CISSP – Defense in Depth

  • Defense in Depth – Also called Layered Defense or Onion Defense.
    • We implement multiple overlapping security controls to protect an asset.
    • This applies both to physical and logical controls.
    • To get to a server you may have to go through multiple locked doors, security guards and mantraps.
    • To get to data you may need to get past firewalls, routers, switches, the server, and the application's own security.
    • Each step may have multiple security controls.
    • No single security control secures an asset.
    • By implementing Defense in Depth you improve your organization's Confidentiality, Integrity and Availability.

IT security trainer.
Sharing my knowledge, to help you reach your IT certification goals.
CISSP, C|EH, PMP, CCNP, CompTIA Security+, SCP, CCNA-Security, CCNA, et al.

CISSP – Liability, due diligence and negligence.

  • Liability:
    • If the question is who is ULTIMATELY liable, the answer is Senior Leadership. This does not mean you are not liable; you may be, that depends on Due Care. Who is held accountable, who is to blame, who should pay?
  • Due Diligence and Due Care:
    • Due Diligence – The research to build the IT Security architecture of your organization. Best practices and common protection mechanisms. Research of new systems before implementing.
    • Due Care – Prudent Person Rule – What would a Prudent Person do in this situation?
    • Implementing the IT Security architecture and keeping systems patched. If compromised: fix the issue, notify affected users (follow the Security Policies to the letter).
  • Negligence (and Gross Negligence) is the opposite of Due Care.
    • If a system under your control is compromised and you can prove you did your Due Care, you are most likely not liable.
    • If a system under your control is compromised and you did NOT perform Due Care, you are most likely liable.

CISSP – Need to know, least privilege and objects/subjects.

  • Least Privilege and Need to know.
    • Least Privilege – (Minimum Necessary Access) Give users/systems exactly the access they need, no more, no less.
    • Need to know – Even if you have access, if you do not need to know, then you should not access the data.
  • Non-repudiation.
    • A user cannot deny having performed a certain action. This uses both Authentication and Integrity.
  • Subject and Object.
    • Subject – (Active) Most often users, but can also be programs – Subject manipulates Object.
    • Object – (Passive) Any passive data (both physical paper and data) – Object is manipulated by Subject.
    • Some can be both at different times: an active program is a subject; when closed, the data in the program can be an object.

CISSP – IAAA (Identification and Authentication, Authorization and Accountability)

  • Identification:
    • Your name, username, ID number, employee number, SSN etc.
    • “I am Thor”.
  • Authentication:
    • “Prove you are Thor”. – Should always be done with Multifactor Authentication!
    • Something you know – Type 1 Authentication (passwords, pass phrase, PIN etc.).
    • Something you have – Type 2 Authentication (ID, Passport, Smart Card, Token, cookie on PC etc.).
    • Something you are – Type 3 Authentication (also called Biometrics) (Fingerprint, Iris Scan, Facial geometry etc.).
    • Somewhere you are – Type 4 Authentication (IP/MAC Address).
    • Something you do – Type 5 Authentication (Signature, Pattern unlock).
  • Authorization
    • What are you allowed to access – We use Access Control models, what and how we implement depends on the organization and what our security goals are.
    • More on this in Domain 5 – Identity and Access Management (DAC, MAC, RBAC, RUBAC)
  • Accountability (also often referred to as Auditing)
    • Trace an Action to a Subject's Identity.
    • Prove who/what a given action was performed by (non-repudiation).
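An added Python example (not from the original posts) that ties the Need-to-know, Least Privilege and Subject/Object notes together with the Accountability step above: a single authorization decision that checks clearance, need-to-know compartments and granted operations separately, and records every decision against the subject's identity. The levels, compartments and the subject "thor" are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed classification ladder (higher number dominates lower).
LEVELS = {"PUBLIC": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Subject:
    name: str                  # identification: who claims to act
    clearance: str             # highest level the subject may see
    need_to_know: frozenset    # compartments the subject actually works in
    permissions: frozenset     # least privilege: operations granted, nothing more


@dataclass(frozen=True)
class Object:
    name: str
    classification: str
    compartments: frozenset


# Accountability: every decision is traceable to a subject identity.
AUDIT_LOG: list = []


def authorize(subject: Subject, obj: Object, action: str) -> bool:
    """Allow only when all three hold: clearance dominates the object's level,
    the object's compartments are all within the subject's need-to-know, and
    the requested action is one the subject was granted."""
    cleared = LEVELS[subject.clearance] >= LEVELS[obj.classification]
    needs_to_know = obj.compartments <= subject.need_to_know
    permitted = action in subject.permissions
    decision = cleared and needs_to_know and permitted
    AUDIT_LOG.append((subject.name, action, obj.name, "ALLOW" if decision else "DENY"))
    return decision


# Constructed sample subject and objects.
THOR = Subject("thor", "SECRET", frozenset({"finance"}), frozenset({"read"}))
LEDGER = Object("q3-ledger", "CONFIDENTIAL", frozenset({"finance"}))
PAYROLL = Object("payroll", "CONFIDENTIAL", frozenset({"finance", "hr"}))
```

Thor is cleared well above both objects, yet is denied payroll because he lacks the "hr" compartment (need-to-know) and denied writing the ledger because only "read" was granted (least privilege).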

CISSP – the CIA Triad and its opposites.

Confidentiality, Integrity and Availability

  • Finding the right mix of Confidentiality, Integrity and Availability is a balancing act.
  • This is really the cornerstone of IT Security – finding the RIGHT mix for your organization.
    • Too much Confidentiality and the Availability can suffer.
    • Too much Integrity and the Availability can suffer.
    • Too much Availability and both the Confidentiality and Integrity can suffer.
  • The opposites of the CIA Triad are DAD (Disclosure, Alteration and Destruction).
    • Disclosure – Someone not authorized gets access to your information.
    • Alteration – Your data has been changed.
    • Destruction – Your data or systems have been destroyed or rendered inaccessible.

CISSP – the CIA Triad – Availability!

We want to keep our System and Data available.

  • We use:
    • IPS/IDS.
    • Patch Management.
    • Redundancy on Hardware: Power (Multiple Power Supplies/UPSs/Generators), Disks (RAID), Traffic paths (Network Design), HVAC, Staff, HA (high availability) and much more.
    • SLAs – How high an uptime do we want (99.9%?) – (ROI)
  • Threats:
    • Malicious attacks (DDoS, Physical, System compromise, Staff).
    • Application failures (errors in the code).
    • Component failure (Hardware).

CISSP – the CIA Triad – Integrity!

  • We want system and Data integrity
    • We use:
      • Cryptography (again).
      • Checksums (This could be CRC).
      • Message Digests also known as a hash (This could be MD5, SHA1 or SHA2).
      • Digital Signatures – non-repudiation.
      • Access control.
    • Threats:
      • Alterations of our data.
      • Code injections.
      • Attacks on your encryption (cryptanalysis).
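An added Python example (not from the original post) that runs the three integrity controls listed above, a CRC32 checksum, a SHA-256 message digest and a keyed digest (HMAC-SHA256), against the two threats named: accidental corruption and deliberate alteration. The record and key are constructed for the demonstration.

```python
import hashlib
import hmac
import zlib

# Constructed sample record and a key known only to the verifier (not from the page).
RECORD = b"invoice=4711;amount=100.00;payee=ACME"
VERIFIER_KEY = b"demo-key-known-only-to-the-verifier"

def crc32_checksum(data: bytes) -> int:
    """Checksum (CRC32): built to catch accidental corruption."""
    return zlib.crc32(data) & 0xFFFFFFFF

def sha256_digest(data: bytes) -> str:
    """Message digest (SHA-2 family): any change gives a different digest."""
    return hashlib.sha256(data).hexdigest()

def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed digest (HMAC-SHA256): recomputing it requires the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def protect(data: bytes, key: bytes) -> dict:
    """Integrity values the sender stores or sends alongside the data."""
    return {"crc": crc32_checksum(data), "sha256": sha256_digest(data),
            "hmac": hmac_tag(key, data)}

def verify(data: bytes, stored: dict, key: bytes) -> dict:
    """Which of the three controls still accept the received data."""
    return {"crc": crc32_checksum(data) == stored["crc"],
            "sha256": sha256_digest(data) == stored["sha256"],
            "hmac": hmac.compare_digest(hmac_tag(key, data), stored["hmac"])}

def bit_flip_scenario() -> dict:
    """Accidental corruption: one bit flips in transit; stored values untouched."""
    stored = protect(RECORD, VERIFIER_KEY)
    corrupted = bytearray(RECORD)
    corrupted[0] ^= 0x01
    return verify(bytes(corrupted), stored, VERIFIER_KEY)

def tamper_scenario() -> dict:
    """Deliberate alteration by a party who can rewrite the data and the unkeyed
    values stored beside it, but does not hold the verifier's key."""
    altered = RECORD.replace(b"amount=100.00", b"amount=999.00")
    stored = protect(RECORD, VERIFIER_KEY)
    stored["crc"] = crc32_checksum(altered)    # no secret needed to recompute
    stored["sha256"] = sha256_digest(altered)  # no secret needed to recompute
    return verify(altered, stored, VERIFIER_KEY)
```

All three controls catch the bit flip, but only the keyed digest catches the alteration, which is why checksums and plain hashes protect against corruption while authenticity needs a key; and because HMAC's key is shared by both parties it still does not give non-repudiation, which is what the digital signature in the list above adds.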

CISSP – the CIA Triad – Confidentiality!

We want to keep our information confidential.

  • We use:
    • Encryption for data at rest (for instance AES256), full disk encryption.
    • Secure transport protocols for data in motion (SSL, TLS or IPsec).
    • Best practices for data in use – clean desk, no shoulder surfing, screen view angle protector, PC locking (automatic and when leaving).
    • Strong passwords, multi factor authentication, masking, Access Control, Need-to-Know, Least Privilege.
  • Threats:
    • Attacks on your encryption (cryptanalysis).
    • Social engineering.
    • Key loggers (software/hardware), cameras, Steganography.
    • IoT (Internet of Things) – The growing number of connected devices we have poses a new threat; they can be a backdoor to other systems.

CISSP – the CIA Triad!

  • The CIA Triad (AIC)
    • Confidentiality
      • This is what most people think IT Security is.
      • We keep our data secure and our secrets secret.
      • We ensure no one unauthorized can access the data.
    • Integrity
      • How do we protect against modifications of the data and the systems?
      • We ensure the data has not been altered.
    • Availability
      • How do we ensure the data is available when users need to access it?
      • We ensure authorized people can access the data they need, when they need to.

CISSP – Upcoming in-person classes at Honolulu Community College.

Upcoming in-person classes at Honolulu Community College 8/22-9/21:
