

for a short but random period of time before starting over so ethernet has to detect and deal with

collisions where where token ring avoids collisions so remember these three as they could you

know definitely come up on the exam these are called out in uh the official study guide

so just to lay these out i want to lay out csma cd and ca so collision detection and collision avoidance

so detection is effective after a collision where uh ca collision avoidance is effective before a

collision so make make sure you're familiar with

these uh you know i use ethernet as an example of of collision detection and token ring as an

example of collision avoidance but uh you want to you'll definitely want to be sure of these and you'll notice there

that csma on line five that cd is used in the 802.3 standard where ca is used in the 802

11 standard all right let's talk token passing and polling so token passing

performs communications using a digital token and once the transmission is complete it re releases

the token to the next system that wants to communicate and polling

performs communications using a master slave configuration by the current description and the primary system pulls

each secondary in turn whether they have a need to transmit data so so token passing is

going to prevent collisions and ring networks polling is used by sdlc okay let me be crystal clear here so s d

l c does not mean software development life cycle this means synchronous data link control this is

actually a protocol it's a layer two protocol used by ibm systems network architecture so so sdlc is synchronous

data link control that's where polling happens so so don't confuse this with software development lifecycle

uh all right so moving on so let's talk the what why and how of network segmentation so a common network

segmentation strategy is an intranet where we have a private network designed to host information that might be

available via the internet but we're whittling this down to a specific audience

we have an extranet which is really kind of a hybrid of internet and extranet in that it's a network that's sectioned off

to act as an intranet for a private network but it also serves information to the public internet so we

really see commonly see this in b2b scenarios where maybe we have some business partners who need to access

this information externally so an extranet i typically see stood up as a way to collaborate with specific

business partners rather than just the internet as a whole per se and then we have uh what's

commonly referred to as a demilitarized zone it's an extranet for public consumption

sometimes called a dmz or a perimeter network we're going to use network segmentation

certainly to control traffic and isolate static or sensitive environments so this this can give us a few benefits it can

boost performance simply by removing access for for unnecessary

systems we can eliminate communication problems because we're providing a dedicated

environment a clear path a clear set of rules of the road for access

uh and authentication and then providing you know a layer of security certainly isolating traffic and user access is

going to raise the bar in terms of our our security profile so let's talk bluetooth so bluetooth is

defined in the ieee 80215 standard sometimes called a personal area network

often associated with wireless devices it's how we connect headsets to our cell phones mice and keyboards to our

computers and at a host of other devices all the way down to things like a raspberry pi

connections are set up using pairing where the primary device is going to scan

the the 2.4 gigahertz radio frequency for available devices often you'll see a four-digit pairing code provided which

which avoids accidental pairings it's not really considered security but it certainly prevents accidents

you may be tasked on your knowledge of mobile system attacks so the attacks that would come against your

mobile devices so so blue jacking for example is one version of that which is uh basically where more of an annoyance

than anything it's where a prankster pushes unsolicited messages to engage or annoy nearby users now blue snarfing on

the other hand is focused on data theft this is where thieves wirelessly

connect to some early bluetooth enabled mobile devices without the owner's knowledge

and then there's blue bugging which is an attack that grants hackers remote control

over the feature and functions of a bluetooth device so to differentiate these focus on for

blue jacking unsolicited messages for blue snarfing since it's data theft it's wirelessly connecting and then for blue

bugging it's it's remote control over the feature and function of a device so that's how you can

differentiate the three just to lock those in your memory so here's the table of wireless

technologies so these are your wireless standards and their connection speeds

so the 802.11 standard also defines wep so web stands for wired equivalent

privacy it was an early form of wireless network security don't really see it around much anymore

so ssid broadcast so wireless networks are traditionally going to announce their their ssid on a regular basis with

a beacon frame when the ssid is broadcast any device

with automatic detect and connect can can try to connect to that network hiding the ssid is is considered

security through obscurity so folks will certainly do it it's going to be detectable through client traffic i

could actually sniff traffic on the network and find the ssid in connected devices

or in the traffic of those connected devices ssid is the common reference if it's

spelled out just just so you have it available to you ssid stands for service set identifier

tkip so this is temporal key integrity protocol so this was designed as a replacement

for for wep without the need to replace the legacy

hardware it was implemented in 802.11 wireless networking under the name wpa which is wi-fi protected access so

that's kind of the second generation of wireless security and then there is ccm

p which is counter mode with cipher block chaining message authentication code

protocol say that three times fast uh so this was created to replace wep

and wpa so this was replacing the original you know gen 1 the wired equivalent

privacy and the wi-fi protected access it uses advanced encryption standard it's 128-bit key this is an active

supported encryption algorithm this is this is modern wireless security

so it was used with wpa2 which replaced both both wep and wpa so think wpa2 as your current sort of

standard around wireless security so wpa2 this is your new encryption scheme that's the counter mode with

cipher block chaining message authentication code protocol and it's based on the aes encryption

scheme so this is your current day modern wireless so let's talk uh fiber channel

and fiber channel over ethernet the fiber channel is is actually a form of network

data storage so this is this is accessing storage over your physical network

capable of very high speed file transfer so this uses fiber channel cabling to connect

the uh the storage typically to a fiber channel switch and then fiber channel over ethernet is

used to encapsulate fiber channel over ethernet network so a lot of times your fiber fiber channel is going to have a

dedicated network but you can actually run fiber channel over ethernet so just just understand these are

storage using a network medium and fiber channel over ethernet is going

to encapsulate fiber channel over your your ethernet networks iscsi

so iscsi is a network storage standard based on ip so this is typically running over your

your ethernet and that and that's really the difference between iscsi and and fiber

channel other than the physical medium right the fiber channel is is going to be very very high very high speed i mean

iscsi is going to be high speed by the fact that it's running over a network but iscsi is typically using

your uh your ethernet storage more commonly using your ethernet storage uh site survey so this is the process

of investigating your wireless reception if i'm going to put it in plain english so this is looking for the presence the

strength and the reach of your wireless access points in an environment you know the goal of a

survey is to basically uh identify if your service is adequate and and how it can be

strengthened it usually involves walking around with some sort of portable wireless device taking note

of signal strength in different locations on the site and basically mapping signal strength

typically marking the information on a plot or a schematic a floor plan of of the building

so now let's talk eat peep and leap so the first is extensible authentication protocol this is actually an

authentication framework more than a specific protocol and what it allows for is new authentication technologies to be

introduced that are compatible with existing wireless or point-to-point connection technology so this is

bringing new authentication capabilities to existing hardware now peep

the second in our list here is a protected version of of peep so it's protection protected extensible

authentication protocol peep it in encapsulates that extensible authentication protocol

within a tls tunnel typically so it provides authentication and and encryption essentially

and then leap the third is a cisco proprietary alternative that was actually developed

to replace wpa so wi-fi protected access and and that

that was created before the wpa2 standard was was ratified so

leap of cisco proprietary peep encapsulates eep

and extensible authentication protocol is your base authentication

framework that brought compatibility for existing device

the existing hardware with new authentication capabilities so let's talk mac filtering for a second so mac

filtering essentially uses a list of authorized wireless client interfaces by allowing us to list their mac

addresses their layer 2 addresses in a list usually within the devices and it's used

by a wireless access point to block non-authorized devices if they're not on the list they can't join the network

even if they have the ssid even if we're advertising the ssid and the device tries to auto connect

now captive portal in the wireless sense basically redirects wireless web clients to a

portal access control page so captive portals in this context is specifically talking about wireless you see this

frequently at hotels where you have a hoteling uh mechanism in place which is another story altogether but you'll see

that captive portal where the the wireless client is then redirected

to to a portal to log in with an account or you know agree to terms etc so let's talk about antenna types these

may come up on the exam and you have a few different types and i think the main thing is to understand

which are uh omnidirectional and which are are

more specifically directional so a loop antenna for example uh is omnidirectional if you lay it

horizontally because it's going to pick up signals from all directions now if it's vertical like you see in the

picture there then it's going to work in a specific space so so it could be laid either way

to to provide the the signal that you need but it's

omnidirectional you know from the edge of that wire but if you lay it if you lay it horizontally it's going to give

you um omni-directional support across

uh a surface monopole so this is an omnidirectional antenna that can send and receive signals in all directions

perpendicular to the line of the antenna itself then we have dipole which is essentially

uh you know two monopoles it's omnidirectional but it's it's two monopoles together so it can generate

powerful signal in a restricted space essentially a panel

antenna so this is a flat device that's going to focus from only one side of the panel so the the panel that faces away

from the pole here so you'll you'll typically see these mounted uh you know up against a wall a

lot of times because it's going to provide support in one direction but

the key with panel is to understand it focuses from one side a parabolic antenna is going to be very directional

it's used to focus signals from very long distances or weak sources you have to point a parabolic antenna

at the the the source you're trying to amplify essentially so or the destination you're trying to provide

service to so uh parabolic antennas are very directional and you know the dish

can can catch and receive signals but it's going to be very directional much like satellite

television you know a a satellite dish where television has to be focused has to be pointed in the direction of the

satellites for which it's receiving broadcast uh and then we have a yagi

uh which is which is basically these little um bars that are crafted from a straight

bar with with these cross sections to catch specific radio frequencies in the direct in the direction

of the main bar so that the crossbars are catching radio frequencies from the direction of

the main bar i don't expect you're going to see a lot of coverage here but i wanted to at least cover some of the

basics because they are called out in the official exam

study guide that they could show up and then finally there's the cantana which is

highly directional so this is this is going to focus signal along the direction of the open end of the tube

and if that looks like the popular potato chip can that you'll see in the u.s

that's because it's very much that shape in fact you'll find recipes out on the internet for making a cantana

from a pringles can is the the type of potato chip i'm talking about okay other network devices we have

firewalls uh which are essential in managing and controlling

network traffic at the perimeter right we use we use a firewall often times to filter inbound and outbound traffic at

our parameter blocking unauthorized or malicious traffic at the perimeter we have a switch

which repeats traffic only out of the port on which the destination is known to exist so

so unlike a hub which is going to transmit on all ports the switch is going to be port specific

based on layer 2 technology typically it's looking for that mac address sometimes

you'll find what's called a layer three switch which is kind of a hybrid device that performs that layer two

functionality of a switch but has some routing capability because routing is happening

at layer three but think of switches as being layer two unless it's called out as a layer three switch

routers are used to control uh flow on networks and are actually used to connect similar networks and

control traffic between the two it's how we separate collision domain we can separate collision domains and segment

traffic so we can separate subnets and then route between those subnets using a router so

a router is is happening it's operating on layer 3. with with ip then we have gateways which

connect networks that are using sometimes different network protocols these are sometimes called protocol

translators they can be standalone hardware or we can even see them as a software service so so an

example of that would be in in windows for a long time uh when when novell networking was still common

you could set up a gateway a protocol gateway on a server in software that would

basically connect a no a novell network to a tcp ip network um

so these gateways are typically working at layer 3 because they're they're handling

a routing capability of sorts connecting different protocols so they can communicate

repeaters concentrators amplifiers these are you know used to strengthen signals over a cable

segment or connect but they're connecting networks that use the same protocol these are typically

operating at layer one this is this is a physical the physical layer in the osi model and

and if you didn't pick up on that all the layers i'm calling out here layer one layer three

uh you know these are these are layer two these correspond to the osi model which is seven layers so make sure you

know osi right uh bridges these are used to connect two networks

uh they operate at layer two these are connecting network segments that use the same

same protocols top you know cabling types etc then you have hubs which were used to connect multiple computer

systems on honestly you'll see hubs used in in a home but seldom in a business anymore it's a

multi-port repeater so the signal gets broadcast everywhere unlike the switch remember the switch is going to send the

traffic only to the destination to the port on the switch where the the recipient is known

to exist your hubs are going to operate at layer one then we have lan extenders

which are a remote access multi-layer switch used to connect distant networks over

wan link so you're essentially connecting two lands creating a wan so wan connections and communication

links can include two there are two major types there's private circuit and there's packet switching so you may be

tasked to know the difference between the two and to know some examples of each on the exam

so private circuit use dedicated physical circuits

that's going to be good for security it's going to be more expensive though so private circuits would include

dedicated or lease line point-to-point uh slip isdn or dsl those last two you'll recognize uh from the world of of

internet connectivity and in you know home and business of all sorts but dedicated physical circuits is the

key with private circuit make sure you try to lock some of these examples in your mind and then the other option

is is packet switching which uses virtual circuits which are going to be efficient and they're going to be cost

effective because we're not using dedicated physical circuits which means our infrastructure costs are going to be

less a few examples of packet switching technologies would include x25 frame relay atm

sdlc which we mentioned a bit earlier synchronous data link control or hdlc

moving on to firewalls so we'll start with some broad types of firewalls so we have static packet filtering firewalls

that filter traffic by examining data from the message header rather than the payload these operate at layer 3 and up

on the osi model then we have the application level firewall that filters based on a service

a protocol or an application as you might guess this operates at layer 7 the application layer

of the osi model then we have circuit level firewalls that operate at the session layer layer

five and these are used to establish communication sessions between trusted partners often socks is an example of a

circuit level firewall so i wanted to call it out here sometimes we see that

stateful option simply called a stateful inspection firewall but just to juxtapose to the deep packet inspection

firewall which filters by looking at the payload contents so that's the difference

between a stateful firewall and deep packet inspection because we're moving from

the header into the payload so then there are stateless firewalls

these watch network traffic and they restrict or block based on

static values source and destination addresses and ports they're not aware of traffic patterns or

data flows or session information these are typically faster and perform better under heavier load frankly

because they're doing a bit less work they're examining less when they're not paying attention

to those session details or paying attention to packet contents or application values

there's a lot less to do and then there are stateful firewalls and these can watch traffic

streams from end to end they are aware of communication paths and they can implement

various ip security functions like tunnels and encryption they're better at identifying

unauthorized and forged communications and now let's get a bit more specific so i call these modern firewalls there's

the web application firewall often abbreviated the waff so this protects web applications by

filtering and monitoring http traffic or https traffic if we think about it between a web application and the

internet it typically protects against common attacks like cross-site scripting

cross-site request forgery and sql injection these are the o-wasp top 10 type attacks and some of these waf

options come pre-configured with owasp rule sets which makes them very easy to configure

then we have what we call next generation firewall sometimes abbreviated ngfw

this is a deep packet inspection firewall which tells us it's looking at packet contents it's looking at the

payload so it moves beyond port protocol inspection for blocking it adds application level inspection

intrusion prevention and brings intelligence typically from outside the firewall you'll see these next-gen

firewalls often leveraging threat intelligence feeds which feed it information in near real time often

about the potential threat actors out there on the internet or about

emerging threats so deep packet inspection just to touch on this again this is a firewall that

inspects and filters both based on header and payload that's the key i just want you to lock in your mind it can

detect protocol non-compliance spam viruses intrusions and then there's

the utm or unified threat management firewall this is a multi-function device it's composed of several security

features in addition to a firewall those features will vary by vendor and implementation they might include

intrusion detention or prevention a tls or ssl proxy web filtering quality of service bandwidth throttling nat

vpn antivirus because you have so many functions in there

that's not going to scale as well right because you're doing a lot of work so we for that reason we see this utm option

more commonly in small and medium businesses where they need that all-in-one device

then there's the nat or network address translation gateway so this allows private subnets to communicate with

other cloud services and the internet but it hides the internal network from internet users

the nat gateway has the network address control list for private subnets you'll typically see this used

for users browsing the internet we'll hide our users behind that nat gateway so

external entities don't have a path directly back to that end user by ip address

or anything else next we have the content or url filter which is going to look at the content on

the requested web page and block the request depending on filters so it's used to block inappropriate

content in the context of the situation so what is inappropriate in a school setting for example with students might

be somewhat different from what is inappropriate in a work environment with adults

but the content filter is associated with deep packet inspection and just to mention briefly you have

open source firewalls out there where the license is freely available and it allows access to the source code though

it might ask for an optional donation there's no vendor support with open source firewall so you might have to pay

a third party to support that in a production environment i don't know that you're going to see

this i wanted to call this out because just to make sure you're situationally aware

of the uh the consequences of open source and then proprietary firewalls are more

expensive but they tend to provide more and or better protection and more functionality and also support

at a cost and many vendors operate in this space including cisco checkpoint palo alto

barracuda but they don't offer you source code access it's proprietary right that's

their secret sauce that they're selling you it's a commercial firewall option

and then another angle to think about your firewalls from is hardware versus software so a hardware firewall is a

piece of purpose-built network hardware it may offer more configurable support for lan and lan connections it often has

superior throughput versus software because it is hardware designed for the speeds and connections common in an

enterprise network then we have the software-based firewall that you might install on your own

hardware like a server so this has the advantage of giving you the flexibility to place firewalls

anywhere you'd like in your organization you know that can be a server it can be a workstation anywhere you have a host

you can put a host-based firewall they're more vulnerable in some aspects due to attack vectors for example if i

have a software firewall on windows if i can compromise a host i can flip a switch in

the windows registry i can disable a service and potentially turn that firewall off which is something that

will be much more difficult to do on a purpose-built piece of hardware

and then let's talk about the difference between application host-based and virtual firewalls so

application based firewalls typically cater specifically to application level communications this is often http or web

traffic an example is that next generation firewall i mentioned

we have the host based firewall which is an application installed on the host os so that's a software firewall

and you'll see these for windows and linux both client and server operating systems typically

then there's the virtual service so in the cloud firewalls are often implemented as

virtual network appliances or a virtual service that's transparent in terms of the underlying infrastructure and these

are available both from the cloud service provider directly and often third-party partners so by csp

i mean microsoft amazon google and then third-party

partners like your ciscos and palo altos will often have their own flavor that they offer

for those cloud platforms now let's switch gears and talk about intrusion detection and prevention ids

and ips so intrusion detection systems analyze whole packets both header and payload looking for known events and

when a known event is detected a log message is going to be generated intrusion prevention or ips on the other

hand analyzes whole packets both header and payload looking for known events but when a known event is detected the

packet is rejected so ids reports and or optionally alerts maybe an email alert or an alert on a

dashboard ips takes action that's the key differentiator you want to remember for ids and ips so let's talk types of

ids systems you have behavior based which creates a baseline of activity to identify normal behavior and then

measure system performance against that baseline to detect abnormal behavior then we have knowledge based so

knowledge based ids uses signatures similar to the signature definitions you'd see in an anti-malware antivirus

system so the difference here is behavior based can detect previously unknown attack

methods where knowledge based are only effective against known attack methods so knowledge base are going to

be much less effective today they're at a significant disadvantage and both your host-based and

network-based intrusion detection systems can be knowledge-based behavior-based or a combination of both

of these so let's talk about the difference between host based and based so so what

you're seeing here is intrusion detection and intrusion prevention the same definitions we saw earlier

so what makes host-based ids and ips is that is it is installed in some form of software often

on a server and network based as you can probably guess is at the

network level often in hardware form it's a purpose-built appliance quite typically

i want to unpack a couple of aspects of network-based ids and ips so the modes of operation so there's in-line mode or

also known as in-band this is where we place that device on or near the firewall as an additional layer

of security so that function might be a switch we can flip on a hardware firewall or it might be

that we place that device you know in line near that firewall then there's passive mode or what we

call out-of-band and this is where the traffic does not go through the the network-based

intrusion appliance it basically uses sensors and collectors to forward alerts over

to that system and there are advantages to both systems but with those sensors and collectors

uh you'll typically see that those can be placed on a network and and they're detecting changes in

traffic patterns but one of the interesting scenarios there is you can place a sensor on the internet side of

the network it can scan all the traffic from the internet i'd be worried about running all of my internet traffic

through an inline configuration because that's going to need to be some pretty beefy hardware if it's doing heavy

scanning i want to try to limit what i'm doing and these sensors allow us to to place sensors wherever makes sense in

our network segments to look for

changes in normal traffic patterns so secure network design may come up on the exam and i want to dial you into a

few details that may help you better select the right answer on the cissp exam so we'll start with a bastion host

which is a computer appliance that's exposed on the internet it's been hardened

by removing unnecessary elements you know no no services programs protocols reports are are

running that don't need to be running right it's running the bare necessities we have a screened host which is a

firewall protected system logically positioned just inside a private network this is going to be the

most secure option so if you see bastion host versus screened host the screened host is going to be

the most secure option now a screen subnet is really similar to

a screen host in concept except the an entire subnet is placed between two routers or firewall and the bastion host

would be located within that subnet so it's kind of a hybrid thereof you should also be familiar with for the

exam a proxy server which functions on behalf of a client requesting a service and

it's going to mask the true origin of the request of the service typically so that proxy server proxies the request

and appears as the endpoint making the request a proxy server is commonly used for

internet browsing in an enterprise environment so if you're on a corporate computer browsing the internet

there is likely a proxy server there that's masking your request and a lot of times caching content to improve

performance so let's talk about a honeypot this is a term many you're familiar with i'm not sure everyone

understands the nuance of of the the purpose of a honeypot so certainly a honeypot is intended to lure bad people

into doing bad things so we can watch them but it's really intended only to entice

not to entrap uh you're not allowed to let them you know let the the attacker download items

with enticement we're just diverting their attention so for example allowing download of a fake payroll file that

would be entrapment why that's important is if you're entrapping someone when you bring law

enforcement into the situation you're going to be unlikely to get positive results because in trap you've

entrapped them you you've encouraged them to do this bad thing and enabled it by putting a

file out there they could download so so know the difference between enticing and entrapping and essentially it means

we're diverting their attention but we're not letting them download items that would lead them to that crime right

remember this difference though for the exam um the goal with a honey pot is to

distract from real assets and isolate in a padded cell essentially until you can track them down and figure out who that

malicious actor is and block their ip address on their firewall or whatever you know responsive action you're going

to take but but remember it it's distract not not in trap

there's a variation of the honey pot called a honey net which is an entire network set up for the same purpose

so common network attacks this may come up on the exam you're going to need to be familiar with with common network

attacks we'll start with teardrop which is a to denial of service attack that

involves sending fragmented packet to a targeted machine so fragmented packets is going to be

the key a fraggle attack is another denial of service that

involves sending a large amount of spoofed udp traffic to a router's broadcast address within a network it's

actually similar to another attack called a smurf attack which uses spoofed icmp traffic so so the teardrop is

fragmented packets fraggle attack is spoofed udp traffic

and the smurf attack is spoofed icmp traffic then finally we have the land attack which is a layer for denial of

service in which the the attacker sets the source and destination information in the tcp segment to be the same value

so vulnerable machine in this case is going to crash or freeze you know processing a packet repeatedly

because it has the same source and destination so what you'll notice about all these are all denial of service

attacks right continuing down this road we have a sin flood

in which an attacker sends a succession of sin requests that's that's the first step in the tcp handshake uh but it'll

send a send request to a target system in attempt to consume enough uh resources to make the system

unresponsive to legitimate traffic it keeps getting new uh connection requests and then the

handshake never completes and it eventually overwhelms the system then we have the ping of death which involves

sending an oversized ping packet so basically it goes over the

65 536 byte limit so notice those are all uh

denial of service text all five do know the tcp three-way handshake the process used in tcp ic

tcp to make a connection between a server and a client so basically it's three

steps it's the uh the syn synack ack but the common element you see with the

network attacks is there's a lot of playing around a lot of manipulation with packets and network protocols

and that's it for domain four next up is domain five identity and

access management let's take a look at the official exam outline and at the end we'll touch on

what's really new in domain 5 and the 2021 release of the exam the 5.1 is control physical and logical

access to assets 5.2 manage identification and authentication

of people devices and services 5.3 federate identity with a third party service so this is talking about the

federated identity model been around a long time implement and manage authorization

mechanisms so we're talking about authentication and authorization or off in and off z as you'll sometimes hear

them referred to not surprising giving the title of this domain 5.5 manage the identity and access

provisioning life cycle and finally implement authentication systems so in the 2021 release we see that 5.1

through 5.5 are almost word for word exactly as they were in the 2018 release a couple of minor language changes of no

real consequence the 5.6 was the net new objective at the top level but when we

unpack what's beneath 5.6 we see a lot of content that was here in the 2018 release open id connect and open

authorization security assertion markup language or saml

kerberos radius tacacs terminal access controller access

control system plus this was all here in the 2018 release but when we see a new sub domain and we

see existing topics under there the hint that gives us is there might be greater focus brought to these topics so we do

want to be aware of that make sure we're familiar with everything we see beneath i'm going to add certificate

authentication here as well it's not explicitly called out but based on what i see across the

domains it's going to be important that you understand certificate authentication

i'm going to touch on it here as though it's an explicit new topic i'll start by taking a look at some of these topics

that are either net new or potentially elevated in their focus in domain five so we have certificate based

authentication so digital certificates can be used as an authentication technique for users services or device

identities and certificates used in this process are very similar to those that you'd use

to secure websites their x.509 certificates they have both a public and private key and the

certificates are usually issued by a certification authority in a public key infrastructure now whether you're

issuing these certificates from your own pki or you're purchasing these from a third party

often comes down to whether or not these are going to be publicly facing because if you have a

website for example facing the internet you'll usually use a certificate from a trusted provider like a digicert

now for the exam make sure that when you watch domain three you take a look at the key exchange process described in

the asymmetric cryptography section understanding the basics of asymmetric symmetric and how they're used is going

to be fairly important we have what we call the aaa protocols they provide centralized authentication

authorization and accounting services we have a network access server which is a client to a radius server and the

radius server provides those authentication authorization and accounting services

so we have radius which uses udp and encrypts the password only this is very common in remote access systems we have

tacacs which uses tcp and encrypts the entire session very common in admin access to network devices we see this in

the cisco world and then diameter which is based on radius and improves

many of the weaknesses of radius but diameter is not compatible with radius we actually see diameter in the 4g world

but radius uses udp and encrypts password only tacx tcp and encrypts the entire

session and you have the use cases there in case something pops up but network access or

remote access systems use aaa protocol very commonly kerberos on the exam i felt a bit of

elevated focus so the primary purpose of kerberos is authentication as it allows users to prove their identity it's the

authentication protocol we see primarily in active directory in the microsoft world very common in the enterprise

on-prem in hybrid identity models it also provides a measure of confidentiality and integrity using

symmetric key encryption but these are not its primary purpose it doesn't include logging capability so it

doesn't provide accountability we'll talk about attacks and counter measures in other domains and and a bit

at the end of this domain but common kerberos attacks include replay pass the ticket golden ticket and

kerber roasting in terms of attacks if you hear or see pass the hash

on the exam that's referring to the ntlm protocol which is your legacy authentication protocol in the microsoft

world and then pass the ticket would refer to kerberos

so also important will be a couple of policies so there's need to know the principle ensures that subjects are

granted access to only what they need to know for their work tasks and job functions so subjects with clearance to

access is only granted if they actually need it to perform a

job the principle of least privilege ensures that subjects are granted only the

privileges they need to perform their work tasks and job functions this is sometimes lumped together with need to

know the only difference is that least privilege will also include rights to take action

on a system but only the rights that are necessary providing the least privilege required in order to

complete the job and then separation of duties and responsibilities ensures that sensitive

functions are split into tasks performed by two or more employees this helps prevent fraud and errors by creating a

system of checks and balances we'll touch on these in other domains and videos in this series but i wanted to

touch on them here as they're relevant in domain five but know these three principles for sure

for the exam then i saw in the content what they call modern approaches to least privilege or

more granular approaches to leach least privilege so we have just in time access which allows temporary elevation of

privilege usually time limited as it's needed revoking privilege at the end of the allowed

window so we see this in privileged identity management or privileged access

management it's sometimes called and it's sometimes implemented through ephemeral accounts or a broker

and remove access strategy so where i've seen this most commonly the user can request elevation it may go through an

approval process and then they are elevated for a limited period of time usually counted in single digit hours

that does it for what's new or elevated let's dive into domain five and we'll start by defining identification so this

is where a subject claims an identity typically by providing their username and then authentication is where the

subject proves their identity typically by providing credentials like a password or in the case of multi-factor

authentication providing a password and then something more depending on the system we're working with

authorization and accountability so authorization comes after authentication where a system will authorize access

based on that proven identity then accountability are the auditing logs and trails that record events

related to that identity that is performing action so it gives us that historical record so

authorization comes after authentication and accountability provides evidence should we need it later on

but identification plus authentication plus auditing equals accountability so we don't have accountability without

identification authentication and that auditing trail

so primary authentication factors we talked about multi-factor authentication in a previous domain it comes up here in

the form of primary authentication factors you should recognize these principles something you know

like a pin or a password something you have like a trusted device and then something you are like a

fingerprint or a retinal scan retina scan so multi-factor authentication

leverages those components which means we're providing two or more authentication factors

this is going to be more secure than a single authentication factor for sure now do remember that passwords are

considered the weakest form of authentication however password policies can help here

by enforcing complexity and history so we don't have weak passwords and we don't reuse passwords

smart cards are a good option which include typically a microprocessor and and a certificate

which would go back to the trusted authority from which it's issued so we could trace that back to a trusted

source and then tokens are sometimes used to create one-time passwords these come up in odds and end scenarios like

one-time guest scenarios or i've seen it in in cases where a user is in a location where they don't have you know

cellular access for example to to provide that second factor and then finally biometric methods which

identify users based on characteristics like a fingerprint or a retina scan now around biometric you're going to need to

know the crossover error rate how to calculate the crossover error rate and the implications of the

different air types so let's talk about biometrics this is authentication using an individual's physical characteristics

which are unique to each individual so there's a fingerprint scanner which are now very common and they're used not

only in multi-factor authentication but various travel financial and legal situations so you'll see these at at

some airports and even at some banks a retina scanner which works with your eye of course and with appropriate

lighting the retina of the eye can be accurately identified as the blood vessels of the retina absorb light more

readily than the surrounding tissue then there's the iris scanner that confirms the identity of the user by

scanning the iris of their eye both retina and iris scanners are physical

devices then there's voice recognition where the voice patterns of a person can be stored in a database and used for

authentication facial recognition which looks at the shape of the face and the

characteristics like mouth jaw cheek bone and nose now light and angle direction can be a factor here

especially in software microsoft's facial recognition solution called windows hello was

released in windows 10 and it uses a special usb infrared camera so it's a little better than some other facial

recognition programs that can have problems with light

you can look at veins so using blood vessels in the palm can be used as a biometric factor of

authentication and then there's gate analysis so that's g-a-i-t gate is the way an individual walks and

identification or authentication using gate is possible sometimes even with lower video resolution

so crossover air rate in the context of biometric so false acceptance occurs when an invalid subject is authenticated

someone who shouldn't have been this is sometimes called a false positive authentication

then a false rejection occurs when a valid subject is rejected this is sometimes called a false negative

authentication so false acceptance is also known as a type two error false rejection is a type one error so

false rejection is undesirable but false acceptance is generally considered worse for the exam remember far as the acronym

for false acceptance rate and fr as the acronym for false rejection rate and then there's the crossover error

rate this is in biometrics identifying users based on their characteristics and then identifying

the accuracy of the method the crossover error rate is where false rejection and false acceptance rates are

equal so to move the crossover error rate lower or higher you

can increase or decrease the sensitivity of the biometric device until you get to that happy medium

so let's talk single sign-on so this is a mechanism that allows our subjects to authenticate once

and then access multiple objects without authenticating again

so some common single sign-on standards out there include saml sesame kryptonite

oauth and open id in fact for the exam the three i think you should focus on are

saml oauth 2.0 and open id so oauth20 is the standard when it comes to oauth but you'll need to know the high-level

scenarios where each of these these more or less factor so going down that road security

assertion markup language or saml is an xml-based open standard

for exchanging authentication between parties in particular between an identity provider and a service provider

the most common place i see saml come up is in active directory federation services what i will say about saml is

this seems to be kind of on the way out i see some folks that have been using this for years i don't see a lot of

organizations adopting this sort of uh federation scenario very often

oauth20 is an open standard where we see authorization used by

authenticating that user using their microsoft google facebook twitter your social accounts without

exposing their password you use these every day i'm sure

and then open id is another open standard that provides decentralized authentication allowing users to log

into multiple unrelated websites one set of credentials using a third-party service that's called an

open id provider so just a couple of things here so so saml comes up a lot in federation

scenarios like i mentioned active directory federation services is where i have seen it most commonly

uh oauth2o was developed by the internet engineering task force and updated through

rfc which is the same process used for maintaining internet protocols like tcp ip for example

