CISSP certification: MAC (Mandatory Access Control)

MAC (Mandatory Access Control): Often used when Confidentiality is most important.

Almost always used in the military or in organizations where confidentiality is very important, rarely used in the private sector (unless in defense contracting).

  • Access to an object is determined by labels and clearance
  • Labels: Objects have labels assigned to them; the subject's clearance must dominate the object's label.
    • The label is used to allow Subjects with the right clearance access to them.
    • Labels are often more granular than just “Top Secret”; they can be “Top Secret – Nuclear”.
  • Clearance: Subjects have clearance assigned to them.
    • Based on a formal decision on a subject's current and future trustworthiness.

The higher the clearance the more in depth the background checks should be.
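The dominance rule above is easy to get wrong once compartments come into play, so here is an added example (not code from the original post) of the check in the Bell-LaPadula style a confidentiality-first MAC system uses: a clearance dominates a label only if its level is at least as high AND it holds every compartment on the label. The level ordering, the compartment names and the "no write down" rule for writes are assumptions added here; the post itself only describes the read side.

```python
# Added example (not from the original post): a minimal mandatory access
# control check. A subject may read an object only if its clearance dominates
# the object's label: the clearance level is at least the label level AND the
# clearance holds every compartment on the label (e.g. "Top Secret – Nuclear").
# Level ordering and compartment names below are constructed for illustration.
from dataclasses import dataclass, field

# Hierarchical levels, lowest to highest (assumed ordering).
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def __post_init__(self):
        if self.level not in RANK:
            raise ValueError(f"unknown level: {self.level!r}")


def parse_label(text: str) -> Label:
    """Parse 'Top Secret – Nuclear, Crypto' into a Label.

    An en dash or hyphen separates the level from a comma-separated
    compartment list; a bare level has no compartments.
    """
    level, _, comps = text.replace(" - ", " – ").partition(" – ")
    compartments = frozenset(c.strip() for c in comps.split(",") if c.strip())
    return Label(level.strip(), compartments)


def dominates(clearance: Label, label: Label) -> bool:
    """True if the level is >= and the compartments are a superset."""
    return (RANK[clearance.level] >= RANK[label.level]
            and clearance.compartments >= label.compartments)


def can_read(clearance: Label, label: Label) -> bool:
    """Simple security property (no read up): clearance must dominate the label."""
    return dominates(clearance, label)


def can_write(clearance: Label, label: Label) -> bool:
    """*-property (no write down): the object's label must dominate the
    subject's clearance, so a Top Secret subject cannot leak into a Secret file.
    Assumed here; the post only discusses reads."""
    return dominates(label, clearance)


if __name__ == "__main__":
    ts_nuclear = parse_label("Top Secret – Nuclear")
    print(can_read(ts_nuclear, parse_label("Secret")))          # True: level and compartments dominate
    print(can_read(parse_label("Top Secret"), ts_nuclear))      # False: missing the Nuclear compartment
```

Note that a plain "Top Secret" clearance does not dominate "Top Secret – Nuclear": level alone is not enough, which is exactly the granularity the post points at.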

IT security trainer.
Sharing my knowledge, to help you reach your IT certification goals.
CISSP, C|EH, PMP, CCNP, CompTIA Security+, SCP, CCNA-Security, CCNA, et. Al.

CISSP certification: RBAC (Role based access control).

RBAC (Role Based Access Control): Often used when data integrity is most important.
Most large organizations use role-based access control; your access levels are determined by your job role.

  • Policy-neutral access control mechanism defined around roles and privileges.
  • A role is assigned permissions, and subjects in that role are added to the group; if they move to another position they are moved to the permissions group for that position.
  • It makes administration of 1,000s of users and 10,000s of permissions much easier to manage.
  • The most commonly used form of access control.
  • If implemented right it can also enforce separation of duties and prevent authorization/privilege creep.
  • We move employees transferring within the organization from one role to another; we do not just add the new role to the old one.
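The last two bullets are where RBAC deployments usually fail in practice, so here is an added example (not code from the original post) that models them directly: permissions hang off roles rather than users, a transfer revokes the old role before granting the new one, and a separation-of-duties table refuses to let one person hold two conflicting roles. The role names, permissions and conflict pair are constructed for illustration.

```python
# Added example (not from the original post): a small role-based access
# control model. Permissions are attached to roles, not users; an internal
# transfer REPLACES the old role instead of stacking a new one on top of it
# (privilege creep); a separation-of-duties rule forbids holding two
# conflicting roles at once. Roles, permissions and users are constructed.

ROLE_PERMISSIONS = {
    "accounts_payable": {"invoice:create", "invoice:read"},
    "payment_approver": {"invoice:read", "payment:approve"},
    "helpdesk": {"user:reset_password", "ticket:read", "ticket:write"},
}

# Pairs of roles one person must never hold together (separation of duties):
# whoever creates an invoice must not be able to approve its payment.
SOD_CONFLICTS = {frozenset({"accounts_payable", "payment_approver"})}


class SeparationOfDutiesError(Exception):
    """Raised when an assignment would give a user two conflicting roles."""


class RBAC:
    def __init__(self):
        self._roles = {}  # user -> set of role names

    def assign(self, user, role):
        """Grant a role, refusing if the result would violate separation of duties."""
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role: {role}")
        new_roles = self._roles.get(user, set()) | {role}
        for conflict in SOD_CONFLICTS:
            if conflict <= new_roles:
                raise SeparationOfDutiesError(f"{user}: {sorted(conflict)} may not be held together")
        self._roles[user] = new_roles

    def revoke(self, user, role):
        self._roles.get(user, set()).discard(role)

    def transfer(self, user, old_role, new_role):
        """Move a user between positions: revoke the old role, THEN grant the new one.
        Doing it in this order is what stops privilege creep."""
        self.revoke(user, old_role)
        self.assign(user, new_role)

    def roles(self, user):
        return set(self._roles.get(user, set()))

    def permissions(self, user):
        """Effective permissions are the union of the user's roles' permissions."""
        return set().union(*(ROLE_PERMISSIONS[r] for r in self._roles.get(user, set())))

    def has_permission(self, user, perm):
        return perm in self.permissions(user)


if __name__ == "__main__":
    rbac = RBAC()
    rbac.assign("alice", "accounts_payable")
    rbac.transfer("alice", "accounts_payable", "payment_approver")
    print(sorted(rbac.permissions("alice")))  # ['invoice:read', 'payment:approve']
```

Trying to add payment_approver on top of accounts_payable raises SeparationOfDutiesError; the transfer succeeds because the old role is gone first.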

CISSP certification: Just launched 4 full 250-question CISSP certification practice exams.

I just published 4 full 250-question CISSP certification practice exams, with no repeating questions.
For the launch they are marked down from $75 to $10!
Take the practice test, find your weak areas, study those and then take it again, rinse/repeat as much as needed.
The questions and answers are randomized each time so it will feel like a new exam if you take it multiple times.

CISSP certification: Full 250 question practice test #1 2017
Regular price $75
Special sales price $10

CISSP certification: Full 250 question practice test #2 2017
Regular price $75
Special sales price $10

CISSP certification: Full 250 question practice test #3 2017
Regular price $75
Special sales price $10

CISSP certification: Full 250 question practice test #4 2017
Regular price $75
Special sales price $10

CISSP certification: Subject and object.

In access control, we use the terms subjects and objects. Knowing the difference and what both can do is important for the exam.

Subject – (Active) Most often users, but can also be programs – Subjects manipulate objects.

Object – (Passive) Any passive data (both physical paper and data) – Objects are manipulated by subjects.

It is possible to be both at different times: an active program is a subject; when closed, the data in the program can be an object.

CISSP certification: Risk Analysis terms.

Qualitative vs. Quantitative Risk Analysis.

  • For any Risk analysis we need to identify our assets. What are we protecting?
    • Qualitative Risk Analysis – How likely is it to happen and how bad is it if it happens? This is vague, guessing, a feeling and relatively quick to do. Most often done to know where to focus the Quantitative Risk Analysis.
    • Quantitative Risk Analysis – What will it actually cost us in $? This is fact based analysis, Total $ value of asset, math is involved.
      • Threat – A potentially harmful incident (Tsunami, Earthquake, Virus, … )
      • Vulnerability – A weakness that can allow the Threat to do harm. Having a Data Center in the Tsunami flood area, not Earthquake resistant, not applying patches and antivirus, …
      • Risk = Threat x Vulnerability.
      • Impact – Can at times be added to give a fuller picture. Risk = Threat x Vulnerability x Impact (How bad is it?).
      • Total Risk = Threat x Vulnerability x Asset Value.
      • Residual Risk = Total Risk – Countermeasures.

IT Security – from Forbes “7 Cybersecurity Questions Every Leader Should Ask”

7 Cybersecurity Questions Every Leader Should Ask

Theresa Payton, former CIO for the White House and current CEO of Fortalice Solutions, a cybersecurity and intelligence consulting firm, identifies the seven cybersecurity questions every business leader should ask.

Source: www.forbes.com/sites/kimberlywhitler/2017/09/16/7-cybersecurity-questions-every-leader-should-ask/

CISSP Friday-Five Questions September 8th 2017.

What is WORM media?

WORM Media (Write Once Read Many): CD/DVDs can be WORM Media (R), if they are not R/W (Read/Write).

In IaaS who is responsible for the databases?

IaaS - (Infrastructure as a Service) The vendor provides infrastructure up to the OS, the customer adds the OS and up.

Logic bombs will go off when:

Logic Bombs - Malicious code that executes at a certain time or event - they are dormant until the event (IF/THEN). IF Bob is not getting an annual bonus over $10,000, THEN execute malicious code. IF date and time 5/15/18 00:02:12, THEN execute malicious code.

What is polyinstantiation?

Polyinstantiation (Alternative Facts) – Two (or more) instances of the same file depending on who accesses it. The real information may be available to subjects with Top Secret clearance, but different information will be available to staff with Secret or lower clearance.
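Polyinstantiation is easiest to see in a multilevel database table, so here is an added example (not code from the original post): one key holds one row per classification level, a reader gets the highest-classified instance their clearance dominates, and a lower-cleared insert of an existing key creates a new instance rather than failing (a failure would itself reveal that a higher row exists). The table contents, level ordering and key names are constructed for illustration.

```python
# Added example (not from the original post): polyinstantiation in a
# multilevel relation. The same key has one row per classification level; a
# reader sees the highest-classified instance their clearance dominates and
# never learns that a higher one exists. Table contents are constructed.

# Hierarchical levels, lowest to highest (assumed ordering).
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# key -> {classification -> row}; the "real" row lives at Top Secret and a
# cover row at Secret, as the post describes.
MULTILEVEL_TABLE = {
    "flight 101": {
        "Secret": {"destination": "Training exercise", "cargo": "Supplies"},
        "Top Secret": {"destination": "Forward base", "cargo": "Munitions"},
    },
}


def read_row(table, key, clearance):
    """Return the highest-classified instance the clearance dominates, or None.

    Returning None rather than an error keeps a low-cleared reader from
    learning that the key exists at all at a higher level.
    """
    instances = table.get(key, {})
    visible = [lvl for lvl in instances if RANK[lvl] <= RANK[clearance]]
    if not visible:
        return None
    return instances[max(visible, key=RANK.__getitem__)]


def insert_row(table, key, classification, row):
    """Insert at the writer's level. If a higher-classified instance already
    exists, this silently adds a second instance instead of rejecting the
    insert, which is the point of polyinstantiation."""
    table.setdefault(key, {})[classification] = row


def instance_count(table, key):
    """How many instances of a key exist across all levels (an auditor's view)."""
    return len(table.get(key, {}))


if __name__ == "__main__":
    print(read_row(MULTILEVEL_TABLE, "flight 101", "Top Secret"))  # the real cargo
    print(read_row(MULTILEVEL_TABLE, "flight 101", "Secret"))      # the cover story
    print(read_row(MULTILEVEL_TABLE, "flight 101", "Confidential"))  # None
```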

Cryptanalysis is where we:

Cryptanalysis is the science of breaking encrypted communication. Cryptanalysis is used to breach cryptographic security systems and gain access to the contents of encrypted messages, even if the cryptographic key is unknown. It uses mathematical analysis of the cryptographic algorithm, as well as side-channel attacks that do not target weaknesses in the cryptographic algorithms themselves, but instead exploit weaknesses in their implementation and the devices that run them.

CISSP & IT security: Equifax data breach with close to 60% of all US adults compromised (143 million).

Equifax Inc. (NYSE: EFX) announced on 9/7 a cybersecurity incident potentially impacting 143 million U.S. residents.

The attackers exploited a website application vulnerability and gained access to certain files.

Based on Equifax’s investigation, the attackers had access from mid-May through the end of July 2017.
The criminals gained access to people’s names, addresses, birthdays, Social Security numbers and in some cases driver’s license numbers.
Other than the obvious questions on how this could happen and how to protect your identity online if you were exposed, it also raises some other questions.

#1: Equifax offers credit monitoring (one of their key services) to anyone affected by the breach, but only for 1 year.
You will be vulnerable a lot longer than that from the breach. Is this just a smart up-sell?
You also waive your rights to sue Equifax if you get the protection, unless you write them within 30 days letting them know you want to opt out of the “no sue” clause.

#2: After the breach the Equifax Chairman and CEO, Richard F. Smith, said “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”
This is almost as ham-fisted as the BP CEO explaining how he had to cut his vacation short and no one was as affected by the Gulf oil spill as he was.
Equifax lost 58% of the adult US population’s names, addresses, birthdays and Social Security numbers and you think you are a leader in protecting data?!?

#3: The breach was detected in July, in August Equifax bought the “sign up here if you were compromised” website (https://www.equifaxsecurity2017.com) and in September they told the press.
Why did it take that long to tell anyone about the breach?
From the discovery to the disclosure, the attackers could have made 100,000s of fake credit cards and bank accounts; they could have ruined many lives because Equifax waited almost 6 weeks to disclose the breach.

#4: 3 Senior Executives sold close to 1.8 million USD in Equifax stock (these were non-planned sales) just days before the public was told about the breach, but over 5 weeks after Equifax knew about the breach.

Supposedly they did not know about the breach, I just really doubt the CFO wakes up one morning and decides to sell $1,000,000 of stock that wasn’t planned and then a few days later “Oh by the way we were breached 6 weeks ago”.
Chief Financial Officer John Gamble sold stock for $946,374.
U.S. Information Solutions President Joseph Loughran sold stock for $584,099.
Consumer Information Solutions President Rodolfo Ploder sold stock for $250,458.
How can or will anyone ever trust Equifax with their data?

CISSP certification: Quantitative Risk Analysis.

  • Quantitative Risk Analysis – We want exactly enough security for our needs.
    • We find the asset’s value: How much of it is compromised, how much one incident will cost, how often the incident occurs and how much that is per year.
    • Asset Value (AV) – How much is the asset worth?
    • Exposure factor (EF) – Percentage of Asset Value lost?
    • Single Loss Expectancy (SLE) – (AV x EF) – What does it cost if it happens once?
    • Annual Rate of Occurrence (ARO) – How often will this happen each year?
    • Annualized Loss Expectancy (ALE) – (SLE x ARO) – This is what it costs per year if we do nothing.
    • Total Cost of Ownership (TCO) – The mitigation cost: upfront + ongoing cost (Normally Operational)
  • Laptop – Theft/Loss (unencrypted).
    • The Laptop ($1,000) + PII ($9,000) per loss (AV).
    • It is a 100% loss; it is gone (EF)
    • Loss per laptop is $10,000 (AV) x 100% (EF) = $10,000 (SLE)
    • The organization loses 25 Laptops Per Year (ARO)
    • The annualized loss is $250,000 (ALE)
  • Data Center – Flooding
    • The Data Center is valued at $10,000,000 (AV)
    • If a flood happens, 15% of the DC is compromised (EF)
    • Loss per flood is $10,000,000 (AV) x 15% (EF) = $1,500,000 (SLE)
    • A flood happens every 4 years = 0.25 (ARO)
    • The annualized loss is $375,000 (ALE)
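The two scenarios above are the kind of SLE/ALE calculation the exam asks for, so here is an added example (not code from the original post) that carries them through in reusable form and then answers the question the TCO bullet raises: does a control cost less per year than the loss it removes? The encrypted-laptop figures and the $20,000/year TCO are constructed assumptions, not numbers from the post.

```python
# Added example (not from the original post): the SLE/ALE arithmetic from the
# post's two scenarios, plus a comparison against the mitigation cost (TCO) to
# decide whether a control pays for itself. The post-control numbers and the
# TCO figure are constructed assumptions.
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost (1.0 = 100%)
    annual_rate: float      # ARO, incidents per year (0.25 = once every 4 years)

    def sle(self) -> float:
        """Single Loss Expectancy: AV x EF, what one incident costs."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: SLE x ARO, cost per year if we do nothing."""
        return self.sle() * self.annual_rate


def control_value(before: Scenario, after: Scenario, annual_tco: float) -> float:
    """Yearly value of a control: ALE reduction minus its annual TCO.

    Positive means the control saves more than it costs; negative means we
    are buying more security than the risk justifies.
    """
    return before.ale() - after.ale() - annual_tco


# The post's two scenarios.
LAPTOP = Scenario("Laptop theft/loss (unencrypted)",
                  asset_value=10_000, exposure_factor=1.0, annual_rate=25)
DATA_CENTER = Scenario("Data center flooding",
                       asset_value=10_000_000, exposure_factor=0.15, annual_rate=0.25)

# Constructed assumption: full-disk encryption leaves only the $1,000 hardware
# exposed per loss (the PII is no longer readable) and costs $20,000 a year.
ENCRYPTED_LAPTOP = Scenario("Laptop theft/loss (encrypted)",
                            asset_value=1_000, exposure_factor=1.0, annual_rate=25)
ENCRYPTION_TCO = 20_000


if __name__ == "__main__":
    for s in (LAPTOP, DATA_CENTER):
        print(f"{s.name}: SLE ${s.sle():,.0f}, ALE ${s.ale():,.0f}")
    print(f"Encryption nets ${control_value(LAPTOP, ENCRYPTED_LAPTOP, ENCRYPTION_TCO):,.0f} per year")
```

With the post's numbers the unencrypted laptops cost $250,000 a year; under the assumed figures encryption reduces that to $25,000 for $20,000 of TCO, so it is worth buying. Swap in your own TCO to see where the decision flips.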
