CISSP Summary

This is my learning guide for preparation of the CISSP exam. It covers the essential information on all relevant domains. I aim to keep it as brief as possible leaving out most of the basics, so some previous knowledeg of IT security is mandatory.

Access Control

Subjects ability to communicate with an object is allowed/denied based on security requirements. It is needed to protect information, computers, networks and all other infrastructure (buildings).

• CIA triad: confidentiality, integrity, availability
• identify relationships between resources (which entities need to be protected) and users (identify who needs access), set access control levels
• least privilege/need to know principle: give minimum access needed only for the tasks they need to perform, default to no access
• separation of duties: distribute tasks/rights/privileges between users, deter fraud, split knowledge
• three authentication factors:
  • knowledge factor: something a person knows (e.g. PIN)
  • ownership factor: something a person possesses (e.g. smart card)
  • characteristic factor: something a person is (e.g. fingerprint)
• password types:
  • standard/simple: single words, upper/lowercase
  • numeric: just numbers
  • combination: mix of dictionary words
  • static: same for each login, insecure
  • complex: upper/lowercase, numbers, special characters
  • passphrase: long phrase
  • cognitive: verify identity via asking series of questions
  • one-time: initial login, discraded after use
  • graphical: CAPTCHA
• manage passwords by limiting life (no. of days), history (prevent re-use), period (session time without activity), complexity, length
• ownership factors: synchronous/asynchronous token (handheld device), memory card (swipe card with auth info, data not protected), smart card (ICCs with a chip, usually protected with PIN)
• physiological systems/biometrics:
  • fingerprint, finger scan (less characteristic than fingerprint)
  • hand geometry, hand topography
  • palm or hand scans
  • facial/retina scans (retina blood vassel pattern)
  • iris scans
  • vascular scans (pattern of veins in hand/face, risk of false rejections)
• behavioral characteristics:
  • signature dynamics (strike speed, pen pressure, acceleration)
  • keystroke dynamics (typing pattern, flight/dwell time)
  • voice pattern/print (sound pattern)
• biometric considerations:
  • enrollment time: time to obtain the sample (# of repetitions)
  • feature extraction: approach to obtain information from sample
  • accuracy
  • throughput rate (shouldn't take longer than 5-10 seconds)
  • acceptability (regarding users)
  • FRR: false rejection rate or Type 1 error
  • FAR: false acceptance rate or Type 2 error (more dangerous)
  • CER: crossover error rate (percentage), when FRR=FAR, most important metric
• most effective: iris scan, retina scan, fingerprint
• highest acceptance: voice pattern, keystrok pattern, signature dynamics
• Directory Services: X.500 (DAP), LDAP, X.400 (generally replaced by SMTP)
• SSO: enter credentials once, access all resources throught the network
• simple to administrate, stronge passwords enforceable, faster access to resources, efficient login, only one password to remember
• single vulnerability affects all systems (esp. hackers)
• Kerberos: SSO system with symmeric crypto, default in Windows Server/Linux/MacOS, central Key Distribution Center is repo for all users/keys
• KDC is single point of failure, needs to scale, session keys need to be protected, Kerberos traffic need to be encrypted, all systems need synchronized clocks, susceptile to password-guessing attacks
• SESAME extends Kerberos, also uses asymmetric crypto and a trusted auth server at each host
• federated identity: portable identity across businesses/domains
• cross-certification: each organization certifies all other organizations as trusted (meet standards), due dilligence
• trusted 3rd üarty/bridge model: each organization subscribes to standards of 3rd party
• security domain: set of resources available to subjects over a networks
• auditing monitors user events and also network/system/application events and keystroke activity
• guidelines:
  • audit log mgmt plan needed (control log size, backup process, review plan)
  • deletion of audit log should be two-man control (two admins), otherwise impossible
  • high-privilege accounts need to be monitored (root/admins)
  • audit trail monitors transactions (who, when, whre and success/failure)
• vulnerability assessment: identify areas of weakness in network, asset priorization
  • personal: review standard practices/procedures
  • physical: facility/perimeter protection
  • system/network: review system, network and network topology
• penetration testing simulates an attack to identify threads
• steps:
  • document info on target system/device
  • gather information on attack methods (e.g. via port scan)
  • identify known vulnerabilities
  • execute attacks to gain privileged access
  • document results, report findings
• strategies:
  • blind test: limited knowledge of system, organization knows that test will happen
  • double-blind test: same, but organizations does not know about test
  • target test: maximum info about network and test on both sides
• knowledge levels:
  • zero: attacker knows nothing on organization's network (closed/black box testing)
  • partial: public knowledge on network
  • full: all details are provided
• access control (AC) categories:
  • compensative: mitigate risks, substitute for primary AC (e.g. two keys for two people)
  • corrective: reduce effect of attack, restore entity (e.g. server images, fire extinguishers)
  • detective: detect attack, e.g. IDS, logs, job rotation
  • deterrent: deter/dicourage attacker e.g. authentication,fences, lighting, NDA
  • directive: acceptable practices within an organization, AUP (acceptable use policy)
  • preventive: locks, badges, encryption, guards, training, ...
  • recovery: restore resources, e.g. backups, offsite facilities
• AC types:
  • administrative (mgmt) controls: soft controls, e.g. supervision, personnel controls, security awareness training
  • logical (technical) controls: restrict access to SW/HW components, e.g. firewalls, passwords, IDS
  • physical controls: protect facilities, e.g. badges, guards, dogs, cabling
• AC models:
  • discretionary AC: owner specifies subjects to access the resource (need-to-know)
  • mandatory AC: auth is based on security labels (only admins may modify), more secure than DAC
  • role-based AC: each subject has 1-n roles, not as secure as DAC+MAC
  • rule-based AC: global rules for all users, uses profiles to control access, often used by routers/firewalls
  • content dependent AC: access determined by data contained within the object
  • context dependent AC: access based on subject/object attributes and environment (e.g. login only at specific time of day)
  • ACM: capabilities table that lists subjects/objects and applicable subject actions
  • ACL: objects column from ACM
• AC threads:
  • passwords: dictionary or brute force
  • social engineering: phishing, shoulder surfing, identity theft
  • DoS/DDoS: flood a device with requests to degrade performance
  • buffer overflow: code injection, avoided by inout validation and regular updates
  • mobile code: SW transmitted across network (JS, applets, ActiveX)
  • malicious software: virus, worm, trojan horse, spyware
  • spoofing: communication from attacker appears to come from trusted source, via IP/link spoofing, man-in-the-middle
  • sniffing/eavesdropping: collect all trabsmitted data from medium
  • emanating: emit electromagnetic signals (shielding)
  • backdoor/trapdoor: unlimited access implemented on purpose

