CISSP certification: ISC² Code of Ethics.

Before you can take the exam you will agree to the ISC² Code of Ethics, they are also very testable on the certification. Learn them.

  • ISC² Code of Ethics
    • You agree to this before the exam, and the code of ethics is very testable.
    • There are only four mandatory canons in the Code. By necessity, such high-level guidance is not intended to be a substitute for the ethical judgment of the professional.
    • Code of Ethics Preamble:
      • The safety and welfare of society and the common good, duty to our principles, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
      • Therefore, strict adherence to this Code is a condition of certification.
    • Code of Ethics Canons:
      • Protect society, the common good, necessary public trust and confidence, and the infrastructure.
      • Act honorably, honestly, justly, responsibly, and legally.
      • Provide diligent and competent service to principles.
      • Advance and protect the profession.
Continue Reading

CISSP Friday-Five Questions September 1st 2017.

A DDOS attack is meant to disrupt which leg of the CIA Triad?

When we get his by a DDOS (Distributed Denial Of Service), is disrupts our availability, but not integrity or confidentiality.

In the US security breach notification laws are:

Security Breach Notification Laws. NOT Federal, 48 states have individual laws, know the one for your state (none in Alabama and South Dakota). They normally require organizations to inform anyone who had their PII compromised. Many states have an encryption clause where lost encrypted data may not require disclosure.

What is not an example of good multifactor authentication?

Multifactor authentication uses authentication from more than one factor (something you know, are or have). Passwords and usernames are not multifactor, they are both knowledge factors.

Which type of access control models are based on subjects clearance?

MAC - (Mandatory Access Control) is system-enforced access control based on a subject’s clearance and an object’s labels.

Which is an asymmetric form of encryption?

RSA is asymmetric. 3DES, RC6 and Twofish are all symmetric forms of encryption.

Continue Reading

CISSP Friday-Five Questions: Identity and access management.

In a good password policy, which should be allowed?

Passwords should never contain: The name of a pet, child, family member, significant other, anniversary dates, birthdays, birthplace, favorite holiday, something related to a favorite sports team, or the word "password". Winter2017 is not a good password, even if it does fulfil the password requirements. The official recommendations by the U.S. Department of Defense and Microsoft. Password history = set to remember 24 passwords. Maximum password age = 90 days. Minimum password age = 2 days (to prevent users from cycling through 24 passwords to return to their favorite password again). Minimum password length = 8 characters. Passwords must meet complexity requirements = true. Store password using reversible encryption = false.

Type 1 authentication is:

Something you know - Type 1 Authentication: Passwords, pass phrase, PIN etc., also called Knowledge factors. The subject uses these to authenticate their identity, if they know the secret, they must be who they say they are.

Which authentication form is the worst to have compromised, because it can't be changed?

Something you are - Type 3 Authentication (Biometrics): Lost passwords and ID cards can be replaced with new different ones, biometrics can’t. You can't change your fingerprints, once compromised they are always compromised.

PINs, passwords and passphrases are which type of authentication?

Something you know - Type 1 Authentication: Passwords, pass phrase, PIN etc., also called Knowledge factors. The subject uses these to authenticate their identity, if they know the secret, they must be who they say they are.

Which authentication protocol is no longer considered secure?

TACACS (The Terminal Access Controller Access Control System): Centralized access control system requiring users to send an ID and reusable (vulnerable) passwords for authentication, because of this it is no longer considered secure. Uses TCP/UDP port 49. TACACS has generally been replaced by TACACS+ and RADIUS.

Continue Reading

CISSP Friday-Five Questions: Well-known ports.

On which port does POP3 normally use?

A POP3 server listens on well-known port 110.

Your organization is using a secure website using https://, which port is used by default?

HTTPS URLs begin with "https://" and use port 443 by default, or alternatively 8443, whereas HTTP URLs begin with "http://" and use port 80 by default.

To upload files using FTP which ports would be the common ports?

FTP uses TCP port 20 for FTP data transfer and TCP port 21 for FTP control.

Which well-known ports does email programs use POP3, IMAP, and SMTP

SMTP (Simple Mail Transfer Protocol) uses TCP port 25 as default, but can also use port 2525. POP3 (Post Office Protocol, version 3) uses TCP port 110. IMAP (Internet Message Access Protocol) uses TCP port 143.

Using SSH we log into our cloud servers, which port is assigned to SSH?

The well-known TCP port 22 has been assigned for contacting SSH servers.


