CISSP certification: Governance vs. Management.

For the certification it is important to know where you are in the organization and answer the questions from that viewpoint.
You are a risk adviser or an IT security manager; answer all questions with that in mind.

  • Governance vs. Management
    • Governance – This is C-level Executives (Not you).
      • Stakeholder needs, conditions and options are evaluated to define:
        • Balanced agreed-upon enterprise objectives to be achieved.
        • Setting direction through prioritization and decision making.
        • Monitoring performance and compliance against agreed-upon direction and objectives.
        • Risk appetite – Aggressive, neutral, averse.
    • Management – How do we get to the destination (This is you).
      • Plans, builds, runs and monitors activities in alignment with the direction set by the governance to achieve the objectives.
      • Risk tolerance – How are we going to practically work with our risk appetite and our environment.

CISSP certification: Top-down Security management and organization structure.

Having top-down IT security leadership in an organization is key to success.
If we do not have the buy-in of senior leadership, we will do a mediocre job at best.

For the CISSP certification questions assume a top-down organization.

In a new survey, (ISC)² finds IT professionals are an underutilized cybersecurity resource.
The largest association of certified cybersecurity professionals enables IT pros to more quickly attain SSCP® certification and bolster their organization’s security posture.

Key findings from surveyed IT professionals include:

  • 43% said their organization doesn’t provide adequate resources for security training.
  • 35% agreed their security suggestions are acted upon.
  • 55% said their organization doesn’t require IT staff to earn a security certification.
  • 63% said their organization has too few security workers.
  • 51% said their systems are less able to defend against a cyberattack compared to a year ago.

Hiring managers rank communication skills (62%) and analytical skills (52%) as their top desired skills for new candidates, while IT pros cite cloud computing and security (64%), and risk assessment and management (40%) as the top skills they believe are needed.


CISSP certification: MAC (Mandatory Access Control)

MAC (Mandatory Access Control): Often used when Confidentiality is most important.

Almost always used in the military or in organizations where confidentiality is very important; rarely used in the private sector (unless in defense contracting).

  • Access to an object is determined by labels and clearance.
  • Labels: Objects have labels assigned to them; the subject's clearance must dominate the object's label.
    • The label is used to allow subjects with the right clearance access to them.
    • Labels are often more granular than just “Top Secret”; they can be “Top Secret – Nuclear”.
  • Clearance: Subjects have clearance assigned to them.
    • Based on a formal decision on a subject's current and future trustworthiness.

The higher the clearance the more in depth the background checks should be.
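The dominance rule above (clearance level at least as high as the object's level, and clearance compartments covering every compartment on the object) is easy to get wrong when labels carry compartments such as “Top Secret – Nuclear”. The following is an added example, not code from the original post; the level ordering, the label string format and the function names are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Assumed hierarchical ordering of sensitivity levels (higher number = more sensitive).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label: one hierarchical level plus zero or more compartments."""
    level: str
    compartments: frozenset = frozenset()


def parse_label(text: str) -> Label:
    """Parse strings like 'Top Secret – Nuclear, Crypto' (format assumed for this example)."""
    parts = [p.strip() for p in text.replace("–", "-").split("-", 1)]
    level = parts[0].upper()
    if level not in LEVELS:
        raise ValueError(f"unknown level: {parts[0]!r}")
    compartments = frozenset()
    if len(parts) > 1:
        compartments = frozenset(c.strip().upper() for c in parts[1].split(",") if c.strip())
    return Label(level, compartments)


def dominates(clearance: Label, label: Label) -> bool:
    """Clearance dominates a label when its level is >= the label's level
    AND it holds every compartment the label names (superset test)."""
    return (LEVELS[clearance.level] >= LEVELS[label.level]
            and clearance.compartments >= label.compartments)


def can_read(subject_clearance: Label, object_label: Label) -> bool:
    """Read access under MAC: granted only if the clearance dominates the object label."""
    return dominates(subject_clearance, object_label)


if __name__ == "__main__":
    # Constructed sample decisions.
    obj = parse_label("Top Secret – Nuclear")
    for clearance_text in ("Top Secret – Nuclear", "Top Secret", "Secret – Nuclear"):
        verdict = "allow" if can_read(parse_label(clearance_text), obj) else "deny"
        print(f"{clearance_text:<22} -> {verdict}")
```

Note that a plain “Top Secret” clearance is denied access to a “Top Secret – Nuclear” object: the level is equal, but the compartment is missing, so the clearance does not dominate the label.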


CISSP certification: RBAC (Role based access control).

RBAC (Role Based Access Control): Often used when data integrity is most important.
Most large organizations use role based access control; your access levels are determined by your job role.

  • Policy-neutral access control mechanism defined around roles and privileges.
  • A role is assigned permissions, and subjects in that role are added to the group; if they move to another position they are moved to the permissions group for that position.
  • It makes administration of thousands of users and tens of thousands of permissions much easier to manage.
  • The most commonly used form of access control.
  • If implemented right it can also enforce separation of duties and prevent authorization/privilege creep.
  • We move employees transferring within the organization from one role to another; we do not just add the new role to the old one.
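The two points that make RBAC work in practice are transferring a user (replace the old role, do not stack the new one on top) and refusing role combinations that break separation of duties. The block below is an added example, not code from the original post; the roles, permissions and conflict pairs are constructed for the illustration.

```python
from collections import defaultdict

# Constructed role -> permission mapping (assumed for this example).
ROLE_PERMISSIONS = {
    "ap_clerk": {"invoice:create"},
    "ap_approver": {"invoice:approve"},
    "hr_analyst": {"employee:read"},
}

# Constructed separation-of-duties rule: no single user may both create and approve invoices.
SOD_CONFLICTS = {frozenset({"ap_clerk", "ap_approver"})}


class RoleStore:
    """Minimal RBAC store: users hold roles, and permissions are derived from roles only."""

    def __init__(self):
        self.user_roles = defaultdict(set)

    def _validate(self, user: str, roles: set) -> None:
        unknown = roles - ROLE_PERMISSIONS.keys()
        if unknown:
            raise KeyError(f"{user}: unknown role(s) {sorted(unknown)}")
        for conflict in SOD_CONFLICTS:
            if conflict <= roles:
                raise ValueError(f"{user}: roles {sorted(conflict)} violate separation of duties")

    def assign(self, user: str, role: str) -> None:
        """Add a role; rejected if the resulting role set breaks separation of duties."""
        proposed = self.user_roles[user] | {role}
        self._validate(user, proposed)
        self.user_roles[user] = proposed

    def transfer(self, user: str, new_role: str) -> None:
        """Internal transfer: the new role REPLACES the old ones (no privilege creep)."""
        self._validate(user, {new_role})
        self.user_roles[user] = {new_role}

    def permissions(self, user: str) -> set:
        """Effective permissions are the union of the user's role permissions."""
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.user_roles[user]))

    def is_permitted(self, user: str, permission: str) -> bool:
        return permission in self.permissions(user)


if __name__ == "__main__":
    store = RoleStore()
    store.assign("alice", "ap_clerk")
    store.transfer("alice", "hr_analyst")          # moved, not added
    print(sorted(store.permissions("alice")))       # only hr_analyst permissions remain
    try:
        store.assign("bob", "ap_clerk")
        store.assign("bob", "ap_approver")          # rejected: clerk + approver conflict
    except ValueError as exc:
        print(exc)
```

The `transfer` method is the point of the example: after Alice moves from accounts payable to HR she can no longer create invoices, which is exactly what additive role assignment would have let her keep.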

CISSP certification: Just launched 4 full 250 question CISSP certification practice exams.

I just published 4 full 250 question CISSP certification practice exams, no repeating questions.
For the launch they are marked down from $75 to $10!
Take the practice test, find your weak areas, study those and then take it again, rinse/repeat as much as needed.
The questions and answers are randomized each time so it will feel like a new exam if you take it multiple times.

CISSP certification: Full 250 question practice test #1 2017
Regular price $75
Special sales price $10

CISSP certification: Full 250 question practice test #2 2017
Regular price $75
Special sales price $10

CISSP certification: Full 250 question practice test #3 2017
Regular price $75
Special sales price $10

CISSP certification: Full 250 question practice test #4 2017
Regular price $75
Special sales price $10


CISSP certification: Subject and object.

In access control, we use the terms subjects and objects. Knowing the difference and what both can do is important for the exam.

Subject – (Active) Most often users, but can also be programs – Subjects manipulate objects.

Object – (Passive) Any passive data (both physical paper and data) – Objects are manipulated by subjects.

It is possible to be both at different times: an active program is a subject; when closed, the data in the program can be an object.


CISSP certification: Risk Analysis terms.

Qualitative vs. Quantitative Risk Analysis.

  • For any risk analysis we need to identify our assets. What are we protecting?
    • Qualitative Risk Analysis – How likely is it to happen and how bad is it if it happens? This is vague, guessing, a feeling, and relatively quick to do. Most often done to know where to focus the Quantitative Risk Analysis.
    • Quantitative Risk Analysis – What will it actually cost us in $? This is fact-based analysis based on the total $ value of the asset; math is involved.
      • Threat – A potentially harmful incident (Tsunami, Earthquake, Virus, … )
      • Vulnerability – A weakness that can allow the Threat to do harm: having a Data Center in the Tsunami flood area, not Earthquake resistant, not applying patches and antivirus, …
      • Risk = Threat x Vulnerability.
      • Impact – Can at times be added to give a more full picture. Risk = Threat x Vulnerability x Impact (How bad is it?).
      • Total Risk = Threat x Vulnerability x Asset Value.
      • Residual Risk = Total Risk – Countermeasures.

IT Security – from Forbes “7 Cybersecurity Questions Every Leader Should Ask”

7 Cybersecurity Questions Every Leader Should Ask

Theresa Payton, former CIO for the White House and current CEO of Fortalice Solutions, a cybersecurity and intelligence consulting firm, identifies the seven cybersecurity questions every business leader should ask.


CISSP Friday-Five Questions September 8th 2017.

What is WORM media?

WORM Media (Write Once Read Many): CD/DVDs can be WORM Media (R), if they are not R/W (Read/Write).

In IaaS who is responsible for the databases?

IaaS - (Infrastructure as a Service) The vendor provides infrastructure up to the OS, the customer adds the OS and up.

Logic bombs will go off when:

Logic Bombs - Malicious code that executes at a certain time or event - they are dormant until the event (IF/THEN). IF Bob is not getting an annual bonus over $10,000, THEN execute malicious code. IF date and time 5/15/18 00:02:12, THEN execute malicious code.

What is polyinstantiation?

Polyinstantiation (Alternative Facts) – Two (or more) instances of the same file depending on who accesses it. The real information may be available to subjects with Top Secret clearance, but different information will be available to staff with Secret or lower clearance.

Cryptanalysis is where we:

Cryptanalysis is the science of breaking encrypted communication. Cryptanalysis is used to breach cryptographic security systems and gain access to the contents of encrypted messages, even if the cryptographic key is unknown. It uses mathematical analysis of the cryptographic algorithm, as well as side-channel attacks that do not target weaknesses in the cryptographic algorithms themselves, but instead exploit weaknesses in their implementation and the devices that run them.