Telecommunications and Network Security

Protect data at rest (storage) and in transit (network). Each layer adds new information but makes no modification to the data received from above.

• OSI model: protocol set, breaks communication process into layers
  • Application (7): receives data from app and provides services (HTTP/DNS/FTP)
  • Presentation (6): standardize formatting of info (MIME/XDR)
  • Session (5): enable communication between service/app on source with service/app on destination (NetBIOS/RTP/TLS/SSL)
  • Transport (4): determine transport protocol and port (TCP/UDP)
  • Network (3): route the packet, e.g. via source/destination address (IP/ARP/ICMP)
  • Data Link (2): determine physical destination address (ATM/SLIP/802.2/Ethernet)
  • Physical (1): turn info into bits and send it (DSL/USB/Bluetooth)
• TCP/IP operates on multiple levels of OSI (conceptual model)
• has Application (7,6,5), Transport (4), Internet (3) and Network Access (2,1) layers
• Three-way-handshake: Establish connection state before the actual data transfer
  1. send packet with SYN flag to create connection
  2. host acknowledges by sending packet with both SYN and ACK
  3. sender completes process by sending packet with ACK flag
• guarantees delivery (resend on failure), sequencing (packets may not arrive in order, therefore sequence number), flow control (receiver may send ACK packets back to trigger slowdown)
• Encapsulation: each layer adds information to header, devices only read the layers they're concerned about
• IP: put source/destination IP in packet to route it
• ICMP: Control Message Protocol, PING to indicate success/failure of communication
• IGMP: Group Mgmt Protocol, needed for multicasting/broadcasting to send to multiple hosts
• POP (Post Office Protocol) / IMAP (Message Access Protocol): app layer protocols for mail retrieval, IMAP allows mail copies on server/client
• SMTP: Simple Mail Transfer Protocol
• ARP: Address Resolution Protocol, resolve destination IP from MAC/IP layer 2 address
• NAT: Network Address Translation, service that changes private IP to public one, usually used for PAT (Port Address Translation) so the entire private network is represented by a single public IP
• DHCP: Dynamic Host Configuration Service, automate assigning IPs to devices
• DNS: Translate IP into computer/domain names
• SHTTP: only encrypts served and submitted data (HTTPS encrypt everything)
• SNMP: Simple Network Management Protocol, retrieve information from network devices
• multicast: one-to-many, broadcast: one-to-all
• systems may communicate synchronously (via clocking) or asynchronously (start/stop bits) to know when a specific communication begins/ends
• baseband uses medium for single transmission, multiple transmission types get different time slots (TDM, Time Division Multiplexing)
• broadband divides medium into different frequencies (FDM, Frequency Division Multiplexing) for simultaneous use (example: DLS - internet and phone work in parallel due to different frequencies)
• distance vector: routers share routing table with neighbour routers on schedule (most traffic), e.g. RIP
• link state: routers share network changes on schedule, e.g. OSPF, IS-IS
• hybrid routing: mixing both types, e.g. EIGRP (Cisco-only)
• VRRP: Virtual Router Redundancy Protocol, provide multiple gateways to clients in case a router dies, multiple physical routers are mapped to it and hosts use it as default gateway
• BGP: Border Gateway Protocol, path vector protocol, used for routing between autonomous systems (internet)
• VLAN: logical subdivisions to segregate ports as if they are in different LANs
