CISSP certification: Subject and object.

In access control, we use the terms subjects and objects. Knowing the difference and what both can do is important for the exam.

Subject – (Active) Most often users, but can also be programs – Subjects manipulate objects.

Object – (Passive) Any passive data (both physical paper and digital data) – Objects are manipulated by subjects.

It is possible to be both at different times: an active program is a subject; when closed, the data in the program can be an object.


CISSP certification: Risk Analysis terms.

Qualitative vs. Quantitative Risk Analysis.

  • For any risk analysis we need to identify our assets. What are we protecting?
    • Qualitative Risk Analysis – How likely is it to happen and how bad is it if it happens? This is vague, guessing, a feeling and relatively quick to do. Most often done to know where to focus the Quantitative Risk Analysis.
    • Quantitative Risk Analysis – What will it actually cost us in $? This is fact-based analysis, total $ value of the asset, math is involved.
      • Threat – A potentially harmful incident (Tsunami, Earthquake, Virus, … )
      • Vulnerability – A weakness that can allow the Threat to do harm. Having a Data Center in the Tsunami flood area, not Earthquake resistant, not applying patches and anti-virus, …
      • Risk = Threat x Vulnerability.
      • Impact – Can at times be added to give a fuller picture. Risk = Threat x Vulnerability x Impact (How bad is it?).
      • Total Risk = Threat x Vulnerability x Asset Value.
      • Residual Risk = Total Risk – Countermeasures.

IT Security – from Forbes “7 Cybersecurity Questions Every Leader Should Ask”

7 Cybersecurity Questions Every Leader Should Ask

Theresa Payton, former CIO for the White House and current CEO of Fortalice Solutions, a cybersecurity and intelligence consulting firm, identifies the seven cybersecurity questions every business leader should ask.


CISSP Friday-Five Questions September 8th 2017.

What is WORM media?

WORM Media (Write Once Read Many): CD/DVDs can be WORM Media (R), if they are not R/W (Read/Write).

In IaaS who is responsible for the databases?

IaaS - (Infrastructure as a Service) The vendor provides the infrastructure up to the OS; the customer adds the OS and everything above it, so the databases are the customer's responsibility.

Logic bombs will go off when:

Logic Bombs - Malicious code that executes at a certain time or event - they are dormant until the event (IF/THEN). IF Bob is not getting an annual bonus over $10,000, THEN execute malicious code. IF date and time 5/15/18 00:02:12, THEN execute malicious code.

What is polyinstantiation?

Polyinstantiation (Alternative Facts) – Two (or more) instances of the same file depending on who accesses it. The real information may be available to subjects with Top Secret clearance, but different information will be available to staff with Secret or lower clearance.

Cryptanalysis is where we:

Cryptanalysis is the science of breaking encrypted communication. Cryptanalysis is used to breach cryptographic security systems and gain access to the contents of encrypted messages, even if the cryptographic key is unknown. It uses mathematical analysis of the cryptographic algorithm, as well as side-channel attacks that do not target weaknesses in the cryptographic algorithms themselves, but instead exploit weaknesses in their implementation and the devices that run them.


CISSP & IT security: Equifax data breach with close to 60% of all US adults compromised (143 million).

Equifax Inc. (NYSE: EFX) announced on 9/7 a cybersecurity incident potentially impacting 143 million U.S. residents.

The attackers exploited a website application vulnerability and gained access to certain files.

Based on Equifax’s investigation, the attackers had access from mid-May through the end of July 2017.

The criminals gained access to people's names, addresses, birth dates, Social Security numbers and in some cases driver's license numbers.
Other than the obvious questions on how this could happen and how to protect your identity online if you were exposed, it also raises some other questions.

#1: Equifax offers credit monitoring (one of their key services) to anyone affected by the breach, but only for 1 year.
You will be vulnerable a lot longer than that from the breach. Is this just a smart up-sell?
You also waive your rights to sue Equifax if you get the protection, unless you write them within 30 days letting them know you want to opt out of the “no sue” clause.

#2: After the breach the Equifax Chairman and CEO, Richard F. Smith, said “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”
This is almost as ham-fisted as the BP CEO explaining how he had to cut his vacation short and no one was as affected by the Gulf oil spill as he was.
Equifax lost 58% of the adult US population's names, addresses, birthdays and Social Security numbers and you think you are a leader in protecting data?!?

#3: The breach was detected in July, in August Equifax bought the “sign up here if you were compromised” website and in September they told the press.
Why did it take that long to tell anyone about the breach?
From the discovery to the disclosure, the attackers could have made 100,000s of fake credit cards and bank accounts; they can have ruined many lives because Equifax waited almost 6 weeks to disclose the breach.

#4: 3 Senior Executives sold close to 1.8 million USD in Equifax stock (these were non-planned sales) just days before the public was told about the breach, but over 5 weeks after Equifax knew about the breach.

Supposedly they did not know about the breach, I just really doubt the CFO wakes up one morning and decides to sell $1,000,000 of stock that wasn’t planned and then a few days later “Oh by the way we were breached 6 weeks ago”.
Chief Financial Officer John Gamble sold stock for $946,374.
U.S. Information Solutions President Joseph Loughran sold stock for $584,099.
Consumer Information Solutions President Rodolfo Ploder sold stock for $250,458.
How can or will anyone ever trust Equifax with their data?


CISSP certification: Quantitative Risk Analysis.

  • Quantitative Risk Analysis – We want exactly enough security for our needs.
    • We find the asset’s value: how much of it is compromised, how much one incident will cost, how often the incident occurs and how much that is per year.
    • Asset Value (AV) – How much is the asset worth?
    • Exposure Factor (EF) – Percentage of the Asset Value lost?
    • Single Loss Expectancy (SLE) – (AV x EF) – What does it cost if it happens once?
    • Annual Rate of Occurrence (ARO) – How often will this happen each year?
    • Annualized Loss Expectancy (ALE) – (SLE x ARO) – This is what it costs per year if we do nothing.
    • Total Cost of Ownership (TCO) – The mitigation cost: upfront + ongoing cost (normally operational).
  • Laptop – Theft/Loss (unencrypted).
    • The Laptop ($1,000) + PII ($9,000) per loss (AV).
    • It is a 100% loss, it is gone (EF).
    • Loss per laptop is $10,000 (AV) x 100% (EF) = $10,000 (SLE).
    • The organization loses 25 laptops per year (ARO).
    • The annualized loss is $250,000 (ALE).
  • Data Center – Flooding
    • The Data Center is valued at $10,000,000 (AV).
    • If a flooding happens 15% of the DC is compromised (EF).
    • Loss per flooding is $10,000,000 (AV) x 15% (EF) = $1,500,000 (SLE).
    • The flooding happens every 4 years = 0.25 (ARO).
    • The annualized loss is $375,000 (ALE).
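The SLE/ALE arithmetic above, carried through in code as an added example (not from the original post), with the two scenarios from the post and a cost/benefit check against a safeguard's TCO. The $200-per-laptop-per-year encryption safeguard and its effect on the asset value are constructed assumptions, not figures from the post.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    name: str
    asset_value: float      # AV: what the asset is worth, in $
    exposure_factor: float  # EF: fraction of AV lost per incident (0.0 - 1.0)
    aro: float              # ARO: expected incidents per year

    def __post_init__(self) -> None:
        # Guard against the common slip of passing EF as a percentage (15 instead of 0.15).
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: cost of one incident (AV x EF)."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy: cost per year if we do nothing (SLE x ARO)."""
        return self.sle * self.aro


def safeguard_value(before: RiskScenario, after: RiskScenario, annual_tco: float) -> float:
    """Yearly value of a safeguard: ALE reduction minus its yearly cost (TCO).

    Positive means the control pays for itself; negative means the mitigation
    costs more per year than the risk it removes.
    """
    return before.ale - after.ale - annual_tco


# Scenarios taken from the post.
LAPTOP = RiskScenario("Unencrypted laptop theft/loss", asset_value=10_000, exposure_factor=1.0, aro=25)
DATA_CENTER = RiskScenario("Data center flooding", asset_value=10_000_000, exposure_factor=0.15, aro=0.25)

# Constructed assumption: full-disk encryption removes the $9,000 PII exposure,
# leaving only the $1,000 hardware loss, and costs $200 per laptop per year for 25 laptops.
LAPTOP_ENCRYPTED = RiskScenario("Encrypted laptop theft/loss", asset_value=1_000, exposure_factor=1.0, aro=25)
ENCRYPTION_TCO = 200 * 25

if __name__ == "__main__":
    for s in (LAPTOP, DATA_CENTER):
        print(f"{s.name}: SLE=${s.sle:,.0f} ALE=${s.ale:,.0f}")
    print(f"Encryption is worth ${safeguard_value(LAPTOP, LAPTOP_ENCRYPTED, ENCRYPTION_TCO):,.0f} per year")
```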

CISSP certification: Book recommendations.

When choosing the books you use for your CISSP certification I think it is important to understand your own skill level and how much knowledge you need to both pass the certification and, ultimately, do your job well as an IT security professional.

For people with some IT security experience I would suggest these 2 books; they are missing all the fluff the full guides have, and this is exactly what you need for the CISSP certification and no more.

CISSP Study Guide, Third Edition(Paperback)
by Eric Conrad, Seth Misenar, Joshua Feldman

Eleventh Hour CISSP®, Third Edition: Study Guide (Paperback)
by Eric Conrad, Seth Misenar, Joshua Feldman

For people with limited or no IT security experience I would suggest either or both of these books; on top of the CISSP knowledge they also have fuller and more in-depth general IT security knowledge.

CISSP All-in-One Exam Guide, Seventh Edition (Hardcover)
by Shon Harris, Fernando Maymi

CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide (Paperback)
by James M. Stewart, Mike Chapple, Darril 


CISSP certification: Free full CISSP practice exam on – until 9/13-17

I just made one of my CISSP full 250 question practice exams completely free for a few days!

This is a full CISSP practice exam: it has 250 questions just like the exam and the domains are weighted at the same percentages as well.

The exam has 8 domains that make up the CISSP CBK (Common Body of Knowledge):
Security and Risk Management – 16%
Asset Security – 10%
Security Engineering – 12%
Communications and Network Security – 12%
Identity and Access Management – 13%
Security Assessment and Testing – 11%
Security Operations – 16%
Software Development Security – 10%

At the end of the practice exam you can see the total % score and a weighted % score for each of the 8 domains; you can also review each question and sort by knowledge area, correct answers, wrong answers, skipped questions and questions marked for review.

To pass the exam you need the knowledge to pass (obviously), but that is not enough.

Understand and answer every question from a Manager's or a Risk Advisor's point of view, NOT C-level or as a techie.

Spot the keywords (non-repudiation, public key, …) and the indicators (Not, Most, First).

It is a LONG exam, you have 6 hours to answer 250 questions and I suggest multiple passes.

Mark for review and revisit the questions you are not sure about, but make sure to check an answer; even if you have no clue, a 25% chance is better than 0%.

Eliminate wrong answers: If they ask about encryption and the answers are DES, AES, Sprinkler systems, the OSI model, you can safely eliminate Sprinkler and OSI; you are now at a 50% chance of a right answer.

Do some practice tests like this one, do the full 6 hours and 250 questions to see how you handle it; this is as much mental stamina and reading the questions right as it is the actual knowledge.

You can take this test as many times as you want; the questions and the answer order are randomized. I would suggest 80%+ right answers consistently on all domains using multiple practice tests before booking the exam.

Take the practice test, find your weak areas, study those and then take it again, rinse/repeat as much as needed.

On this practice test you can see your progress, it saves the previous attempts.


CISSP certification: Qualitative Risk Analysis.

  • Qualitative Risk Analysis – How likely is it to happen and how bad is it if it happens? This is vague, guessing, a feeling and relatively quick to do. Most often done to know where to focus the Quantitative Risk Analysis.
    • Qualitative Risk Analysis with the Risk Analysis Matrix.
      • Pick an asset: A laptop.
      • How likely is one to get stolen or left somewhere?
        I would think Possible or Likely.
      • How bad is it if it happens?
        That really depends on a couple of things:
        • Is it encrypted?
        • Does it contain Classified or PII/PHI content?
      • Let’s say it is Likely and a Minor issue; that puts the loss in the High Risk category.
      • It is normal to move High and Extreme on to Quantitative Risk Analysis. If mitigation is implemented, we can maybe move the risk level to “Low” or “Medium”.

CISSP certification: Access Control Defensive Categories and Types:

  • Access Control Types (Many can be multiple types – On the exam look at the question content to see which type it is).
    • Preventative:
      • Prevents an action from happening – Least Privilege, Drug Tests, IPSs, Firewalls, Encryption.
    • Detective:
      • Controls that detect during or after an attack – IDSs, CCTVs, Alarms, Anti-virus.
    • Corrective:
      • Controls that correct an attack – Anti-virus, Patches, IPSs.
    • Recovery:
      • Controls that help us recover after an attack – DR Environments, Backups, HA Environments.
    • Deterrent:
      • Controls that deter an attack – Fences, Security Guards, Dogs, Lights, Beware of the dog signs.
    • Compensating:
      • Controls that compensate for other controls that are impossible or too costly to implement.