so let's talk about access control models so like those authorization mechanisms access control

models are going to be very important for the exam for domain five so

discretionary access control so in this model every object has an owner

and the owner can grant or deny access to other objects at their discretion so the fact that the owner can grant or

deny access at their discretion is what makes it discretionary the ntfs file system that's very commonly used on

windows for many years gives us that sort of model

role based access control something we also see in the windows world quite uh typically

is where we use roles and groups you'll actually see this in many uh cloud platforms like microsoft azure for

example where they're using roles or groups so instead of assigning permissions directly to users user

accounts are placed into a role or or a group to to give them those privileges and

basically that allows the system to scale more effectively typically map to job roles so so the the

roles of the groups that i'm added to are going to depend on my job roles and in many large organizations they'll have

template user accounts where the template account is already a member of the right roles and groups and they will

simply clone that as they bring new users in or make a copy of it and then there's rule-based access

control where you have the key principle here is global rules apply

to all subjects and within this model these rules are

sometimes called restrictions or filters you'll commonly see this in the world of firewalls where you have a firewall that

uses rules that allow or block traffic to all users equally continuing on we have

attribute based access control which really focuses on rules that can include multiple attributes it's going to be

more flexible than the rule-based access control model we were just talking about this is oftentimes used by

software-defined networks and then there is mandatory access

control which relies on the use of labels applied to both subjects and objects

so for example if a user has a label of top secret then they can be granted access to a top secret

document but in that example both the subject and the object would have matching labels this is sometimes called

a lattice-based model and and it's called a lattice-based model based on the way it appears when it's

drawn out as a tree so if you see access control and lattice-based

mandatory access couldn't could well be your your answer i want to shift gears and talk about a

different type of security controls and i put these here because we just talked about access control so logically this

makes some sense in your memorization work and your study so let's talk security controls countermeasures and

safeguards which can be implemented in three broad categories administratively logically or technically it's sometimes

called or physically so those are your three categories then we have several types of

controls including preventative detective corrective deterrent compensative

directive and recovery controls the three primary control types are preventative detective

and corrective so i want to explain these and give you some examples of each and you'll be

expected to know these for the exam so you want to spend some time on this so we have the logical or technical it's

sometimes called these are the hardware or software mechanisms used to manage access

to resources and systems and to provide protection for those resources and systems so here

are a few examples so you see this is the technology encryption smart cards

passwords biometrics access control list remember we were just talking about access control

physical security control so these are focused on providing protection to the facility and real world objects

examples here would include guards fences motion detectors sealed windows

lights i had someone complain that well lights don't provide physical protection they actually do

when we have lights around the perimeter of a facility lights will

illuminate activity and that discourages would-be intruders administrative that third category these

are the policies and procedures defined by an organization's security policy to implement and enforce overall access

control focusing on two areas really personnel and business practices

examples here are exactly what you'd guess the policies and procedures hiring practices

background checks security training vacation history job rotation personnel controls we're dealing with

the policy and people aspects now when we look at the study guide they lay out these controls logically in this way so

we have our assets that we must protect so administrative controls those policies provide the

overriding foundation of our approach to security so they are the closest

layer in this case because they drive all aspects of our approach and then we have the logical

and technical so those are the technology protecting us against attacks and

exploits and then we have the physical so again we have policies we have the logical protecting against

attacks and exploits and then the physical that prevent physical attacks on facilities

and devices let's talk through the types of security controls i mentioned

so we have preventative which is deployed to stop unwanted or unauthorized activity from occurring so

examples here would include fences locks biometrics

man traps which are now more commonly called access control vestibules we have

detective controls which are deployed to discover unwanted or unauthorized activity these are often after the fact

controls rather than real time control so examples here would include security guards guard dogs

audit trails intrusion detection systems then we have corrective controls which

are deployed to restore systems to normal after an unwanted or unauthorized activity has occurred such as a security

incident examples here might include anti-virus alarms business continuity planning

security policies then we have compensating controls which are deployed to provide options to other

existing controls to aid in the enforcement and support of a security policy an example here would be

a disaster recovery plan that includes an alternate office location in the event

fire suppression fails and the building is damaged then we have directive controls which

are deployed to direct confine or control the actions of a subject to force or encourage compliance with

security policies so let's take a couple of simple examples here so security guards when we

have a security guard at the front desk it's going to direct or encourage

someone to comply with our policies if we have notification signs if we have escape route exit signs it's going to

direct someone's activity monitoring and supervision are going to direct or encourage

compliance with our policies recovery controls which are deployed to repair or restore resources functions

and capabilities after a violation of security policies so these are going to be more advanced

or complex capability to respond to access violations versus what we'd see with a corrective control so examples

here would include backups and restores fault tolerant drive systems server clustering and database shadowing so the

complexity factor is higher as you can see there and then finally we have the deterrent control which is deployed to

discourage the violation of security policies a deterrent control picks up where

prevention leaves off so locks fences security badges security guards

security cameras intrusion alarms so you'll notice here that many controls fit into multiple

categories and you'll see the same when you look at the official study guide i wanted to call out the descriptions here

in a summary fashion with some examples too to ensure you can commit what sometimes seem to be subtle differences

to memory for the exam now we're going to switch gears and talk about the elements of risk so risk is

the possibility of the likelihood that a threat can actually exploit a vulnerability and cause damage to assets

and we can assess risk quantitatively which means using formulas or we can do

it qualitatively which is using some some estimates based on our experience so asset valuation identifies the value

of the asset so asset valuation is focused on asset value and threat modeling identifies threats against

these assets vulnerability analysis identifies weaknesses

in an organization's valuable assets we're not worried about assets that don't really have value i don't care

much about the stack of printer paper over on the table i care about that e-commerce system that holds my customer

data right i'm going to run through some common access control attacks with you now but

before i do i want to call your attention to another video in the cissp exam cram series and that

is the dedicated attacks and countermeasures video which covers attacks and countermeasures across all

of the domains of the exam i absolutely recommend you give that a look before you

head in for the exam so you'll want to be familiar with access control attacks for the exam so

dictionary attacks are one example and they would use all dictionary words to attempt to find the correct password in

the hopes the user has used a standard word out of a dictionary and that's where we can use

uh password policies to help a brute force attack is a an attack that attempts to break a password by trying

all possible words and and really password complexity and attacker tools and compute power are going to determine

the efficacy of that kind of attack a spoofed logon screen so that implements a fake logon screen and when

a user attempts to log on the screen will send the username and password to

the hacker so so a spoofed logon screen could be when we have a compromise system and that that screen has been

faked or sometimes you'll see in phishing attacks where you get a fake you know gmail log on screen for example

and you're encouraged to change your gmail password so spoofed logon screens are

another threat uh sniffer attacks so in a sniffer attack uh the attacker uses a

packet capturing tool that's the key element here so they can capture analyze and read data that's sent over a network

looking for information they can use to you to work against us an attacker can easily read data that's sent over a

network and clear tech so encrypting data and transit going to stop this kind of attack

spoofing attacks this is this is where the the attackers print pretending to be something or someone else this is used

in many kinds of attacks including access control the attacker is often trying to obtain credentials like in the

the spoofed google logon screen that you know typically comes through a phishing attack many

spoofing attacks uh you know like email spoofing phone number spoofing ip spoofing a lot of phishing attacks are

going to focus on using spoofing methods

another type of access control attack is social engineering this is just any attempt by an attacker to convince

someone to provide information they wouldn't normally like a password or to perform an action they wouldn't

normally like clicking on a malicious link or it could even be uh telling somebody uh information about

vacation schedules or you know when somebody comes into the office normally because oftentimes social engineers are

trying to gain access to the i t infrastructure or the physical facility and so understanding

how people move around

the the organization can be really useful to them so the best defense for social engineering is security awareness

training you know just training users to not give away information to parties they

don't know and to not click on links that they aren't sure are legitimate phishing attacks so phishing attacks are

commonly used to trick users into giving up personal information via some sort of email a malicious link

or a malicious attachment lots of tools out there today to prevent phishing attacks and even tools to simulate

phishing attacks so you can educate your users in the real world from day to day so there

are some fishing variants we want to be familiar with so spear phishing targets specific groups of users you know there

there are basic phishing attacks that aren't very clever where you know every user in your organization gets you know

blanketed with a hey your your gmail password has been compromised you need to click here and change your password

quickly we actually had a government entity a campaign a political campaign that was uh was

hacked through that sort of general fishing attempt but a spearfishing attempt is going to be a little more

nuanced in that the attacker has done some some advanced investigation of your

organization and they're targeting specific groups with a more specific type type of attack that seems relevant

to their job a variant of this is whaling which is a targeted attack on your high level

executives or other high value targets whale whaling is going after that that high value targets and then vishing uses

voice to carry out the exploits so phishing is really the number one cyber attack in

the world today this is a really common uh way in the door to then uh compromise your organization in other

ways so you want to know these three variants for the exam for sure i expect you'll see something on fishing come up

then finally there's an access aggregation attack that's that's where the attacker combines or

aggregates non-sensitive information to learn sensitive information this is used often in reconnaissance attacks

let me give you an example of an internal access aggregate

aggregation of non-sensitive data so let's say we have a a shipping clerk that has access to

to order records but the organization restricts access to total sales volume but uh the shipping clerk

has access to the order record so they can pull all those individual records together and add them up to total to get

that that sensitive total sales volume that that's one example but it's combining non-sensitive information to

get to the sensitive information so know these common access control attacks and how to prevent them

so to prevent these types of attacks i've given you some of that information in line

and as we talked about them but but a couple of reminders here so password should be long complex and change so

that's where we used password policies to enforce complexity and history so we have to have a strong

password policy and then enforcing other measures like account lockout after you know x number of logon attempts and

for the spoofed logon screens the best prevention is to have secure endpoints where these fake screens can't be

implemented and in the case of of the external uh scenario where you're being sent to

like a spoofed you know gmail screen for example that's where we're using phishing protections to deal

with uh with that sort of exploit so other attacks there are a couple of

not specifically access control attacks i wanted to talk to you about but just to get these out here

because they're sort of fringe so tempest allows

electronic emanations that monitors produce to be read from in a distance this is going to be effective on crt

monitor so this is something of a legacy attack you know with modern with uh monitor displays you know

modern monitor displays shoulder surfing is going to be the way you deal with that

white noise which is broadcasting false traffic at all times to mask and hide the presence of real emanation so

that's sending kind of a distracting signal down the line essentially so i'm not sure you'll see these i want

to bring them up because they are definitely called out in the guide rf rfid

barcoding and inventory these represent the ability to prevent theft which reduces risk so you'll see rfid

barcoding and inventory in in the world of asset management and these are intended to prevent theft and reduce

risk so these are not going to be you know technical areas but think think of risk reduction

around asset theft when you see rfid barcoding and inventory and that's what i have for you in domain

five next on the agenda is domain 6 security assessment and testing

and the discussion of what's new in domain 6 is a fairly short discussion because there are no significant changes

in fact when we look at the top line syllabus for this exam it hasn't changed from the 2018 release of the cissp

syllabus domain 6 is a short domain but a pretty high bar in terms of what you're expected to know

so let's get into it by starting with a look at the exam outline from the official ise squared exam

outline so it starts with design and validate assessment test and audit strategy so the key word there being

design and validate strategy so you're expected to know how to develop a good assessment test and audit strategy

six two conduct security control testing so now we're actually talking about doing the work

collecting security process data in 63 and then analyzing the output and generating a report so even though this

is a short domain by the numbers there's a pretty high bar in that you're expected to have some

knowledge end to end in the assessment and testing process and remember there's always one

fundamental truth you want to remember about the cissp exam and that is that sometimes

situations require an expert and so does the cissp assume that you're an expert penetration tester no it does not

so remember we're thinking like a manager here that may come up

and and sometimes call an expert is a valid answer so just park that in the back of your head so let's talk security

assessment and testing so assessment and testing programs in the security world provide a mechanism for validating the

ongoing effectiveness of security controls and ongoing effectiveness is a good point there because your testing

programs are going to have to come back periodically and validate that your controls are still effective it's not a

one-time situation you know i function in a fractional chief information security officer for

organizations and we have some tests that are conducted quarterly you know so so it's an ongoing process

vulnerability assessments penetration tests software testing audits

security management tasks so we're going to touch on all of these in this domain and the most important thing is that

every organization should have a security assessment and testing program defined and operational so if you get to

one of those choose the best answer questions that's the bottom line when it comes to

security and assessment testing is you need a program defined and operational so let's talk about vulnerability

assessments versus penetration tests vulnerability assessments use automated tools to search for known

vulnerabilities and and these tend to be less expensive than penetration tests generally

speaking the the flaws might include missing patches missing configurations faulty code uh

that expose the organization security to security risks and you'll find they'll they'll call out the automated tools

will call out the cve that's applicable to the uh the vulnerability

uh penetration tests use these same tools but they supplement this with attack techniques where an assessor

attempts to exploit vulnerabilities and gain access to a system so so vulnerability assessments will identify

some weak spots and then the penetration test goes a step further to to target what we call

targets of opportunity in some cases and so generally speaking when you get a quote for a penetration test you're

going to quote these two things together from from the company you're working with and and large organizations might

have their own penetration testers but they're still going to hire external companies external auditors to do you

know this sort of testing so some of the strategies that might be employed

war dialing which which is a bank of modem sniffing so monitoring the network uh eavesdropping dumpster diving which

is just like it sound i've never seen uh uh

a penetration test that involved dumpster diving you know the more the more people time that's involved the

more expensive it's going to be right if and these last two in particular if somebody's going to go dumpster diving

or or go through some social engineering exercises these are going to drive your price up because it requires a person

really doing some some homework and spending some time um

the whole idea of of this you know is the is that you know human interaction is involved and just

know that that's going to increase the cost that bank of modem strategy i expect is

legacy it's called out in the official uh guide to just park that in the back of your mind that it might come up as

a valid strategy and certainly it is it just feels a little less relevant in 2021 doesn't it

some key areas of security process so employment policies and practices so we know on the front end we have background

checks as we're onboarding employees on the back end at separation we have a termination process which would include

making sure that we de-provision any access this employee has to the organization's data this is going to be

an important part of the identity management lifecycle which we talked about back in domain five

so roles and responsibilities remember that management sets the standard and verbalizes the policy

and around security awareness training so security awareness training is really important in in preventing social

engineering it certainly helps with phishing attacks i see in the real world that uh quarterly security awareness

training takes our fishing numbers way way down because people become hyper aware

of the most common attacks but if we look at this in order we we write the policies

we communicate the policies and then we train on the policies right so it's it's a a process within a a

process sort of encompassing these these processes so software testing so software testing comes in many forms but

it's used to validate our code uh that's moving into production and really before

production so software testing at its basis just verifies that code functions as designed

and does not contain security flaws code review

typically uses a peer review process to formally or informally validate code so it's

quite normal that you'll have senior developers looking over the code from junior developers or or

folks cross discipline validating code there's really no hierarchy here but but you always need that second set of eyes

just to ensure that we're following good practices and

uh as a team uh going down the same this the same approach and and certainly there are

automated tools out there you can use to scan your source code that will flag bad practices but but a peer review process

is is part of the uh the software testing world as well so interface testing focuses on

interactions between components and users with api testing and physical interface testing so

this is really about how you know maybe an interface interacts with a database for example or an

interface interacts with an api and you can automate some of this testing a

lot of times this will be some of that user experience testing where a skilled software tester

goes through a plan validates the experience flags any any variants from the expected result

static versus dynamic software testing you'll want to know the difference between these two

for the exam so static software testing includes things like code reviews that we just talked

about evaluating the security of the software the key here is evaluating the security of the software without running

it by analyzing source code or the compiled application

and then there's dynamic software testing where we evaluate the security of the

software in a runtime environment this is often the only option for organizations

that are deploying applications written by someone else but i do want to point out that dynamic software testing

does not mandate that it's written by somewhere else there is a lot of value in running software in a runtime

environment to ensure that it functions as design that it's fun that it can scale uh that it is secure because in a

runtime environment we can perform all of the evaluation and scanning to ensure that those components come together for

a successful result before we go to

production but when it comes to static software if we boil it down to the most basic element static software testing

involves evaluation without running it dynamic testing involves

running it we go to a runtime environment all right fuzzing may come up on the

exam this is a testing technique so it uses modified inputs to test software under unexpected

circumstances so changing the input around to see how the application

uh responds to unexpected inputs uh you know this this sort of testing can uh can flush out things like uh

you know sql injection attacks for example uh or or sql injection vulnerabilities i

should say in your your code fuzzing also involves modifying known inputs

that may trigger unexpected behavior this is the part where you're

asking yourself what in the heck is a synthetic input well so it modifies a known input

which would be real world data to generate a synthetic input so not real world data but that resembles the real

thing this is this is how you can create larger data sets but modifies known inputs to create synthetic inputs

basically more examples that may potentially trigger unexpected behavior if i test

an interface for example with five different options

i might not find a problem but if i test that same interface with 5000 options i might find a problem right so variety

is good and synthetic inputs give us that capability uh generating

generational fuzzing is another type of fuzzing so this develops inputs based on

models of unexpected inputs to perform the same task

security management oversight so so proper oversight of your information security program

obviously important questions around oversight may come up on the exam so log

reviews particularly for administrator for privileged activities to ensure that

systems are not misused periodically we'll also have account management reviews to ensure that

only authorized users retain access to information systems in fact in recent years there are tools out there that

will kick off access reviews in the in the cloud multiple providers have what we call a

privileged identity management system that will kick off an access review where the user or user's manager

reviews their access and verifies that it's still necessary

necessary or says hey i don't need this anymore and the access is re removed backup verification so ensuring that

the data protection process is actually functioning properly this is the most important

thing if you get a question around uh the backup or or recovery program

and and asking you know what's the most important element the most important element when it comes

to backups and dr is that the process actually works full stop all right key performance and risk

indicator so providing a high level review of the security program effectiveness so

looking at key performance and risk indicators will surface a need for evolution of our

process you know security controls don't function at the same level of uh effectiveness or efficacy

forever right they need to be evolved over time to deal with uh the the change in in threats and attack vectors

internal and external audits so you'll you'll need to deal expected to be familiar with conducting or

facilitating internal and third party audits so a security audit happens when a third party performs an assessment of

the security controls that are protecting an organization's information assets so so third party

that means external right and then internal audits are performed by an organization's internal staff and

they're intended for management use in fact we we perform internal audits to ensure that we're ready for third-party

audit so it's it's part of internal audits are part of that process to ensure

that our controls are effective but we can also perform an internal audit that reviews specifically the standards the

third party is going to bring to bear on our organization for example if we had an external audit coming to us for gdpr

we could look at the the kprs kpis around gdpr and make sure through an internal audit that we were

ready for the third party on it that way the third party audit is really just focused on those edge

cases that we missed just just helping us round out our strategy not you know feeding us basics and for the exam i

would suggest assuming that any audit mentioned is a third party audit unless otherwise specified if it doesn't say

internal audit i would assume that it's a third party and that's what i have for you in domain

six that brings us to domain seven security operations

so let's talk about what's in the official exam outline for domain 7 as well as what's new in the 2021 release

we know when we we take a look at what's new that can give us an idea of where we may see some additional focus

in this latest iteration of the cissp exam so 7.1 is understand and comply with

investigations 7.2 conduct logging and monitoring activities

then perform configuration management followed by apply foundational security operations concepts

7.5 apply resource protection then conduct incident management and in 7.7

operate and maintain detective and preventative measures so you see a lot of process driven content here because

this is after all security operations and we're about halfway home here so 7.8 implement and support patch and

vulnerability management if you've been in i.t for long this one may be one of the easier concepts to onboard

7.9 understand and participate in change management this may also be easy for some of us

implement recovery strategies followed by implementing disaster recovery processes

and then testing disaster recovery plans and

in 7.13 participating in business continuity planning and exercises

followed by implementing and managing physical security and finally

in 7.15 addressing personnel safety and security concerns after all human safety is our number one priority

so that one's important i expect physical security is going to be an area that many are a little less experienced

with so maybe a bit more learning and memorization work there and understanding the relationship between

business continuity and disaster recovery planning is important so i will talk about each of those and how they

are related in this chapter now i want to take a look at

what's new in 2021

so we saw that 7.4 was essentially removed which was securely provisioning resources and we saw quite a few

new technologies mentioned in these existing subdomains so some of the topics we saw pop up were threat feeds

user and entity behavior analytics next generation firewalls and web application firewalls as well as

the use of machine learning and artificial intelligence so i'm going to cover all of what's new

right now so we can just get the what's new out of the way and then we'll dive into the rest

of domain seven so we'll start with those firewalls and i did mention these two in domain four

because i wanted to include all of the firewall information in one place for ease of your learning but i'm going to

call them out here again simply because they were raised in domain seven so we have web application firewalls

often abbreviated as waff these protect web applications by filtering and monitoring http or more

likely https traffic between a web application and the internet they typically protect web applications

from attacks like cross-site scripting cross-site request forgery and sql injection just to name a few

some of these waf solutions will come pre-configured with

o-wasp rule sets to address the owasp top 10 threat lists and then we have the next generation

firewall often abbreviated ngfw which is a deep packet inspection firewall that moves beyond important

protocol inspection and blocking it adds application level inspection and additional functions like intrusion

prevention and brings intelligence from outside the firewall often in the form of threat feeds to feed real-time

information about potential threats into the firewalls logic then we have user and entity behavior

analytics which is where entity behavior is collected and it's input into a threat

model and a baseline of normal behavior is established for entities based on historical data and an entity may be a

user it may be a device and over time it establishes that baseline of normal which then enables

analysis to uncover more details around anomalous events around abnormal activity unusual activity you'll often

see an automated investigation feature in solutions that leverage user and entity behavior analytics and machine

learning and ai to allow investigation of anomalous behavior at

scale so security operations can keep up we then have threat intelligence threat feeds these are also called these are

activities that an organization undertakes to educate itself about the threat landscape in the form of a feed

containing malicious entities ingested by cyber security tools and a single feed may be comprised of

many sources including open source intelligence and entity in this case can mean ip website thread actor file hash

certificate it's going to vary by vendor but entity can mean many different elements to identify entities that are

malicious as well as entities that are definitely not malicious you'll also be expected to understand

the role of artificial intelligence and machine learning or ai and ml in security operations which really help to

analyze and improve our cyber security posture in an automated way so so this analysis is no longer a human scale

issue we see that in the form of an automated investigation feature often but ai-based tools have emerged from a

number of vendors that help us to reduce our breach risk and improve security posture by enabling investigation at

scale without the need for a person doing all that work but they can quickly analyze millions of events identify

potential incidents and dig into that data to surface those activities that are in fact actual

incidents that then humans can review and confirm and we see histories of behavior build

profiles on users assets networks allowing ai to detect and respond to deviations from those established norms

from that baseline of normal if you didn't watch domain 1 i did talk at a bit greater

depth about exactly what our artificial intelligence machine learning yuba which we just discussed

as well as deep learning so if you want to understand more about what these four are and how they're related go back to

domain one and watch that i covered it at the beginning for a reason because i think it's going to be important for

your learning throughout the the modules but know that ai and machine learning factor in anti-malware and security

information event management and intrusion detection and prevention and identity as a service and many other

services and that is to say that ai and machine learning are everywhere in security today

and those are the deltas for the 2021 release of the exam let's dig into the rest of our domain 7 content

all right so let's get right into it so we're going to start with some concepts so uh need to know and the principle of

least privilege which have come up in other domains in one respect or another two standard principles that are

implemented in any secure network and at the the root of it they limit access to data and systems so that users

and other subjects only have access to what they require they are preventative they prevent security incidents but

where they don't prevent they also can limit the scope of incidents when they occur when we have an account that's

breached if we've implemented uh security controls access controls the principle of least privilege what we

will do is limit the damage because without these principles the the damage can be

far greater when we don't prevent entirely so preventing fraud and

collusion so collusion is an agreement among multiple people to perform some sort of

unauthorized or illegal actions uh so a couple of ways to prevent fraud and collusion one would be separation of

duties this is where we just make sure that one person can't control all the elements of a critical function

so we have one person who maybe assigns those elevated permissions and we have another person who carries out those

activities but one person doesn't have that full capability end to end where they could

complete that entire end and critical process in a vacuum you know maybe going all the

way out to deleting critical information for example covering their tracks so separation of duties

very important job rotation so rotating employees into different jobs or tasks

so we don't have the same person in in the same role within a process for an extended period

of time this is actually a way you can flush out fraud along with

along with rotating vacation schedules etc because we can see patterns based on who's who's

on duty right but but implementing these policies helps prevent fraud

because it limits uh the actions individuals can perform without colluding with others if we

don't have one person with permission with with capability to go in to end in a process without

talking to anyone else uh we're going to reduce the likelihood it happens because then folks have to be uh working

together to some malicious end so monitoring privileged operations so privileged entities are trusted but we

know that but we know these people can abuse their privileges right it happens so it's important that we monitor

assignment of privileges and the use of privileged operations so we want to monitor who who has been assigned

privilege and we want to monitor when and where and how they are using it but the goal

here is to ensure that trusted employees don't abuse those special privileges that we're granting

them and the reality here is that monitoring these operations can also detect many attacks because attackers

are commonly going to use special privileges right if an account is breached for example if an identity is

compromised they're going to use the attacker will use that privilege to carry out their attack so if we

see that sally has global admin rights on a cloud platform

and she's performing actions right now that require privilege but sally's not on duty we know we have a problem right

we've surfaced we've we've flushed out an attack in progress because we were monitoring those

operations so the information life cycle so it all begins with creating information right so information can be

created by users so you know a user creates a file for example right but information can also be created by a

system like when a system logs access when we're when we're logging and monitoring

privileged operations for example so shortly after creation we want to make sure that data is classified right so if

you're in the financial services industry and you have a document that has

financial data in it or personally identifiable information we want that information classified as soon as

possible so we can properly secure it as it is stored right because if we don't have that classification in place

so our security controls are applied then we have a window of opportunity where

that data can be scooped up or leaked in some fashion because we haven't uh classified quickly enough and the

data should be protected with adequate adequate controls

based on that classification that's that's why it's so important to get your

classification in as soon as possible and when we think about usage usage in the context of the information life

cycle refers to anytime data is in use or in transit over a network for example

archiving data so sometimes we have to to archive data to comply with logs or regulations that require us to retain

the data and and there are regulatory requirements out there that

might require us to keep data for seven years or even longer in some cases so archival is one way we do that and then

when we get to the end of information and information's uh life cycle we need to destroy that data and when it's no

longer needed it should be destroyed in a way that it is not readable and a couple of things here we talked

about in an earlier domain that if we if we let data stick around longer than it's needed it can result in in legal

issues right uh but we want to also make sure that it is not readable or recoverable we talked about

previously in the series how just deleting a file from a hard drive for example doesn't mean that it can't be

recovered through forensic means so we want to make sure that when we're destroying data we are

destroying data so it is not readable or recoverable all right so service level agreements

will definitely come up when we're we're talking about uh when we're covering subjects like

disaster recovery and service level agreements stipulate performance expectations like maximum downtimes

or availability numbers you know the how many nines we're putting out there these are generally going to be used

with vendors now can a service level agreement exist between entities within an organization they can generally

speaking between departments or business units in an organization you will have what they

call olas or operational operations level uh type agreements so secure provisioning which came up in

the official exam outline so secure provisioning of resources ensures that resources are deployed in a secure

manner out of the box and they're maintained in a secure manner throughout their lifecycle so for example when we

think about uh secure provisioning we deploy a pc from a secure image we have a gold image

if it's a virtual machine we have a vm template if it's an application that runs in docker for example we'll have a

container image that's been properly scanned to ensure that it is

exactly as we we think it to be and doesn't contain any any malicious uh code or applications

uh virtual assets so so you know the world is is you know compute and network are

virtualized especially when we get to the cloud but virtual assets can include virtual machines they can include

virtual desktop infrastructure so vdi has gotten bigger over the years and and in

2020 it really this this industry really blew up even more with with work from home

increasing uh software-defined networks fall into the category of virtual assets uh virtual storage area networks

hypervisors are i think the number one thing we think of when we're talking about

uh virtual assets but both uh you know because the hypervisor gives us just

another target right if you can if you can compromise the host you can potentially compromise all of the

virtual assets that ride on that host the virtual networks the virtual machines etc so both your hypervisors

and your virtual machines have to be patched right to keep them up to date but you've

got compute network and storage there that are all virtualized in some respect

all right so continuing down this road of virtual assets

we can potentially have security issues around our cloud-based assets so storing data in the cloud

in theory increases the risk so we have to take steps there to make sure that we're protecting the data depending on

its value and and certainly if we're storing data in the cloud they're going to be

security recommendations from that cloud provider to make sure that that we're using the service the cloud service in

the way it's intended but what you'll also find in

cloud storage is shadow i.t can be a problem we find that our users are potentially using

uh cloud storage apps that we didn't intend so if you're a microsoft shop you're probably

using onedrive in sharepoint but you may find with a little looking that your employees are also using dropbox or box

and that's what a cloud access security broker or casby uh can really help you with is is flushing out uh unsanctioned

apps in your environment that potentially increase our risk further because

they're outside of our radar so we talked about the the casby uh a domain or two back

and when you're leasing cloud-based services you do want to know who is responsible for maintenance and security

because the cloud represents what we call a shared responsibility model i'm going to give you a clear diagram of

this in about 30 seconds so stick with me and it's the cloud service provider that really gives us uh the least amount

of maintenance and it gives us uh security in the the is model

so it gives us least amount of maintenance but it also gives us security not not least maintenance and

lease security it's it's least maintenance and good security in that is model but let's talk about

responsibility right so when you have a hypervisor and you're running virtual machines in your data

center it's yours right you're responsible from the wire up physical layer to application layer now when we

move into the cloud when we're looking at is or infrastructure as a service these are virtual machines you'll notice

that the cloud service provider the csp has some responsibility there right they're handling the infrastructure for

you they're handling the hypervisor the networking the storage the servers as we move into platform as a service

you'll see here that the csp is taking on even more responsibility now they're handling the the runtime the middleware

the os so so there are many cloud-based uh database platforms for example where you're you can deploy databases uh

potentially have your own database server but you're not responsible for a lot of that stack

right you're you're really focused on your data and your apps at that point and if we go all the way to sas

something like office 365 for example you are a consumer of a service so you are really truly just the

customer in that that case configuring the services you'd like

and all of the responsibility is on the csp but you see as we move across the model they're the responsibility of the

the csp the shared responsibility is shifted from your organization to uh that cloud

service provider so let's talk about configuration and change management so so these are

important on their own but they also factor when we're thinking about incidents and

outages because good configuration and change management can prevent incidents and outages because it improves they

improve our security and the consistency of our configuration so configuration management ensures that

all of our systems are configured in a similar fashion that those configurations are

known and they are documented in fact there's a practice called baselining that ensures

our systems are deployed with a common baseline starting point imaging is a common baselining method

and and really uh using policy-based configuration of your security is another way to establish consistency in

configuration when we use a policy that is automatically deploy applied as we deploy new resources we we have

confidence that our configuration is consistent uh throughout but that baselining

process uh you know start can can start with imaging it can move into to policy based

configuration and in configuration management this is a process where we also have to to have

uh you know some continuous scanning or periodic scanning to make sure that we don't have shift and drift in our

configuration that our configuration remains consistent uh that we don't have a gap in access

controls that have allowed people to manually change our configurations in a way that we're not

aware of or okay with and change management can go hand in hand with this because

change management will help reduce our outages or weakness weakened security from those authorized changes right when

we have a change management process in place

we're going to always make sure that those changes have been

you know documented discussed tested and they're they're authorized right so versioning uh

uses a labeling or a numbering system to track changes in updated versions of software uh these these can be really

helpful in the change management process because we know what version we're on if we have a change that rolls out and we

need to roll back we know exactly what version of the environment we're going back to but the key here is that this

this process requires changes to be requested approved tested

and documented right and this can also really work as a deterrent control because anyone

thinking about making unauthorized changes will be aware of your change management

policy and will know that they're breaking the rules if they go outside this this

process of request approval testing and documentation the exam may test your knowledge of the

patch management process or update management you may sometimes hear it called

which ensures that our systems are kept up to date with current security patches and the process generally involves

evaluating testing approving and then deploying those patches in larger companies you'll see the evaluation test

and approval process is fairly well structured and formalized in small to medium businesses oftentimes we'll see

