CISSP certification: Qualitative Risk Analysis.

  • Qualitative Risk Analysis – How likely is it to happen and how bad is it if it happens? The answers are subjective ratings (a judgement call rather than a calculation), which makes it relatively quick to do. It is most often done first, to decide where to focus the Quantitative Risk Analysis.
    • Qualitative Risk Analysis with the Risk Analysis Matrix.
      • Pick an asset: a laptop.
      • How likely is it to get stolen or left somewhere?
        I would think Possible or Likely.
      • How bad is it if it happens?
        That really depends on a couple of things:
        • Is it encrypted?
        • Does it contain Classified or PII/PHI content?
      • Let’s say it is Likely and a Minor issue; on the matrix that puts the loss in the High Risk category.
      • It is normal to move High and Extreme risks on to Quantitative Risk Analysis. Once mitigation is implemented (for example full-disk encryption, which lowers the impact of a lost laptop), we reassess and may be able to move the risk level to “Low” or “Medium”.

CISSP certification: Access Control Defensive Categories and Types:

Access Control Defensive Categories and Types:

  • Access Control Types (Many can be multiple types – On the exam look at question content to see which type it is).
    • Preventative:
      • Prevents an action from happening – Least Privilege, Drug Tests, IPSs, Firewalls, Encryption.
    • Detective:
      • Controls that detect during or after an attack – IDSs, CCTVs, Alarms, Anti-virus.
    • Corrective:
      • Controls that correct the damage from an attack – Anti-virus, Patches, IPSs.
    • Recovery:
      • Controls that help us recover after an attack – DR Environments, Backups, HA Environments.
    • Deterrent:
      • Controls that deter an attack – Fences, Security Guards, Dogs, Lights, “Beware of the dog” signs.
    • Compensating:
      • Controls that compensate for a primary control that is impossible or too costly to implement – e.g. extra monitoring and network segmentation around a system that cannot be patched.

CISSP certification: ISC² Code of Ethics.

Before you can take the exam you will agree to the ISC² Code of Ethics; it is also very testable on the certification. Learn it.

  • ISC² Code of Ethics
    • You agree to this before the exam, and the code of ethics is very testable.
    • There are only four mandatory canons in the Code. By necessity, such high-level guidance is not intended to be a substitute for the ethical judgment of the professional.
    • Code of Ethics Preamble:
      • The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
      • Therefore, strict adherence to this Code is a condition of certification.
    • Code of Ethics Canons:
      • Protect society, the common good, necessary public trust and confidence, and the infrastructure.
      • Act honorably, honestly, justly, responsibly, and legally.
      • Provide diligent and competent service to principals.
      • Advance and protect the profession.

CISSP Friday-Five Questions September 1st 2017.

A DDoS attack is meant to disrupt which leg of the CIA Triad?

When we get hit by a DDoS (Distributed Denial of Service) attack, it disrupts our availability, but not integrity or confidentiality.

In the US security breach notification laws are:

Security Breach Notification Laws are NOT federal: states have individual laws, so know the one for your state. When this was written (2017) 48 states had such a law, with none in Alabama and South Dakota; both passed one in 2018, so all 50 states now have one. They normally require organizations to inform anyone whose PII was compromised. Many states have an encryption clause under which lost data that was encrypted may not require disclosure.

What is not an example of good multifactor authentication?

Multifactor authentication uses authentication from more than one factor (something you know, have or are). A username and password are not multifactor: the username is the identification and the password is a single knowledge factor, and adding a PIN or a security question to a password is still only one factor.

Which type of access control model is based on a subject’s clearance?

MAC (Mandatory Access Control) is system-enforced access control based on a subject’s clearance and an object’s label; neither the owner nor the subject can change the policy, and the label can also carry compartments that enforce need-to-know.

Which is an asymmetric form of encryption?

RSA is asymmetric: it uses a public/private key pair. 3DES, RC6 and Twofish are all symmetric, using the same secret key for encryption and decryption.


CISSP Friday-Five Questions: Identity and access management.

In a good password policy, which should be allowed?

Passwords should never contain: the name of a pet, child, family member or significant other, anniversary dates, birthdays, birthplace, favorite holiday, anything related to a favorite sports team, or the word "password". Winter2017 is not a good password even though it fulfils the complexity requirements: a season plus a year is one of the first patterns an attacker tries. The recommendations the U.S. Department of Defense and Microsoft published at the time were:
  • Password history = remember 24 passwords.
  • Maximum password age = 90 days.
  • Minimum password age = 2 days (so users cannot cycle through 24 passwords in a row to get back to their favorite one).
  • Minimum password length = 8 characters.
  • Passwords must meet complexity requirements = true.
  • Store passwords using reversible encryption = false.
Note that NIST SP 800-63B (2017) moved away from forced periodic changes and composition rules, recommending instead that passwords be screened against lists of known-compromised and commonly used values and only changed when there is evidence of compromise.
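As an added example (not part of the original post), here is the policy above turned into a checker. The account, its personal terms and the candidate passwords are constructed; storing the history as salted PBKDF2-HMAC-SHA256 hashes is my assumption about how a directory would keep it, and the iteration count is kept low only so the example runs quickly.

```python
"""Password policy checker for the DoD/Microsoft-style settings listed above.

Added example, not from the original post. Account data is constructed.
"""
from __future__ import annotations

import hashlib
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

HISTORY_SIZE = 24                 # "remember 24 passwords"
MAX_AGE = timedelta(days=90)      # maximum password age
MIN_AGE = timedelta(days=2)       # minimum password age
MIN_LENGTH = 8
PBKDF2_ROUNDS = 20_000            # assumption, and deliberately low for the demo

# Season-plus-year passwords ("Winter2017") pass complexity rules but are guessable.
SEASON_YEAR = re.compile(r"(spring|summer|autumn|fall|winter)\d{2,4}", re.IGNORECASE)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    personal_terms: list[str]                                   # pet, child, team, ...
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # (salt, hash), newest last
    last_changed: datetime | None = None

    def is_expired(self, now: datetime) -> bool:
        return self.last_changed is None or now - self.last_changed > MAX_AGE

    def in_history(self, candidate: str) -> bool:
        # Each entry has its own salt, so the candidate is re-hashed per entry.
        return any(_hash(candidate, salt) == digest for salt, digest in self.history)

    def set_password(self, password: str, now: datetime) -> None:
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-HISTORY_SIZE:]             # keep only the last 24
        self.last_changed = now


def complexity_classes(password: str) -> int:
    """Count how many of upper / lower / digit / symbol classes the password uses."""
    classes = [str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum()]
    return sum(any(f(c) for c in password) for f in classes)


def check_password(account: Account, candidate: str, now: datetime) -> list[str]:
    """Return every policy violation; an empty list means the change is allowed."""
    problems = []
    if account.last_changed and now - account.last_changed < MIN_AGE:
        problems.append("minimum password age (2 days) not reached")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if complexity_classes(candidate) < 3:       # the usual reading of "must meet complexity"
        problems.append("needs characters from at least 3 of: upper, lower, digit, symbol")
    lowered = candidate.lower()
    if "password" in lowered or account.username.lower() in lowered:
        problems.append("contains 'password' or the username")
    for term in account.personal_terms:
        if term.lower() in lowered:
            problems.append(f"contains personal information ({term})")
    if SEASON_YEAR.search(candidate):
        problems.append("season+year pattern (e.g. Winter2017) is guessable")
    if account.in_history(candidate):
        problems.append(f"used within the last {HISTORY_SIZE} passwords")
    return problems


def demo() -> dict:
    """Walk the policy through a constructed account and return the outcomes."""
    day0 = datetime(2017, 9, 1)
    acct = Account(username="thor", personal_terms=["Odin", "Mjolnir"])
    acct.set_password("Correct-Horse-7", day0)
    later = day0 + timedelta(days=3)
    return {
        "too_soon": check_password(acct, "Another-Pass-9", day0 + timedelta(days=1)),
        "season_year": check_password(acct, "Winter2017", later),
        "personal": check_password(acct, "Mjolnir2024!", later),
        "reused": check_password(acct, "Correct-Horse-7", later),
        "accepted": check_password(acct, "Tr0ub4dor&3-Rides", later),
        "expired": acct.is_expired(day0 + timedelta(days=91)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12} {outcome}")
```

The Winter2017 case is the instructive one: it satisfies length and complexity, so only the pattern check catches it, which is exactly why a composition rule on its own is a weak control.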

Type 1 authentication is:

Something you know – Type 1 Authentication: passwords, passphrases, PINs etc., also called knowledge factors. The subject uses these to prove their identity; the assumption is that only the legitimate subject knows the secret.

Which authentication form is the worst to have compromised, because it can't be changed?

Something you are – Type 3 Authentication (biometrics): lost passwords and ID cards can be replaced with new, different ones; biometrics cannot. You cannot change your fingerprints, so once the stored template or a copy of the print is compromised it stays compromised.

PINs, passwords and passphrases are which type of authentication?

Something you know – Type 1 Authentication: passwords, passphrases, PINs etc., also called knowledge factors. The subject uses these to prove their identity; the assumption is that only the legitimate subject knows the secret.

Which authentication protocol is no longer considered secure?

TACACS (Terminal Access Controller Access Control System): a centralized access control system that requires users to send an ID and a reusable (and therefore vulnerable) password for authentication; because of this it is no longer considered secure. The original TACACS used UDP port 49, and TACACS+ uses TCP port 49. TACACS has generally been replaced by TACACS+ and RADIUS (UDP ports 1812/1813).


CISSP Friday-Five Questions: Well-known ports.

Which port does POP3 normally use?

A POP3 server listens on well-known TCP port 110 (or 995 for POP3 over TLS).

Your organization is using a secure website using https://, which port is used by default?

HTTPS URLs begin with "https://" and use port 443 by default, or alternatively 8443, whereas HTTP URLs begin with "http://" and use port 80 by default.

To upload files using FTP which ports would be the common ports?

FTP uses TCP port 21 for the control connection and, in active mode, TCP port 20 on the server side for the data connection. In passive mode the data connection goes to an ephemeral port the server announces, which is why FTP through a firewall needs a protocol-aware helper or a fixed passive port range.

Which well-known ports do email programs use for POP3, IMAP and SMTP?

SMTP (Simple Mail Transfer Protocol) uses TCP port 25 by default for server-to-server delivery; mail clients submit outgoing mail on TCP port 587 (some providers also accept the unofficial alternative 2525, usually because port 25 is blocked). POP3 (Post Office Protocol, version 3) uses TCP port 110 and IMAP (Internet Message Access Protocol) uses TCP port 143; the TLS-wrapped variants use 995 (POP3S) and 993 (IMAPS).

Using SSH we log into our cloud servers, which port is assigned to SSH?

The well-known TCP port 22 has been assigned for contacting SSH servers.



CISSP – Defense in Depth

  • Defense in Depth – Also called Layered Defense or Onion Defense.
    • We implement multiple overlapping security controls to protect an asset.
    • This applies both to physical and logical controls.
    • To get to a server you may have to go through multiple locked doors, security guards and mantraps.
    • To get to data you may need to get past firewalls, routers, switches, the server itself, and the application's security.
    • Each step may have multiple security controls.
    • No single security control secures an asset; the layers are chosen so that one control's failure is caught by another.
    • By implementing Defense in Depth you improve your organization's Confidentiality, Integrity and Availability.


CISSP – Liability, due diligence and negligence.

  • Liability:
    • If the question is who is ULTIMATELY liable, the answer is Senior Leadership. This does not mean you are not liable; you may be, that depends on Due Care. Who is held accountable, who is to blame, who should pay?
  • Due Diligence and Due Care:
    • Due Diligence – The research to build the IT Security architecture of your organization: best practices, common protection mechanisms, and research of new systems before implementing them.
    • Due Care – Prudent Person Rule – What would a prudent person do in this situation?
      Implementing the IT Security architecture and keeping systems patched. If compromised: fix the issue and notify affected users (follow the Security Policies to the letter).
  • Negligence (and Gross Negligence) is the opposite of Due Care.
    • If a system under your control is compromised and you can prove you did your Due Care you are most likely not liable.
    • If a system under your control is compromised and you did NOT perform Due Care you are most likely liable.

CISSP – Need to know, least privilege and objects/subjects.

  • Least Privilege and Need to know.
    • Least Privilege – (Minimum Necessary Access) Give users/systems exactly the access they need, no more, no less.
    • Need to know – Even if you have access, if you do not need to know, then you should not access the data.
  • Non-repudiation.
    • A user cannot deny having performed a certain action. This combines authentication (we know who the subject was) with integrity (the record of the action has not been altered). In practice it requires evidence only that subject could have produced, such as a digital signature made with their private key; a MAC computed with a key shared with the verifier proves integrity but not non-repudiation, because the verifier could have produced it too.
  • Subject and Object.
    • Subject – (Active) Most often users, but can also be programs – Subject manipulates Object.
    • Object – (Passive) Any passive data (both physical paper and data) – Object is manipulated by Subject.
    • Some can be both at different times: a running program is a subject; when it is not running, its files and data are objects.
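To make the clearance/label question from the Friday-Five and the need-to-know point above concrete, here is an added example (not from the original post) of a mandatory access control decision. The subjects, objects, levels and compartments are constructed; the rules are the Bell-LaPadula confidentiality properties (no read up, no write down) plus compartments, which is how a label carries need-to-know on top of the clearance level.

```python
"""Mandatory access control decision from a subject's clearance and an object's label.

Added example, not from the original post. Sample subjects/objects are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset[str] = frozenset()

    def dominates(self, other: Label) -> bool:
        """Lattice order: at least as high a level AND every compartment of `other`."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass(frozen=True)
class Subject:            # active: a user, or a process acting for one
    name: str
    clearance: Label


@dataclass(frozen=True)
class Object:             # passive: a file, record or message
    name: str
    label: Label


def decide(subject: Subject, obj: Object, action: str) -> tuple[bool, str]:
    """Return (allowed, reason). The system enforces this; the owner cannot override it."""
    if action == "read":
        # Simple security property: the subject's clearance must dominate the label (no read up).
        if subject.clearance.dominates(obj.label):
            return True, "clearance dominates label"
        if LEVELS[subject.clearance.level] < LEVELS[obj.label.level]:
            return False, "read up denied: clearance below object level"
        missing = sorted(obj.label.compartments - subject.clearance.compartments)
        return False, "need-to-know denied: missing compartment(s) " + ", ".join(missing)
    if action == "write":
        # *-property: the object's label must dominate the clearance (no write down, which leaks).
        if obj.label.dominates(subject.clearance):
            return True, "object label dominates clearance"
        return False, "write down denied: object label below clearance or lacks a compartment"
    raise ValueError(f"unknown action {action!r}")


# Constructed sample data.
ALICE = Subject("alice", Label("Secret", frozenset({"PROJ-X"})))
BOB = Subject("bob", Label("Top Secret"))      # higher clearance, but no PROJ-X need-to-know
PROJECT_PLAN = Object("project-x-plan.docx", Label("Secret", frozenset({"PROJ-X"})))
PUBLIC_NOTICE = Object("notice.txt", Label("Unclassified"))
TS_BRIEF = Object("ts-brief.pdf", Label("Top Secret", frozenset({"PROJ-X"})))

if __name__ == "__main__":
    for s, o, a in [(ALICE, PROJECT_PLAN, "read"), (BOB, PROJECT_PLAN, "read"),
                    (BOB, PUBLIC_NOTICE, "write"), (ALICE, TS_BRIEF, "read"),
                    (ALICE, TS_BRIEF, "write")]:
        print(f"{s.name:6} {a:5} {o.name:22} -> {decide(s, o, a)}")
```

The Bob case is the one worth remembering for the exam: a Top Secret clearance does not grant access to a Secret document in a compartment he has not been read into, because the label, not just the level, is what the system compares. Note also that Bell-LaPadula permits Alice to write up into the Top Secret brief; most real systems disallow that for integrity reasons, which is a separate model (Biba).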

CISSP – IAAA (Identification and Authentication, Authorization and Accountability)

  • Identification:
    • Your name, username, ID number, employee number, SSN etc.
    • “I am Thor”.
  • Authentication:
    • “Prove you are Thor”. – Should always be done with Multifactor Authentication!
    • Something you know – Type 1 Authentication (passwords, passphrases, PINs etc.).
    • Something you have – Type 2 Authentication (ID, Passport, Smart Card, Token, cookie on PC etc.).
    • Something you are – Type 3 Authentication (biometrics: fingerprint, iris scan, facial geometry etc.).
    • Somewhere you are – Type 4 Authentication (IP/MAC address).
    • Something you do – Type 5 Authentication (signature, pattern unlock).
  • Authorization
    • What are you allowed to access – We use Access Control models, what and how we implement depends on the organization and what our security goals are.
    • More on this in Domain 5 – Identity and Access Management (DAC, MAC, RBAC, RUBAC)
  • Accountability (also often referred to as Auditing)
    • Trace an action to a subject's identity: prove who or what performed a given action (non-repudiation).
    • This depends on logs that the subjects they record cannot alter; an audit trail a user can edit proves nothing.
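An added example (not from the original post) that ties together the "RSA is asymmetric" answer in the Friday-Five and the non-repudiation point under Accountability: a shared-key HMAC gives integrity, but because the verifier holds the same key it cannot prove to anyone who produced the tag; a signature made with a private key can. It uses only the standard library, so the RSA key pair is a deliberately tiny textbook key built from two fixed primes and the hash is reduced modulo n instead of padded; real code uses 2048-bit keys with RSA-PSS (or Ed25519) from a proper library. The messages, shared key and party names are constructed.

```python
"""Integrity versus non-repudiation: shared-key MAC against an asymmetric signature.

Added example, not from the original post. Demonstration-sized RSA key; do not reuse.
"""
import hashlib
import hmac


# ---- symmetric: HMAC with a key shared by sender and verifier ----------------
def mac_tag(shared_key: bytes, message: bytes) -> bytes:
    return hmac.new(shared_key, message, hashlib.sha256).digest()


def mac_verify(shared_key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(shared_key, message), tag)


# ---- asymmetric: textbook RSA signature (demonstration-sized key) ------------
def rsa_keygen(p: int, q: int, e: int = 65537):
    """Return (public, private) as (n, e) and (n, d); p and q must be distinct primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse of e; Python 3.8+
    return (n, e), (n, d)


def _message_representative(message: bytes, n: int) -> int:
    # Hash the message and map it into Z_n; a real scheme pads (PSS) rather than reducing.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def rsa_sign(private_key, message: bytes) -> int:
    n, d = private_key
    return pow(_message_representative(message, n), d, n)


def rsa_verify(public_key, message: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _message_representative(message, n)


def demo() -> dict:
    """Alice sends Bob a payment order. Who can later prove Alice authorised it?"""
    shared_key = b"secret-shared-by-alice-and-bob"          # constructed
    order = b"Transfer 1000 EUR to account 123"
    altered = b"Transfer 9000 EUR to account 123"

    # Integrity: the tag shows the order was not changed in transit...
    tag = mac_tag(shared_key, order)
    # ...but Bob holds the same key, so Bob can mint a valid tag for any order he likes.
    bob_forgery = mac_tag(shared_key, altered)

    # Non-repudiation: only Alice's private key can produce a signature her public key accepts.
    public, private = rsa_keygen(104729, 1299709)          # the 10,000th and 100,000th primes
    signature = rsa_sign(private, order)
    return {
        "mac_valid": mac_verify(shared_key, order, tag),
        "mac_forged_by_verifier_valid": mac_verify(shared_key, altered, bob_forgery),
        "sig_valid": rsa_verify(public, order, signature),
        "sig_rejects_altered_order": rsa_verify(public, altered, signature),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:30} {result}")
```

The second result is the point: the forged tag verifies, so an HMAC audit trail lets Alice repudiate ("Bob could have written that himself"). The signature cannot be produced without Alice's private key, so a log of signed actions supports accountability in the sense the section describes.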