Continue Reading

CISSP – Defense in Depth

  • Defense in Depth – Also called Layered Defense or Onion Defense.
    • We implement multiple overlapping security controls to protect an asset.
    • This applies both to physical and logical controls.
    • To get to a server you may have to go through multiple locked doors, security guards, man traps.
    • To get to data you may need to get past firewalls, routers, switches, the server, and the applications security.
    • Each step may have multiple security controls.
    • No single security control secures an asset.
    • By implementing Defense in Depth you improve your organizations Confidentiality, Integrity and Availability.

Continue Reading

CISSP – Liability, due diligence and negligence.

  • Liability:
    • If the question is who is ULTIMATELY liable, the answer is Senior Leadership. This does not mean you are not liable; you may be, that depends on Due Care. Who is held accountable, who is to blame, who should pay?
  • Due Diligence and Due Care:
    • Due Diligence – The research to build the IT Security architecture of your organization. Best practices and common protection mechanisms. Research of new systems before implementing.
    • Due Care – Prudent Person Rule – What would a Prudent Person do in this situation?
    • Implementing the IT Security architecture, keep systems patched. If compromised: fix the issue, notify effected users (Follow the Security Policies to the letter).
  • Negligence (and Gross Negligence) is the opposite of Due Care.
    • If a system under your control is compromised and you can prove you did your Due Care you are most likely not liable.
    • If a system under your control is compromised and you did NOT perform Due Care you are most likely liable.
Continue Reading

CISSP – Need to know, least privilege and objects/subjects.

  • Least Privilege and Need to know.
    • Least Privilege – (Minimum Necessary Access) Give users/systems exactly the access they need, no more, no less.
    • Need to know – Even if you have access, if you do not need to know, then you should not access the data.
  • Non-repudiation.
    • A user can not deny having performed a certain action. This uses both Authentication and Integrity.
  • Subject and Object.
    • Subject – (Active) Most often users, but can also be programs – Subject manipulates Object.
    • Object – (Passive) Any passive data (both physical paper and data) – Object is manipulated by Subject.
    • Some can be both at different times, an active program is a subject; when closed, the data in program can be object.
Continue Reading

CISSP – IAAA (Identification and Authentication, Authorization and Accountability)

  • Identification:
    • Your name, username, ID number, employee number, SSN etc.
    • “I am Thor”.
  • Authentication:
    • “Prove you are Thor”. – Should always be done with Multifactor Authentication!
    • Something you know – Type 1 Authentication (passwords, pass phrase, PIN etc.).
    • Something you have – Type 2 Authentication (ID, Passport, Smart Card, Token, cookie on PC etc.).
    • Something you are – Type 3 Authentication (and Biometrics) (Fingerprint, Iris Scan, Facial geometry etc.).
    • Somewhere you are – Type 4 Authentication (IP/MAC Address).
    • Something you do – Type 5 Authentication (Signature, Pattern unlock).
  • Authorization
    • What are you allowed to access – We use Access Control models, what and how we implement depends on the organization and what our security goals are.
    • More on this in Domain 5 – Identity and Access Management (DAC, MAC, RBAC, RUBAC)
  • Accountability (also often referred to as Auditing)
    • Trace an Action to a Subjects Identity:
    • Prove who/what a given action was performed by (non-repudiation).

Continue Reading

CISSP – the CIA Triad and its opposites.

Confidentiality, Integrity and Availability

  • Finding the right mix of Confidentiality, Integrity and Availability is a balancing act.
  • This is really the corner stone of IT Security – finding the RIGHT mix for your organization.
    • Too much Confidentiality and the Availability can suffer.
    • Too much Integrity and the Availability can suffer.
    • Too much Availability and both the Confidentiality and Integrity can suffer.
  • The opposites of the CIA Triad is DAD (Disclosure, Alteration and Destruction).
    • Disclosure – Someone not authorized gets access to your information.
    • Alteration – Your data has been changed.
    • Destruction – Your Data or Systems has been Destroyed or rendered inaccessible.

Continue Reading

CISSP – the CIA Triad – Availability!

We want to keep our System and Data available.

  • We use:
    • IPS/IDS.
    • Patch Management.
    • Redundancy on Hardware Power (Multiple Power Supplies/UPS’/Generators), Disks (RAID), Traffic paths (Network Design), HVAC, Staff, HA (high availability) and much more.
    • SLA’s – How high uptime to we want (99,9%?) – (ROI)
  • Threats:
    • Malicious attacks (DDOS, Physical, System compromise, Staff).
    • Application failures (errors in the code).
    • Component failure (Hardware).

Continue Reading