this is less formal and in the the smallest businesses many times we'll see that windows for example is

simply allowed to automatically deploy those patches on its own and then of course after the fact we

need to verify the deployment of approved patches to these systems that's where your vulnerability scanner can

help and for major patch deployments patches that perhaps

involve new functionality for example will want to make sure this is intertwined with their change in

configuration management and in larger organizations you'll see the patch management process tied into change

management so the it organization knows when this is happening and it is a fact that orgs without patch

management will experience outages at some point from known issues that could have been prevented had they simply kept

their security patches up to date so just to visualize that patch management program as it was articulated there we

evaluate patches test the patches approve the patches deploy the patches and then verify the

patches are deployed now the verification we can do with a vulnerability scanner

certainly if you are using a third party or even a microsoft enterprise patch management system

generally there will be a report there that can help you verify but a vulnerability scanner

is an external source of truth that i think is worth employing on a recurring basis

like monthly for example i mentioned vulnerability management was going to come up there are three

concepts we want to talk about here so vulnerability management includes

routine vulnerability scans and periodic vulnerability assessments so so typically when you're getting

a penetration test any quote for a pen test is typically going to come with a vulnerability scan

as well because they'll use the output of the vulnerability scan to identify targets uh that they can then uh you

know go into us do some poking and prodding to see if they can breach in the the

penetration test and not to say that's the only time you can do that many organizations are the you know the most

secure organizations in my opinion are going to be performing their own vulnerability scans on a routine basis

which will flush out issues in other processes like patch management as i mentioned vulnerability scanners

are the you know the the technical component that can detect those security vulnerabilities and and weaknesses the

absence of patches or weak passwords and surface that back to us many companies out there uh that

produce vulnerability scanners uh you know tenable is a great scanner qualis is another vendor uh that comes up in

this space but many out there i'm not recommending either of those i'm just kind of calling out that you have a lot

of options out there in the space vulnerability assessments go beyond that technical scan that

technical scan is just a piece of software scanning a list of hosts or ip addresses

the the assessment extends beyond that scan and can include reviews and audits to detect vulnerabilities it uh

generally speaking will include a person then applying specialized knowledge to uh to take that

one step further the exam focuses on incident response in a seven step process you'll need to

memorize these steps in order here is the memory device i use to remember those steps

drm rrl the first letter of each of those steps

drum roll not spelled exactly right but it certainly sounds the same when you look

at it right so drum roll is how i commit those seven steps to to memory and if we break those out

so we have detection uh which might include our monitoring tools intrusion prevention firewall users

notification to management of the help desk we have response triage is it really an incident

you know here we have a decision to declare yes this is an incident uh mitigation so this is our our first

containment effort or step uh this is where we create our our our response team

reporting to relevant stakeholders customers vendors law enforcement recovery returning to normal operations

then in the remediation step we're addressing root cause and then lessons learned where we talk talk through what

happened this helps prevent recurrence and improves our incident response

process so the those seven steps if i just laid them

out here again i want to just call out some key details that you want to commit to memory for the exam okay so limiting

damage happens in the response phase that's where we initially respond to the incident

mitigation is where we contain that incident we contain the scope

reporting and recovery are management decisions incidentally so just park that in the back of your mind

and then remediation is where root cause analysis is addressed if you have questions that come up on the details

beyond the seven steps these are the four areas that i think you'll see questions on so you may just

want to commit these to mind you will be expected to know denial of

service attacks so denial of service attacks prevent a system from responding to legitimate

requests for service service it essentially uh chokes the resources of a system or in some way blocks it from

properly uh responding and and you often we hear about distributed denial of service attacks where we have

ho you know many hosts we have have bots out there zombies you know compromise systems around the world that are used

to to really provide a heavy um a heavy load in denying services so some common denial of service attacks

you have the the sin flood attack which disrupts the the tcp three-way handshake that's the key piece i want to give you

sort of a key aspect of each of these attacks so when you see them on the exam you can pick out the right one

another common dos attack is a smurf attack which employs an amplification network to send

many response packets to a victim and now you're asking what the heck is an amplification network uh it's

essentially a network of host computers that permits broadcast messages so you're generally speaking they're going

to be under control of the bad guy the bad actor that is

trying to perform that attack so the smurf attack is is actually uh one of a number of attacks that fall

into a category called amplification attacks uh the ping of death attack which is

characterized by the fact that it sends oversized ping packets to the victim causing causing a freeze crash or a

reboot in a system so you'll find that newer attacks

are sometimes even variations on older methods you know when security tooling and processes advance

sometimes they are able to stop those those legacy attacks cold and that's where the the other bad actors

will will improvise or evolve themselves and and tweak those attacks to create a new

variation that then again uh does the job for them so bot botnets controllers bot herders

uh your represent significant threats due to the sheer

number of computers that can launch attacks you know it's difficult for um many businesses certainly small and

medium businesses that are that are hosting their own services to deal with attacks at a certain level of scale

that's that's actually one of the uh the key one element of key value of a cloud

platform as your your major cloud providers out there are going to have some built-in protection for you against

some of these attacks at scales but uh at scale but a botnet is a collection of compromised computing devices there are

a lot of times they're called bots or you might hear them called zombies

the bot herder is simply a criminal who remotely controls those zombies they have what we call command and control

access so they're they're basically sending orders uh to to those those bots to the zombies

and they often use the the botnet to launch attacks on other systems this is where you know a distributed denial of

service attack would come come from or where they might send out you know spam or phishing emails

uh a honeypot now we talked about a honeypot in uh in a in a previous uh lesson i want to touch on this from a

slightly different perspective just to layer in some additional info for you here so a honeypot is is a system that

has pseudo flaws and it has fake data to lure intruders the key there is that it lures and distracts the attackers we

talked about uh the importance of not actually allowing somebody to uh entrapping

somebody to commit an act we're giving them fake data right we don't give them real data to to download to commit an

actual crime because that then hurts our chances in the legal process because we have

entrapped so we're luring and distracting and as long as the attackers are in the honeypot they're not in the

live network and our admins can observe right and and some some of your intrusion detection systems will

have the ability to transfer attackers into a a padded cell

after detection okay and here's another one of those what the heck moments here what

what the heck is a padded cell it's a hardened honey pot um

like honey pots padded cells are going to be well instrumented they're going to offer

unique opportunities for a would-be victim you know organization to monitor the

activities of an attacker but think of a padded cell as a hardened honey pot at its

simplest so blocking malicious code there are multiple approaches here

generally used together you know the best the best security strategy is what we call a layered defense sometimes

called defense in depth so there are many approaches to blocking malicious code a simple one using anti-malware

software anti-virus software sometimes called with up-to-date definitions installed on every system at the

boundary of a network and you'll have anti-malware sort of protection on your email servers

or in your email service if you're using something that's cloud-based and anti-malware software particularly on

your clients nowadays well in email too they they generally speaking have a fair bit of intelligence

there's some ai and machine learning that are helping to identify unique threats never before seen threats

identifying suspicious uh potentially malicious behavior you don't you don't see anti-malware software anymore that's

working on the old model of just definitions uh policy so enforcing basic security

principles like lease privilege for example preventing regular users from installing potentially malicious

software i'm a big fan of making sure that my users

are not running as local administrator on on their workstations for example as one example

and we'll use policy based enforcement for example to make sure that users can not only not install software but for

example they can't load chrome browser extensions that we don't authorize because there are hundreds of

chrome browser extensions out there that are that are compromised in that marketplace in some way or susceptible

at least education so educating users through security awareness training about the

risks and methods attackers commonly use to spread viruses so we're teaching them about phishing we're teaching them about

social engineering this is a great recurring activity a lot of organizations do this quarterly and it

doesn't have to be a lengthy session you know half an hour once a quarter can greatly improve

your uh your your organization scores on your fishing simulations so penetration tests

uh start by discovering vulnerabilities and then mimicking an attack to identify what

vulnerabilities can be exploited so i mentioned that vulnerability scans typically come

as a line item on on many penetration tests that's because the vulnerability scan reveals the weak

spots and then the the smart penetration tester can come in and do some research on those those

potential targets to see if they can be exploited penetration tests should not be done

without the express consent and knowledge of your management i i've seen an

organization that was actually impacted when an engineer got a call and during the day he was getting a

pitch from a salesperson about this great vulnerability scan that would reveal

weaknesses on their website and uh with that organization they found that they were

under what they thought was an attack and it was actually because this engineer said hey yeah give us a scan

and let us know and i'll take that to management you know thinking he might be the hero to sell some new software

and it actually caused an outage so you never authorize or or perform your own pen

test without notifying management and that's you know one of those things you want to know for

the the exam because it can result in damage so we want to make sure that we're working with with isolated systems

or if we're having pen tests you know performed on our production systems we do it

at a time of minimal activity we schedule that we inform users and customers so

if a system is unavailable it's not a surprise to anyone there are three varieties of penetration

tests you should be aware of and they are black box white box and gray box testing so with

black box testing the pen tester has zero zero knowledge essentially uh with white box testing i kind of call this an

open book test you sit down with your penetration test vendor you tell them all about your

environment and and you know maybe all the way down to you know the operating systems that are running on these

systems so they can really give it their best shot to get through your layered uh defense your your defense in depth

all your layers of security those protections you put in place and there's a middle ground there where you can

provide partial knowledge and and let them have at that too but when you know when an organization is

getting uh great scores on the black box testing that's when it's a good idea to move into gray box or white box testing

give that give the penetration tester an open book and let's you know let them do their

worst and see if they can find some weaknesses that we can firm up and and further

improve our security posture so let's talk about intrusion detection

versus intrusion prevention we've talked about intrusion detection systems and intrusion prevention systems previously

i want to go at it from a slightly different angle here so you'll be ready for anything that

hits you on the exam so an intrusion detection system can respond by passively logging

malicious behavior that it sees it can send notifications or it can actively change the environment

an intrusion prevention system is typically placed in line with the traffic it includes the ability to block

malicious traffic before it reaches the target so in that respect if you look at those two realities

the the ips is more proactive because it can it can block malicious traffic before it

reaches the target where the ids is letting us know that something potentially happened and then

potentially correcting that condition but it's more reactive right and and you'll find that there's there

are flavors of these so they're flavors of intrusion detection uh there's host based intrusion detection which can

monitor activity on a single system and the only one of the drawbacks here is that an attacker can discover that

you're running these and and disable them and some of your operating systems for example will have you have some sort

of native uh intrusion detection that's host base that you can turn on and if the attacker

sees what operating system you're running or they have you know a preset scan where they look

for the various uh you know intrusion detection systems out there they can potentially find it and disable it

that's where a network based uh ids comes in so network-based intrusion detection can monitor that

activity on the network and it's not as visible to attackers and and i like to run

both of these at the same time that is possible you do of course want to do some some

testing to make sure you're not doing any any negative damage because you're uh you're you want to make sure you're

detecting real malicious activity and not getting false positives from your

business applications right many environments i see running host-based and network-based

together in harmony for the exam you will also want to know the difference between espionage and sabotage

so espionage is a threat from an external source so when a competitor tries to steal

information for an example now they may use an internal employee to get the job done but it's an external threat

sabotage on the other hand is an insider threat so malicious insiders can perform sabotage against an

organization if they become disgruntled so you might that might manifest itself in the form of mass file deletion or

somebody shutting down a bunch of systems in the middle of the day we've seen in the news you know a handful of

you know cases of of uh you know fabulously horrible sabotage where somebody carries out a not so

clever uh malicious activity that results in damage to an organization and typically results in damage to the

disgruntled employee who tries to carry it out so zero day exploits so a zero day

exploit is an attack that uses a vulnerability that's either unknown to anyone uh but the attack or

or maybe only known to a limited group of people but for which there there is you know generally not yet a

patch because it's it's zero day it's just just being revealed to the world so

basic security practices can still often prevent zero day exploits

from from being fully utilized to you know compromise our organization

that's where a layered defense comes into play you know if we have a zero day exploit on

windows for example if we have a layered defense so our attack would be attacker can't get a foothold on that system

can't get an employee to download a phishing email they can't exploit that zero day exploit so so basic security

practices are often the the best defense against any any sort of zero day attack so i promised you log files was going to

come up in this domain and here we are so data is recorded in databases for

example in different types of log files and it's not just databases cloud services for example any any cloud

provider out there microsoft amazon google they're going to have

logging that logs for example authentication attempts going to have

logs around activities provisioning and de-provisioning activities the

applications you're running will have logs firewalls have logs proxy servers have logs windows and linux host have

logs those those are just a few of many you do want to make sure that you're

protecting your logs by centrally storing them somewhere

making sure you're using permissions to restrict access because we don't want that

that log to be modified in any way archived archived

logs if we centrally store and protect them we can ensure that they cannot be modified if we're

archiving logs over to to to some storage medium for example we would want to make sure that there is some sort of

read-only bit there to prevent modification that that storage is immutable

that the the record stands and may not be modified because certainly when we move into

into investigation mode and particularly where law enforcement is concerned and the legal process is concerned

the integrity of that that audit trail is going to be very

important so monitoring is a form of auditing that focuses on

active review of our log file data so this can be used to hold subjects accountable

for their actions and it's also used to monitor system performance but but certainly by monitoring our logs we can

we can find negative activity it's going to hold subjects accountable but if we're

looking at example for a looking at a sign in log so our authentication history we can find

uh not only subjects potentially doing things that we're not

uh that we've not authorized but you can potentially surface attacks from there right so if we have an identity that's

compromised if you see that an employee in in toledo is

is logging on from tunisia no offense to tunisia you know we know we have a problem right

and and tools like intrusion detection systems or or security information event management systems which is a

centralized uh solution can automate monitoring and do some real-time analysis around these

events so so we don't have to do a lot of manual investigation there systems out there that will do the heavy lifting

for us and surface that uh questionable activity even sometimes automatically creating an

incident for us and doing some scanning to help proactively find the scope and then we focus on uh moving the uh the

event forward from there so the value of audit trails i mentioned audit trails just a minute ago

so these are the records that are created uh by recording information about events

into into databases or log files so so if we look at a a server for example we're going to see

events recorded around authentication around access around any action we take on a an application or a file on that

system you know the same is true in the cloud we'll have what we call both data plane

and control plane logs up there that tell us about uh of

events at different levels you know provisioning events deprovisioning events and then actions uh down within

our resources we can use these audit trails to reconstruct an event to extract

information about an incident we can use this to prove uh culpability

in an event we can prove that somebody you know done it or or didn't do it right

and this is really a passive form of detective security control

but but audit trails are essential evidence in prosecution of criminals so we have

to make sure we have that we're collecting enough data so so when you're collecting

data you need to make sure you're collecting data at a a level of verbosity that gives you

an audit trail in fact windows is the easiest example i can give you here when you're when you're monitoring windows

many tools out there will ask you what level of monitoring you want to do and there's there's a level somewhere in the

middle sometimes called common and it's flagged as this is the minimum level you can you can authorize that gives you the

audit trail and if you drop below that then we have a problem right because we're missing

uh potentially events that would factor into this audit trail so when you when you pair back your logging

always have the audit trail in the back of your mind because when the chips are down when you have an incident when you

have a breach when there's criminal activity involved this audit trail is going to be

important sampling so let's talk about flavors of sampling so sampling is the process of

extracting elements from a large body of data to create a a meaningful representation or a summary

of the whole so there's a process called statistical sampling that

uses mathematical functions to extract meaningful information from a large volume of data so that's typically going

to give us a more accurate representation if it's done right than just a manual sampling

and then there's clipping which is is a non-statistical sampling that records

only events that exceed a specific threshold so there may be scenarios where

where we only care about events that are over a certain threshold that are only focused perhaps on on a certain level of

security clearance for example so so know the difference between sampling statistical sampling and

clipping there's your high level difference that i've highlighted for you and then maintaining accountability so

so accountability for our individual subjects um happens through through auditing

for example so a log records user activities and those users can be held accountable

for their logged actions so so we talked about subjects and objects when we talked about

security models a few domains back so remember the user is typically the subject so users and systems can access

objects which are those resources that we're we're concerned about this

you know account maintaining accountability directly promotes good user behavior

compliance with our security policy because it represents a deterrent control

and in effect because folks know that the organization is watching and

they are monitoring for compliance with the organization's security policy so security audits and reviews may come

up on the exam so security audits and reviews help ensure that management programs are both

effective and actually being followed they're commonly associated with account management practices to prevent

violations around lease privilege or need to know principles that we we covered earlier

but they can also be used to oversee many programs and processes like

patch management vulnerability management change management configuration management so having that

that audit process in place so we can go back and periodically check to make sure

that our our management programs are not only effective but they're actually being implemented as they are documented

you know common example we see folks get lazy with with change management or with uh

with incident management and somebody will you know slip a change in without

without proper documentation or you know a user for example calling somebody or chatting with a help

desk rep to get help on a problem without logging a ticket in in the help desk system as an

incident or a a service request frequency of audits so so

what is auditing i suppose it's probably good we start here so so auditing as a

methodology is a methodical examination of an environment to ensure compliance with our regulations to detect any

abnormalities unauthorized activities outright crimes anything outside the scope of our

security uh policy and it serves as a primary type of what we call a detective control

and the frequency of the audit is based on risk and the degree of risk affects how often that audit is

performed so the frequency is is how often it's performed and when risk is higher the frequency of

audit will be greater we will we will audit more frequently for those higher risk activities

involving uh our most valuable assets or processes that that relate to our most valuable assets

so secure it environments rely very heavily on auditing and regulations require we talked in a previous domain

about internal and external audits so so secure it environments will will carry

out their own internal audits frequently and that helps them prepare for those external audits they really have their

eyes on what is that external entity uh going to be auditing for and particularly for

organizations that are subject to specific types of compliance uh you know the stakes are very high in those

internal audits you know if you're uh if your organization uh is is beholden to say pci dss which relates to handling a

credit card data for example internal audits to make sure you're compliant will be exceedingly important

so auditing and do care so security audits and and effectiveness

reviews are key elements in in displaying what we call do care so without them

senior management would would likely be held accountable and liable for any asset losses that occur so so what does

do care well do care by definition means that our leadership are acting with common sense prudent

management and responsible action that they are not being negligent so in a supplemental session in the near

future i'm going to talk about how we can decipher questions on the exam to get to the

right answer more often and do care is an element we want to be able to recognize within

the questions when it comes to do care i i say quite simply actions speak louder than words

so we'll we'll touch on on deciphering that in questions in a future

session so let's talk about controlling access to audit reports so we carry out these audits they're going to be

documented in a report and audit reports often contain sensitive information they're going to

include the purpose of the audit the scope of the audit what what infrastructure applications

you know assets did we look at and what was discovered or revealed by this audit and this can include

uh your problems uh you know the standards were working under the the causes

of the deficiencies and our recommendations so this can be really revealing

to uh a malicious entity if this falls into the wrong hands the uh the stakes

and the and the potential damage can be great and really only people with sufficient

privilege should have access so for example um our senior security administrators

would have access to the full detail generally speaking because they're going to to have some response they have

expertise in the area and they're going to have some responsibility in remediating at that fine grain level of

detail potentially senior management on the other hand doesn't need all of the nitty gritty

detail right they need the high level summary where where are we as an organization they

need to to meet their requirement for due care so they need to understand how are we

doing as an organization in this area and if there's something to be remediated they can say hey we didn't do

well here make it so and that closes the loop with with management but controlling access to audit reports

something you'll need to be aware of for the exam so let's talk about access reviews

and user entitlements so an access review we've talked about this uh in we've talked about auditing

so an access review is something of an audit that ensures that object access and account management

practices support our security policy so this goes hand in hand with with user

entitlement audits uh which ensure that the principle of least privilege is followed and it often focuses on

privileged accounts in fact in in some of your your cloud platforms they'll have a a privileged identity feature

that will include an access review feature that you can schedule that can kick off and you know managers can can

then be asked to perform the review and check the box to just say yes we still ne these individuals all still need this

access some of these uh platforms will even include a self review capability where

an individual with with privileged access can

proactively say hey i know you know that project is over i no longer need that access and they can give that access

back or ask that it be removed so uh access review and and user entitlement kind of go hand in hand

in my mind but but understand access review and user entitlement

and you should be in good shape there so auditing your access controls is something that needs to happen regularly

really continuously in my opinion you want to be watching your your logon success and failure events this will

surface attacks you know in the event of of you know mass

uh logon failures you can find those malicious entities that are out there trying to to breach

uh to compromise identities uh log on successes can reveal anomalous logon events logons that are happening in

strange circumstances from unknown devices unknown previously unseen locations for example

we can we can look for uh anomalous

resource or object access if we're thinking about subjects and objects as we talked about in in the security model

the the resource the object access could be

something that's spotted for example we see a mass file upload data exfiltration that's

going to set off an alarm bell right intrusion detection systems and really a lot of some of the modern security

suites out there the security stacks that come from some of the big players can monitor these logs and and feed data

into a central system that that has you know context of the different activities happening at

your perimeter in email on your endpoints and identify those attacks and and notify administrators and those

those suites uh you know those platforms are often automated auto reporting they're

supported by ai they simply require you to buy the right licenses and toggle the right switches to turn the features on

deploy the agents etc but but in in modern times there's a lot of of intelligence and machine learning and ai

even behind uh some of that detection and notification so let's talk about

computer crime now when when crime and laws come up on the cissp exam they're largely going to be in the context of

the united states though the big exception being gdpr um

so so some of my my comments around crime are really in the context of the the u.s system so a crime

or a violation of a law or regulation is is something directed against or that

directly involves a computer that is a computer crime so simple enough uh computer crimes are classified as one of

the following six types so we have military and

intelligence attacks business attacks financial attacks terrorist attacks

grudge attacks and thrill attacks these are almost entirely self-explanatory

when you when you read them here right um there's a bit of a bit of additional

reading here in the official study guide if you want to dig down um you know there's six degrees of kevin

bacon and there are six categories of computer crime if you don't know what i'm talking about with six degrees of

kevin bacon when you have nothing else to do go look that up and you're certainly never going to forget

at this point that i've tied these two things together and there are six types six categories of computer

crime that you need to be familiar with e-discovery or electronic discovery so organizations that are expecting a

lawsuit have a duty to preserve digital evidence and a process that's called

e-discovery so that process would include activities like information identification and governance

preservation and collection of relevant data processing uh review and analysis of

that data many times the the collection process is search driven or maybe it's tied to a specific subject

you know the the subject remember being a user or a system uh when we get to process review and analysis even more

often times human analysis and then uh production and presentation of that that evidence you have an organization

is hit with a lawsuit they will be asked to produce evidence that meets certain criteria

and they would carry out these activities uh identifying the information preserving it collecting it

reviewing it to make sure they have all the relevant data uh that meet the uh the legal request that typically comes

from the court and then producing that information and a lot of times this involves

the use of tagging classification target

specific custodians so the custodian of data would be the the person responsible for that data sometimes the person who

who created that data generally speaking gathering information

for investigation so so together sufficient information from equipment software and and data from from

equipment that requires a couple of things it requires possession so we have to have possession of the equipment the

software the data so we can analyze it to use it as evidence

and we have to acquire that evidence without modifying it or allowing anyone else to

modify it uh in in the in line and without modification is super important in the

legal process so law enforcement establishes a chain of evidence a chain of custody to document

all who handle evidence so so where that evidence was from

its original point of existence to its presence in front of a judge in a courtroom is carefully tracked and

accounted for so one can prove that it was not in the hands of some unknown or unauthorized party where it was

potentially modified so alternatives to confiscating evidence so confiscation is is a

an act an aggressive act of of going in through some legal means to to confiscate to collect

evidence so we can work on voluntary surrender so we can ask the person who owns the evidence to

voluntarily surrender it for investigation we can use

we can use the subpoena process uh where we where the the courts can compel a subject to surrender the uh the

evidence we can use a search warrant uh which is most useful when you need to uh confiscate evidence

uh without giving a subject an opportunity to alter it so when is it when you want to collect

a hard drive from a bad actor a search warrant is a great way to show up with with law enforcement and

confiscate that evidence without giving advance notice to that that party

so because you're going to discover some incidents

after they've occurred you're potentially going to lose valuable evidence unless you ensure that

critical log files are retained for a reasonable period of time and you can retain your log files and your

system status in place or you can do that in an archive uh

and and how long is a reasonable period of time depends on the uh the sensitivity of the data the

value of the assets to which they apply any regulatory requirements that may mandate

a period of of data retention data retention should really be defined in your security policies and defined

uh individually for different uh you know data classifications or and

different assets based on their their value their sensitivity their applicability in in

certain regulatory uh requirements that your organization may face but data retention should be

defined in your security policy so there's no question about this and when that time comes that you know an

incident has occurred maybe you don't learn about it for days or months or even years later

you haven't lost that evidence because you put the appropriate

retention in place so let's talk about evidence so in a word evidence is your proof in a

a criminal proceeding when we're talking about crime so there are quite a few different types of

evidence the best evidence is original secondary evidence would be a copy

direct evidence proves or disproves an act based on the five senses

most often meaning something that was was seen and or heard in the first person you have conclusive evidence so

incontrovertible meaning it just can't be disproven we have you know the act on a camera we we see it

in in live action so there's no question

uh what was carried out circumstantial evidence on the other hand where the action maybe wasn't seen

directly but it can be inferred from other information this often comes up in

financial crimes for example corroborative corroborative evidence corroborative evidence that's a a lot of

syllables there supporting evidence uh that cannot stand on its own it has to have other

other evidence alongside to be useful um opinions there are expert opinions and non-expert opinions so you'll see

expert witnesses in court there to support you know one party or the other's

opinions or their assertions by providing their expert opinion on a topic

there's hearsay which is evidence not based on firsthand knowledge so so it wasn't

um wasn't uh seen or heard it's not provable through

a first party's five senses but you know maybe somebody else some some intermediary heard something

and can provide some some information around the event but your evidence has to be

relevant complete sufficient and it has to come

has to be reliable it has to come from reliable sources there has to be a chain of custody

so let's talk about evidence admissibility and taking all of this with the

understanding that i am not a lawyer right i am giving you cissp driven information

and a lot of time watching crime dramas on television uh so types of evidence that may be used in a criminal or civil

trial so so according to the official guide here there's real evidence that consists of actual objects that can be

brought into a courtroom there's uh documentary evidence which consists of written documents that can provide

insight into the facts there's testimonial evidence which consists of verbal or written

statements made by witnesses

so be familiar with these three for the exam for sure so

requirements for evidence to be admissible in a court of law so so the evidence has to be relevant

to a facted issue in the case it has to be material to the case

they it's also stated that the evidence must be competent or legally collected now you've heard

the word competent when talking about someone being competent in a particular skill so let's talk about what that

means in the world of evidence evidence is considered competent if it complies with

what we call traditional notions of reliability so that the court that the court is satisfied that the

the source and the handling and the type of evidence all fit into the

the traditional notions of what is considered reliable and dependable evidence so let's talk about collecting

evidence so so when do we need to collect evidence well really as soon as you discover an incident

you want to collect evidence and as much information about the incident as as possible because we can use that in a

subsequent legal action or potentially in finding the attacker's identity and evidence can

also assist us in determining the extent of damage so when we tackle this sooner rather than

later there's less less information to go through often

this goes hand in hand of course with with that audit trail and logging and data retention there but but collecting

sooner rather than later is going to improve our chances of success and where people are involved will find

individuals memories will be fresher and their recall better when we're talking to them shortly after an

incident as opposed to months later so you'll need to know the common types of natural disasters that may threaten

an organization those will include earthquakes floods storms tsunamis you know tidal waves

volcanic eruptions and what what your organization is exposed to is largely dependent on your physical location

if you live on the coast uh hurricanes or typhoons may be common if you're in the pacific rim volcanic eruptions

if you're exposed to earthquakes earthquakes also are a source of tsunami so an earthquake

can cause a tidal wave so those kind of go hand in hand man-made disasters you want to be

familiar with as well for the exam these could include explosions electrical fires terrorist acts power outages other

utility failures and you remember in an earlier domain we talked about you know dealing with fire as one

example so let's talk about disaster recovery so you will be expected to be familiar with

the different types of recovery sites so let's start with hot warm and cold sites so a cold

recovery site a recovery cold site essentially is just a data center space it's power and network connectivity

that's ready and waiting when you need it to recover your engineering team is going to move your hardware into the

data center and get you back up and running so that's going to be a lower cost it's going to be higher effort to

recover because you really have an empty room waiting for you to move equipment and

there your infrastructure in there to get things running again so recovery time will will also be

longer so a warm site uh what we call a preventative you know warm site allows

you to pre-install your hardware pre-configure your bandwidth needs when when you have that disaster all you

have to do is load your software and your data to restore your business systems it's

going to be a bit less effort it's going to be a little more expensive so the cost and effort are somewhere in the

medium range if i'm i'm comparing this relative to cold and hot sites so the proactive

hot site allows you to keep servers and a live backup site running and really you're replicating your

production environment in that data center so recovery means uh you can you can immediately cut over

in case of a disastrous primary site so a hot sites you know typically going to be a must for mission critical site

that's going to be more expensive the effort to recover is going to be less uh your failover is going to be

uh quicker so going down that road recovery sites and those three recovery sites hot worm

cold we're really thinking about you know what i described there sounded like infrastructure right so talking

about types of recovery sites there's a the concept of a service bureau this is a a company that leases

computer time service bureaus own large server farms and often fields of workstations so they can uh i see

service bureaus in helping get you know end users back online and running you know these may be on-site or remote you

could have employees go to a service bureau they could just remote into a system that's configured to do what you

needed to do um mobile sites these are you know a

non-mainstream alternative to traditional recovery sites they typically consist of self-contained

trailers or other easily relocated units and and you know strategy involving

multiple sites is just what it sounds like and it may mix and match some combination of the aforementioned

options but having multiple sites that you could recover depending on the the nature of and the scope

of the uh the disaster so rpo and rto these are acronyms you will want to be very familiar with

you'll want to know the difference so so rpo is a the recovery point objective this is the

age of the files that have to be recovered from from backup storage for normal operations to resume

if the system or network goes down and the recovery time objective is the duration of time and a service level

within which a business process has to be restored after a disaster to avoid unacceptable

consequences so rpo and rto these tend to go hand in hand but be familiar with the

definition of each mutual assistance agreement so these are are fairly rare in my experience so so

just the pros and cons here so a mutual assistance agreement is where entities agree to provide

assistance to one another before during and after an emergency uh event to facilitate rapid uh

mobilization of personnel equipment supplies uh you'll see this happen between you

know government agencies at various levels this can happen between commercial organizations as well

uh and and this can be mutually beneficial because it can provide an inexpensive alternative to disaster

recovery sites where maybe organizations agree to provide some sort of failover capability for one another

um you know it does come with some some negatives you know certainly it's it's

less expensive the risk you know of organizations participating in

an mma is that your partners may be shut down by the same disaster and mmas can raise

confidentiality concerns um why are these not so common well they're

not commonly used for one reason because they're difficult to enforce certainly the risks make them less common but

they're difficult to enforce as well if one side lets the other down then it comes down

to courts and paperwork and that doesn't help anyone so you see here the four main steps of

business continuity planning straight from the official study guide you'll be expected to be familiar

with these steps so you want to memorize the steps know the goal of business continuity planning

as well which is the uh quick calm and efficient response in an

emergency to enhance a company's ability to recover from a disruptive event promptly and of course this goes hand in

hand with disaster recovery and and you'll see business impact analysis mentioned

in the official study guide but really really not a lot of detail around there

so focus on dr focus on uh some of the basics around business continuity planning you should be good to go there

so a few bcp definitions that are definitely worth knowing

for the exam so there's the uh the business continuity plans that's the overall organizational plan for how to

continue the business right there's the continuity of operations plan the plan for continuing to do

business until the i.t infrastructure can be restored there's the disaster recovery plan the

plan for how we recover from an i.t disaster and having that infrastructure back

in operation so continuing down this list business resumption plan the plan to move

from the disaster recovery site back to your business environment or back to normal operations

meantime between failures so a time determination for how long a piece of it

infrastructure will continue to work before it fails and then

the mean time to repair a time determination for how long it will take to get a piece of hardware software

repaired and back online and then finally max tolerable downtime

this is the amount of time we can be without an asset you know having it unavailable before we

have to declare disaster and initiate our disaster recovery plan so i i gave you the

kind of core dictionary definition of business continuity planning but let's talk through the core goals of disaster

recovery and bcp so minimizing the effects of a disaster

essentially by improving responsiveness of our employees in different situations easing confusion by providing written

procedures and participation in drills and helping folks make logical decisions

during a crisis so just the act of practice and documentation and repetition ensures

that folks are trained in what they need to do so there is less thinking

under extreme stress so it improves our organization's response because we've

we've documented it we understand our priorities we know what we're to do because we can simply look at the plan

and move forward in a variety of different situations there are

five types of disaster recovery plan tests you want to be familiar with and and you know i just mentioned repetition

and practice are important right so you have five five tests you'll want to be familiar with i'll call them out and

then we'll discuss them there's the read through test there's the structured walk-through

there's the simulation test the parallel test and the full interruption test so let's

talk through each of these briefly so the read-through test you you distribute copies of the disaster

recovery plans for review there's the structured walkthrough where the members of the disaster recovery

team get into a big conference room and they role play in a disaster scenario usually the exact

scenario is only known to the test moderator who presents the details to the team at the

meeting some folks will call this a tabletop exercise because we're around a big conference

table and we have the plans in our hands and we're talking through a scenario but the the moderator will know the

scenario the team members will refer to the document and discuss appropriate responses to that particular type of

disaster so this is a first step in ensuring that the plan

is uh appropriate and actionable and complete because we can answer you know

what is that appropriate step in a variety of circumstances now what do these two have in common well so far

uh everything we're talking about these are all talk right we're not we're not testing anything we are talking through

we're reviewing a plan talking through scenarios now we move into a simulation test

this is uh similar to a structured walkthrough that we just talked about except in this case

some of the response measures are then tested generally on non-business critical

functions and then there's a parallel test which involves relocating personnel

to the alternate recovery site and implementing site activation procedures the employees

relocated perform their disaster recovery responsibilities just as they would for an actual disaster and then

there is the full interruption test which is like parallel tests but it involves actually shutting down

operations at the primary site and shifting them to the recovery site so these are the five

types of plans and you will you will find that organizations generally speaking require that they

validate these plans in inaction at least annually some some more often i find folks that leverage

the cloud for their backup site are able to test these a little more aggressively sometimes twice a year

or even more but but these three uh recovery plan tests these all involve some form of doing right from from

something fairly non-invasive to you know that full interruption test which is

uh very thorough and and you're very complete so a couple of related terms there's a

recovery team which is used to get business critical functions running at the alternate site there's the salvage

team which is used to return the primary site to normal processing conditions so if you see any talk around recovery

versus restore the recovery team as the name indicates is responsible for recovery and then the

salvage team is your restore group and the official guide calls out some backup strategies you

should be familiar with particularly around databases they mention uh electronic vaulting so transferring

database backups to a remote site is part of a bulk transfer remote journaling which is

transmitting only the the journal of the transaction logs to the off-site facility a lot of your database

platforms will have a replication capability that can do do some of these there's remote mirroring where a live

database server is maintained at the backup site this is going to be the most advanced

database backup solution it tends to be the most expensive it's going to require some expertise in configuring the the

mirroring or replication that gets that live copy over there and i'm going to mention categories of

disruption i'm not sure you'll see this on the exam i know i spotted this in the uh the the common body of knowledge for

cissp at some point but i had this in my study notes so the three main categories of disruption you

have non-disaster which is a disruption in service from a device malfunction or a user error

a disaster where an entire facility is unusable for a day or longer a catastrophe which is a major

disruption that destroys the facility altogether and that requires a short-term

and a long-term solution i'm not sure you'll see these on the exam i wanted to throw these out

there just in case i think they're pretty easy to remember and that does it

for domain 7. and rounding out our core domains domain

8 software development security so we'll start with what's new in domain

8 and we do see some additions here in the syllabus in 8.2

identify and apply security controls and software development ecosystems so we see in their program languages

libraries tool sets integrated development environment runtime

code repositories uh continuous integration and continuous delivery often abbreviated as ci cd

uh security orchestration automation and response we covered soar uh back in in domain three because i

wanted to talk to you about soar with uh with sem at the same time because those two components are delivered together so

consider soar sore the sore box checked off and then software configuration

management so we need to talk about all of these new topics in an existing subdomain effectively

so code repositories this is where your source code and your related artifacts like your libraries

are stored so how do you handle source code securely is is the question you really want to be able

to answer don't commit sensitive information to your code repository we're not going to

store secrets on disk right we want to protect access to our source code repository so we need to have

role-based access control we need to have authentication and authorization in place

sign your work you know code code signing is a form of

you know integrity keep your development tools your ide your development environment up to date

so that might be visual studio visual studio code is the the most common ide today

maybe you're old school and you're using notepad plus plus whatever you're using to write your code your ide keep it up

to date most code repositories in the world today use git which is the most widely

used modern version control system was actually invented git was invented by

linus torvalds the inventor of linux um but but that's integrated development environment and that's all i'm going to

mention about it there so the main thing you need to know from a security perspective about your ide is keep it up

to date keep it patched uh code libraries which i mentioned a

moment ago for for some important core functions code libraries can actually improve application security and reduce

risk versus writing a function from scratch so for example certain languages can be prone

to certain kinds of attack so so c is as an example um

you know they use safe memory allocation and string manipulation libraries to reduce the risk of buffer overflow

attacks um other good uses for a lot good examples of

where a library could fit in and you know improve our security libraries that help us with encryption

or handling secrets or bulk data transfer you know utility functions that are very important

that somebody else has probably already written more effectively and completely than we could

so when we get to talking about code scanning i'll mention runtime so let's just talk about what runtime is exactly

so runtime describes the period of time during which a software program is actually running so this is where

dynamic application security testing evaluates the security of an application while it's it's actually running

assessing software security at runtime is is oftentimes the only option for purchase software because you don't have

access to the source code but but when you have access to the source code both source code and runtime

scanning doing both of these is a best practice you want to you want to scan your code and look for for

vulnerabilities poorly written code code that may be uh prone to buffer overflows for example

uh or or injection you know we see forms that that don't have proper input validation that means they may be

uh and you know prime for for injection attacks for containers when we're thinking about docker and

kubernetes uh you know scanning our container images at build time is important because many times in the in

the the container world your container is is built your container image is built on base images

that come from the open source world so you want to make sure there's no malware all the way down

uh through the layers of your uh your container image and you want to have a solution to scan

the runtime environment to make sure your containerized application is secure and

proper isolation is in place i don't think you need to know quite to that level of detail but

but what i wanted to impress upon you here is when it comes to code if you have access to the score the source code

you want scanning there you want to also scan uh runtime we'll talk about how that happens together and then for

containers i just wanted to mention similar reality we need to scan our images at

build time and at run time so so cicd you're going to hear this phrase a lot in the world of devops and

devsecops this is continuous integration and continuous delivery sometimes continuous integration and continuous

deployment the d may be expressed differently depending on who you're talking to all means the same thing

so securing our delivery pipeline ci cd is how we

deliver uh frequent uh and and effective application

releases you know multiple releases a day for example uh so to secure that pipeline that that release pipeline we

call it we need to implement identity and access management including mfa we need to make sure we're restricting who

can get into our pipeline to to see and edit that configuration so authentication and authorization we need

to store secrets securely and scan our code to make sure we don't have hard-coded secrets you don't want

hard-coded secrets in your code you don't want to store them on disk

implement role-based access control least privilege access into the environment so so you may have a small

number of people that have the ability to reconfigure your delivery pipeline and you have others that can come in and

maybe run your pipeline and others that can maybe only read the pipeline

um automating vulnerability scanning in your pipeline is an excellent idea and

most of your your platforms that provide cicd a platform for ci cd

many of these these platforms have some sort of automated vulnerability scanning capability either natively or through a

third party that you can plug into the pipeline to scan at the appropriate time so you can scan

your source code etc and release versioning will improve recoverability and and also tracking issues if you have

a well-established versioning system for your software i don't believe on an exam like the cissp you're going

to be tasked to to talk about effective versioning in detail

but just know that release versioning will improve recoverability because you'll you'll be able to track issues

against different versions of your software uh and this can help you

uh you know track current issues but also spot to spot uh regression bugs so bugs that you know resurface that you

know are maybe present in an earlier version and written out and somehow creep back

uh so let's talk about configuration management so so configuration management tracks the way

systems are set up both for for hardware and software and os and application settings

software configuration management is a phrase you might hear you might also hear it expressed as security

configuration management focus on the configuration management piece okay so baselining is an important

component of configuration management it's a set effectively a snapshot of an application or a system with an

application on it at a given point in time you should also create artifact

also create artifacts that might be used to help understand the system configuration this can be documentation

this can be a diagram and and within configuration management you have system level versioning

component level versioning to establish uh you know the the software uh hardware and configuration versions of a system

so you you know what you're running on today and you can

roll you know roll forward and roll back you know should you have uh problems in a release

so uh applications depend on compute resources and software components so so your configuration

management is going to uh to cross that boundary between hardware and software they both need

this capability and you need it in an integrated sense to to to basically track the configuration

across an entire system so on a web server for example you know i want to know you know what version of different

frameworks i'm running what version of uh of uh you know java what jvm am i running you know if i'm running the.net

framework what version is that what version of my web server do i have there the os the patch levels etc all of that

can be important uh because your software will have a certain dependency so let's

talk about code scanning so there's static application security testing so

this is analyzing computer software performed without actually executing

programs so the tester basically has access to the underlying framework the design the implementation

so the key characteristic of static application security testing is it

requires source code dynamic application security testing on the

other hand involves actually executing the application the tester doesn't

necessarily have any knowledge of the technologies or frameworks the application is built on

and no source code is required an important distinction it's often said that static testing tests the

application from the inside out and dynamic testing is considered outside in

testing and that does it for what's new in domain eight so i'd like to take a look

at the syllabus and talk about everything that's not new that i think is important for you to be prepared for

on the exam so an 8.1 understand and integrate security in the software development

life cycle 8.2 we just covered a lot of what's new here which was security controls in

development environments 8.3 is assessing the effectiveness of software security

8.4 assessing the security impact of acquired software and 8.5 defining and applying secure coding guidelines and

standards there's going to be a lot of process memorization for you in 8.5 so let's start

with relational database management systems rdbms is

the acronym you need to know the basic architecture of relational databases so relational databases contain tables

sometimes called relations these a table will contain a number of fields and each attribute corresponds to a column in the

table and and i'll talk you through these and then i'm going to show you an example

which will lock this in for you so rows are essentially data records so one row of data is a record so if it was

a database of employees i would be a record you would be a record that would be a row

and r and rows are sometimes called record sometimes called tuples typically you're going to hear tables and rows

when you're talking to people speaking in plain language but it's a record and then a column

uh is a set of data values of a particular type so a column in a in a record for example a first name

would be a column last name would be a column job title would be a column

these are sometimes called fields or attributes and

continuing down this row set with with databases i mentioned there's a table right so this is the table right here

that's the table so it consists of the the rows and the columns so there's a row

that shouldn't surprise you there and you'll notice that there's a a company id column there that's that's probably a

key a primary key we'll talk about keys in just a moment and then there's a column

so let's talk about keys in the context of relational databases so you have the concept of a candidate key so

a candidate key is composed of any set of attributes that can uniquely identify any record in a table so no two records

in the same table will ever contain the same value for all attributes that compose that key

so for example first name and last name in an employee database would be pretty good

until you have a second employee with the same name as the first person at the moment there are two john smiths that's

no longer a good key that's where another column like employee id could come in very handy to

uniquely identify any record in that table there can be one or more

candidate keys per table now the primary key is selected from the set of candidate keys there's only one of these

per table it's set by the designer so it's chosen at design time and then there are foreign keys i'll

need to show you just a quick example of this foreign keys are used to enforce

relationships between two tables in a relational database it enforces what's known as referential integrity so it

ensures that if one table contains a foreign key it corresponds to a still existing

primary key so what do i mean by that let's just have a look so i have here

uh the picture of an e-commerce application and

this application is one that allows customers to give gifts to one another so we can have customers giving gifts

but also receiving gifts so in the the customer table

on the left you'll see that we have a customer id

right that is the primary key of that table as noted by the pk and over in the gift table you'll notice

there are two foreign keys one of those is customer id the other is receiver id so there are two relationships between

this table there is the idea that a customer is the giver of the gift

and also the idea that a customer may be the receiver of the gift so there is a

primary key foreign key relationship there between customer id and then over in the gift

table either customer id or receiver id since that can go in either direction as giver or receiver so if i were to so

bottom line if i were to try to delete a customer id the

database of the relational database management system should stop me because there is

a relationship between these tables i shouldn't be able to delete that record that contains that primary

key that is referenced over in that other table where that foreign key relationship

exists so it enforces referential integrity

it's also going to prevent changes to the design of the database in a way that would break that referential integrity

so also we'll want to talk about common relational database management

threats the two called out in in the exam essentials are the aggregation attack and the inference

attack so let's take a look at each of these the aggregation attack is based on the

individual's ability to create sensitive information by combining non-sensitive data from separate sources so a common

example here is a records clerk in the military processing a transfer request for a specific sergeant for example so

sergeant smith's transfer request from base a to base b is not sensitive but if that records clerk has access to

transfer requests across all the bases if they can use their aggregate access in databases to establish say troop

numbers located at each base around the world those troop levels would comprise very sensitive information so need to

know and least privilege can prevent aggregation attacks and then we have the inference attack

which is based on the individual's ability to deduce or assume sensitive information from observing non-sensitive

pieces of information so for example let's say the accounting clerk in our company has access to

salary data but they don't understand which salary data maps to any individual employee now if that accounting clerk

can see the salary data from march and they know that only one person was hired in march and they then see

the salary data in april they could potentially deduce the salary of that single individual person hired during

that period of time so they are deducing that information so to prevent an inference attack

blurring data meaning providing only data that has been rounded to the nearest

level figure like a hundred thousand or a million can help with that database partitioning can help that sort of of

attack but the difference here is aggregation attacks are based more on math and inference attacks are based

more on human deduction so that's how i'd keep those two separate in your mind for the exam and a

few other attacks that affect rdbms systems that we've talked about previously include sql injection

time a check time of use back door and denial of service to name a few now you'll also be expected to be familiar

with the various types of storage and their relative cost and performance on the exam and by relative cost and

performance i mean less expensive more expensive faster slower volatile non-volatile etc so so not

actual numbers or costs just relative uh or comparative costs so there's primary memory which is your ram that's

available directly to the the cpu uh volatile ram and we'll talk about volatile and non-volatile in a moment

but this is directly available to a system cpu this is going to be the most high performance storage available and

operations happening in memory uh are generally speaking always faster than operations that involve writing

data out to a disk or storage of some sort so secondary storage can consist of of

less expensive non-volatile storage

available for for long-term use this would be any sort of tape disk hard drive magnetic or optical media cd dvd

there's virtual memory now this is interesting if you're not familiar with with virtual memory and operating

systems this allows a system to simulate additional primary memory resources through the use of secondary storage so

for example on a windows system you'll have a setting in the operating system that defines virtual memory by

default and if a system is low on on real memory on

ram it can make hard disk space available for direct cpu addressing so it creates a memory space

on disk so to speak so it can flush data out of real memory to the disk so it can then work in memory

how virtual memory works exactly is not super important but understand that virtual memory is when a system low on

ram makes a disk available for direct cpu addressing

moving on here virtual storage this allows a system to simulate

secondary storage through the use of primary storage so we said primary storage was ram right that was

the the fastest most high performance uh now if we're using if we're simulating secondary storage

through the use of primary storage we said secondary storage was your non your non-volatile media right

so what happens in this case is what we call a ram disk

is a great example so it provides a very fast file system for apps but no recovery capability because it's

simulating a disk it's it's simulating disk storage in memory

but it allows us to perform a a file system type operation very quickly it just doesn't have recovery capability

because it's sitting in volatile media it's sitting in ram

random access storage just allows the operating system to request the contents from any point within the media so ram

and hard drives are random access storage now sequential access storage on the other hand requires scanning through

the entire media from the beginning to reach a specific address a great example of

this is magnetic tape backup tapes perfect example of this old-school

uh magnetic storage i mentioned volatile and non-volatile so let's just sort that out right quick so

volatile storage loses its contents when power is removed from the resource ram that we talked about primary storage the

most common example when the system goes down the contents of ram are gone because it is volatile storage

which means that non-volatile storage by comparison uh does not depend upon the presence of

power to maintain its content so certainly magnetic optimal and optical media and

non-volatile ram uh would be a couple of of many examples now really any storage you can imagine

that uh doesn't lose its contents when it's not connected to power uh that's a good

example of non-volatile storage so machine learning and neural networks you you'll be expected to have some

fundamental knowledge here of of a few uh terms so let's start with expert systems so expert systems consists of

two main components there's a knowledge base that contains a series of if then type rules

and an inference engine that uses that information to draw conclusions about

other data but essentially you have the knowledge base that contains

you know vast numbers of records of information and then you have the inference engine that

evaluates that knowledge to draw conclusions the machine learning techniques that

attempt to algorithmically discover knowledge from data sets so using machine learning

algorithms and then neural networks so neural networks

simulate function of the human mind they also require extensive training on a

particular problem before they can offer solutions i think those will be the two most uh

distinct characteristics of a neural network so know these three for the exam

systems development we're really talking about software development here so there's agile which

uh places emphasis on the needs of a customer and quickly developing and iterating

uh in our solution so basically rapidly creating new iterations or new versions

of the uh the eventual uh software product so agile is designed

to be exactly that agile very responsive to customer needs now waterfall on the other hand describes a sequential

development process that results in development of a finished product so waterfall is

less less responsive i feel like agile and waterfall

represent sort of opposing strategies if you if you ask me to pick what's the opposite

of agile in terms of software development models i would pick waterfall and we'll we'll look at

waterfall agree in greater depth in just a moment and then there's spiral which uses

several iterations of the waterfall model to produce a number of fully specified prototypes so spiral really

addresses some of the problems that we see with with waterfall in fact let's just have a look at those

right now so we'll start with agile so agile's a model for software development that's based on four principles

individuals and interactions over processes and tools working software over comprehensive

documentation customer collaboration over contract negotiation

and responding to change over following a plan so the idea here is that we can produce a result

that is more effective it's it's closer to what the customer wants it gets us to the finish line faster

because we can pivot very quickly based on changes in requirements or changing changes in our understanding as we we

build the product and and go through new experiences for example user experience testing may tell us that

we need to pivot and and change the way we're building software and agile is intended to be very

responsive in that respect so know those four principles individuals and interactions over

processes and tool working software over documentation collaboration over over contracts and responding to change over

following the plan agile was actually first described in the manifesto for agile software

development that was released back in 2001 and i really started seeing agile back in

the the early 2000s 2007 and beyond all right the waterfall model is a seven

stage process that allows a return to the previous stage for corrections and to make sure that for the cissp exam

you look at the seven step waterfall model that is defined defined in the book you will find versions of waterfall

that out on the internet that tell you there are only six steps but you see it goes from system requirements to

software requirements to design to coding and debugging to testing

and operations and maintenance so so

the waterfall sort of visualized for you there but waterfall i mentioned also allows

a return to the previous phase from each phase so each phase can only go back one one phase

for correction so so it's by design less flexible less agile if you will than agile pun

intended and then there's the spiral model so the spiral model is a software development life cycle model that allows

for multiple iterations of a waterfall style process so it's known as a a meta model or a model of

models each loop of the spiral you see on the right there results in the development

of a new system prototype a new iteration if you will so it provides a solution to the major

criticism of the waterfall model it allows developers to return to the planning

stages as demands change so in a word it adds that for that

property of of iterative it makes it more flexible so it allows us to leverage you know a waterfall style

process in a more customer focused responsive

way and allows us to iterate quickly through our through our our product designs

so software development maturity models these help software organizations improve maturity and quality of their

software processes by implementing an evolutionary path from ad hoc development chaotic processes where

everybody is kind of on their own they're not really following any sort of organized process or plan

and moving to a state of more mature disciplined software processes so for

the cissp exam you will want to be familiar with the software capability maturity model the

sw-cmm and the ideal models so

software capability maturity model it's a five-step model for measuring software development organizations so level one

is no plan level two

is implementation of a repeatable process a basic life cycle management it's called

level three is defined where we have a documented software development process level four is managed this is where we

now have quantitative measures meaning we can reliably measure performance to gain a

detailed understanding of results and where improvements can be made and then optimized

a continuous development process with feedback loops this is the top of the mountain i like

to think of this in the world of devops i would call this continuous integration continuous deployment

continuous release it's sometimes called but cicd so so this is where we have a high level

of maturity and we can release software often and reliably

and then the ideal model is a model for development that implements

many of the the software capability maturity model so there's initiating where our business

reasons are outlined support and infrastructure for for the initiative are put in place we have diagnosing

where engine engineers analyze the current state of the organization and make recommendation we have establishing

where the organization takes those recommendations and they develop plans to achieve those changes

acting putting the plan into action and learning so the organization continuously analyzes their efforts

and proposes new actions to drive better results but notice that for each stage there

that's your acronym ideal initiating diagnosing establishing acting and learning i think that's probably all

the uh the the memory aids you need to uh to remember ideal

this was one of those that since it was based on uh based on an acronym i didn't actually

create a memory device to try to remember it i just remember the and it's a very logical process

right so let's talk about change in configuration management in the context

of software development so there's request control which require provides an organized framework so users can

request modifications and and managers can look at those ch those requests and basically perform a cost benefit

analysis they can prioritize these tasks prioritize the development backlog is the request

reasonable is it affordable is it something many other customers want for example

there's change control this is used by developers to uh to recreate the uh the situation encountered and to analyze the

changes to remedy the situation and then there's release control so once

the the changes are finalized they can be approved for release through the release control

procedure so it should also include acceptance testing to ensure that the alterations

are were actually understood they were developed as as intended as requested and they are functional so changes in

this case really mean code changes that result in functionality changes in the uh the software

next up is software testing so we have to test software thoroughly before we distribute that software

and the programming team generally speaking should develop special data sets that allow us to exercise all the

paths of of software navigation in an application to the fullest extent

uh that that's feasible and some tests may be automated and others may be manual so user experience testing for

example that's typically going to be a manual test where a real person performs tests according to a plan and

reports back their experience they perform a task they look at the actual result versus the expected result for

example and many other types of tests may be automated

for example if i want to to test to see if fields in a web form are susceptible to buffer overflow i basically need a

way to to replay you know input of a bunch of different values from from a special

data set to make sure that my application never throws an error that

it always responds as i expect so that's something i could likely automate unlike user experience testing

virus propagation techniques this is something that may come up on the exam and there are four

main propagation techniques you want to be familiar with the first is file infection which infects different

types of executable files and trigger when the operating system

attempts to execute them so on a windows system for example that's going to be dot exe and com files

generally speaking there's a service injection attack and service injection uh escapes detection

by injecting themselves into trusted runtime processes in the os so on windows for example that could be

servicehost.exe winlogon or explorer.exe boot sector infection which essentially just infects the legitimate boot sector

and it's loaded into memory during the operating system load process so when you boot the system up

or reboot the system and then there's macro infection which spread through code and macros like

visual basic for apps in microsoft office docs antivirus software so antivirus software

comes in in a couple of different flavors so uh many in years past use

signature-based detection algorithms to look for telltale patterns of known viruses and and many still use this it

is critical that signatures are updated frequently for example on the windows platform is the best example i know to

give you we'll see multiple updates daily now modern antivirus increasingly

operate using behavior-based detection too monitoring target systems for unusual activity and either blocking it

or flagging it even if it doesn't match a known malware signature and and modern anti-driver

modern anti-virus often relies on some ai driven or machine learning

driven intelligence and some modern antivirus software will have you know a cloud connection where it can

send off samples to to get some input from a cloud-based system

that can perform some additional analysis and given that in the modern age you know many uh threats are seen

once and never again they're unique behavior-based detection is an absolute requirement so the the the study guide

mentions that it's increasingly common everybody's doing this i'll just tell you right now

so techniques to compromise password security you want to be familiar with

all of these so we have password crackers which are designed to basically take credential data stolen in a breach

and extract passwords from it and the methods password crackers will use will vary widely

dictionary attacks these use a large dictionary file with thousands of words and it basically runs an encryption

function against all the words to obtain their encrypted their hashed equivalents um but it's using existing words where

whereas a brute force attack is when the attacker tries to attempt all possible combinations of a password

to gain access to an account so so actually a dictionary attack is a type of brute force attack where the attacker

instead of trying to try all possible combinations they try passwords from a dictionary file

social engineering attacks these consist of simply calling the user and asking for their

password or more often posing as a technical support representative or other authority figure who needs

information immediately you even see these carried out over the phone where someone

will call and say that they are from microsoft support and they need your password or they're from apple

support and you need to give them a password and you need to pay them some amount of money to help

you these are attacks that sometimes feel very

realistic i do remember once i was actually traveling internationally and i was on my way back home and someone

called me while i was in an airport lounge and said hey i'm on the phone with apple support they're asking me to

buy these gift cards to to pay them for support because

there's there's a breach on my ipad completely social engineering attack you

know the that that sort of demand is never going to come from microsoft or apple or any legitimate company and i

was thankfully for them able to to advise them and to stop that

so social engineering is as powerful a way to stop social engineering is through security awareness training

number one countermeasure root kit rootkit is a piece of software freely

available on the internet it's used as a second step by attackers to exploit known vulnerabilities

to enable attackers to elevate or escalate their privilege to gain greater privilege on the system

once they have established residence so let's touch on

application attacks which are used by attackers to go after poorly written software to

exploit poorly written software the most common you'll likely hear about is the buffer overflow where a developer

does not validate user input to ensure that it's of an appropriate size this is really common in web forms

and if the form doesn't validate the input the user can potentially input data that

is too large and it can overflow the memory buffer causing an error a buffer

overflow air there's a back door this is an undocumented command sequence or

sequences that allow individuals with knowledge of the back door to bypass normal access restrictions often used

during development and debugging and in

the worst cases you know unintentionally or even intentionally left there after development and debugging

there's time a check to time of use attacks which is a timing vulnerability that

occurs when a program checks access permissions too far in advance of a resource request

so it's a timing issue and rootkit which is escalation of privilege so rootkits are freely

available on the internet and they're intended to exploit known vulnerabilities in various

operating systems enabling attackers to elevate privilege so you'd see this in an escalation of

privilege attack scenario

web application vulnerabilities there are two very common

web app vulnerabilities you want to be aware of and and you'll find that there are vulnerabilities that compromise

front-end and front-end you know web interfaces or web systems and back-end databases and sometimes they're using

the front-end to compromise or access the back end so there is the cross-site scripting

which is a type of injection attack in which malicious scripts are injected into and or otherwise benign and trusted

websites so these occur when an attacker uses a web application to send malicious code

to a different end user they occur when web apps contain reflected input you know for

example i put my name into a field on a form i hit submit and it says hello pete sql injection attack so these use

unexpected input into a web application into a front end to gain unauthorized access to an underlying database

there are quite a few different ways i've seen sql injection attacks play out i saw one of these in real time

a few years ago where a pen tester was able to put unexpected input into a web form

and it caused the database because it caused the the code to return information from the database you'd

never want exposed next up are reconnaissance techniques so these are

techniques used by attackers who are preparing to attack a network so this is data collection and learning ahead of

the attack so iprobes automated tools basically pinging each ip address in a range so performing a ping sweep and

then systems that respond to the ping request are basically logged for further analysis

in the next step so then you'll commonly see a port scan which will look for

open or listening ports on a system so for example port 80 and 443 would be indicative of a web server port 445

tcp 445 would be a file server so looking for server supporting critical operations are going and services are

going to be prime targets and then you have vulnerability scanners that can be used to scan for specific

vulnerabilities in a system so a few popular tools out there include nessus openvas qualis core impact quite a few

vulnerability scanners on the market today i don't think you'll be

you know tested on your knowledge of vulnerability scanner brands but i wanted to throw a few out there which

incidentally are also mentioned in the book i believe in the the official study guide by the by

so protection rings may come up these are used to protect data and functionality from fault you'll

hear about these in operating system so for example ring zero is is kernel mode ring one and two would be device drivers

ring three or applications and then within the system there are special

call gates between the rings that are defined to allow the outer rings to to gain access to the inner rings through

pre-defined mechanisms rather than just arbitrary access the software development life cycle you

want to be familiar with the five phases of the software development life

cycle so phase one requirements analysis phase two design phase three implementation phase four testing and

phase five evolution i have for you here a memory device to help you

lock these five phases in to your mind real developers

ideas take effort so i came up with this memory device

because i wanted something that was relevant to the subject at hand which is software development but also

uh followed the first letter of each of the phases of the software development life cycle so requirements

design implementation testing and evolution real developers ideas take effort if you want a memory device

there you have it concentric circle security

so you if you've spent any time in cyber security you were familiar with concentric circle security although

you've probably never heard it referred to as concentric circle security that is a

very theoretical phrase that that doesn't come up in the real world very often so

this security model consists of several mutually independent security applications processes or

services that operate toward a single common goal so it avoids a monolithic

security stance by having multiple independent applications tools and processes working

together to provide better security so basically every individual security mechanism has a flaw

or a work around and we have to bear that in mind and by combining uh intelligent combinations of of

counter measures into what we call a layered defense we can

provide significant resistance to persistent attempts to compromise

our network this is called a layered defense you'll also hear this referred to as

defense in depth so you want to be familiar with concentric circle security but tie this

to layered defense defense and depth and avoiding a monolithic security stance

and finally uh the security impact of acquired software so four categories here there's operating system attack so

attackers are always looking for vulnerabilities in an operating system uh buffer overflows other bugs

uh systems that simply haven't been patched in a long period of time or patch for specific vulnerabilities

their application level attacks we've talked about a few of these uh sql injection cross-site scripting denial of

service hijacking phishing which is an email-based

uh application level attack uh their shrink wrap code attack so these are exploiting holes in unpatched

or poorly configured software you buy and install a lot of times software you buy and install

will uh you know contain sample scripts or code and those will be exploited if if an

attacker can find them then finally misconfiguration attacks which target poorly configured

services or devices or one that's left in a default configuration a wi-fi router left in the default settings is a

fabulous example i can remember back in the day you know netgear

routers came with a very simple admin username and password and it was really common that folks would buy that netgear

router take it home and not change a thing in a business environment when we see

those defaults left in place that usually indicates a process problem at home that's a much different story

and that's it for domain8 and congratulations you've reached the end of this cissp exam gram course i hope

you got value out of this video i hope you're getting value out of the series if you have questions at any point leave

me a comment below the video come find me on linkedin and let's have a chat

i wish you the best of luck on your exam and until next time take care and stay safe

Comprehensive CISSP 2022 Exam Cram: Domains, Strategies & Updates

Comprehensive CISSP 2022 Exam Cram: Domains, Strategies & Updates

Introduction to CISSP 2022 Exam Cram Series

Exam Preparation Strategy

Thinking Like a Manager

CISSP Exam Format and Updates

Domain 1: Security and Risk Management

Domain 2: Asset Security

Domain 3: Security Architecture and Engineering

Domain 4: Communication and Network Security

Domain 5: Identity and Access Management

Domain 6: Security Assessment and Testing

Domain 7: Security Operations

Domain 8: Software Development Security

Conclusion

What are the key topics covered in the CISSP 2022 Exam Cram?

How should I prepare for the CISSP exam effectively?

What is the format of the CISSP exam and how has it changed?

What are the main risk management frameworks discussed in the CISSP content?

What are some effective strategies for incident response as outlined in the CISSP material?

How does the CISSP content address emerging technologies in security?

What are the recommended study techniques for mastering CISSP concepts?

Related Summaries

Mastering General Security Concepts for Security Plus Exam 2024

Comprehensive Overview of Incident Response and Handling in CCNA Cyber Ops

Exam Prediction Video Summary: Key Topics and Questions

Unlock Your Hacking Potential: A Comprehensive Guide to Security CTFs

Understanding Cyber Resilience: Key Strategies for Businesses

Most Viewed Summaries

A Comprehensive Guide to Using Stable Diffusion Forge UI

Mastering Inpainting with Stable Diffusion: Fix Mistakes and Enhance Your Images

How to Use ChatGPT to Summarize YouTube Videos Efficiently

Pag-unawa sa Denotasyon at Konotasyon sa Filipino 4

Ultimate Guide to Installing Forge UI and Flowing with Flux Models

Start Taking Better Notes Today