• Layer 4 switches provide additional routing above layer 3 to make routing decisions, can be used for QoS by priorizing traffic
• Gateway: acts as control point to entry/exit, performs transformation
• NAS: Network Access Server, controls access to server
• packet firewall: only analyzes the header of a packet for IPs/port numbers
• stateful firewalls also verify proper TCP handshake
• proxy firewalls is a relay between endpoints, makes the connection on behalf of them
• SOCKS: circuit-level firewall without deep packet inspection (application-level proxies do that)
• dynamic packet filtering analyzes both send/return ports and allows variation (via rule)
• kernel proxy firewall analyzes packet at every layer in OSI but remains fast since it does it at lernel layer
• bastion host/firewall is directly connected to internet
• dual-home firewall has two network interfaces (one to internal and one to untrusted network)
• multihomed/three-legged firewall: also connected to DMZ
• DMZ: demilitarized zone, systems that are accessed from untrusted network
• screened host: firewall between final router and internal network / screened subnet: two firewalls, traffic must pass both
• typical applications, protocols and ports:
  • Telnet: TCP/UDP, 23
  • SMTP: UDP, 25
  • HTTP: TCP, 80
  • SNMP: TCP/UDP, 161/162
  • FTP: TCP/UDP, 20/21
  • POP3: TCP/UDP, 110
  • DNS: TCP/UDP, 53
  • DHCP: UDP, 67/68
  • SSH: TCP, 22
  • LDAP: TCP/UDP, 389
• IP classes represent range of addresses, only A-C used for individual NW devices
  • class A: 0.0.0.0-127.255.255.255, Mask 255.0.0.0
  • class B: 128.0.0.0-191.255.255.255, Mask 255.255.0.0
  • class C: 192.0.0.0-223.255.255.255, Mask 255.255.255.0
  • class D: 224.0.0.0-239.255.255.255, used for multicasting
  • class E: 240.0.0.0-255.255.255.255, reserved for research
• address classes for private IPs (not used in internet)
  • class A: 10.0.0.0-10.255.255.255
  • class B: 172.16.0.0-172.31.255.255
  • class C: 192.168.0.0-192.168.255.255
• attenuation limits speed due to (physical) resistance in cables, weakens signal so each cable type has max. length
• Thicknet (10Base5) and Thinnet (10Base2) both run with 10 MBps max but use different connectors
• Twisted Pair contains 4 twisted wires to avoid crosstalk
• RFI: radio interference
• EMI: interference from power lines
• Network topologies: ring, bus, star (central switch), mesh (n:n), hybrid (combination)
• network twisted pair cable categories:
  • Cat3: max. 10 Mbps
  • Cat4: max. 16 Mbps
  • Cat5/Cat5e: max. 100 Mbps
  • Cat6: max. 1 Gbps
  • Cat6e: max. 10 Gbps
• Ethernet implementations:
  • number indicated speed in Mbps, 2/5 indicate Coaxial, T indicated Twisted Pair, X indicated fiber
  • 10Base5: 10 Mbps Coaxial / 100BaseT: 100 Mbps Twisted Pair / 10GBaseT: 10 Gbps Twisted Pair
• Token Ring is proprietary network protocol (IBM) with specific cards, fell from favour due to Ethernet
• FDDI (Fiber Distributed Data Interface) also ring-based protocol for fiber, double-ring for fault tolerance
• Token passing used by Token Ring and FDDI, token is passed around, station can only send once it has a valid one
• CSMA/CD: 802.3 implements Carrier Sense Multiple Access Collision Detection:
  1. Before transmitting, check wire for existing traffic (CS)
  2. when clear, transmit and continue CS
  3. when collision, jam signal for all other devices to NOT transmit, increment retransmission counter
  4. calc random time (random back-off) to wait before retransmit
  5. transmit, repeat
• CSMA/CA: for 802.11 wireless collision can't be detected, so each station must acknowledge each frame has been transmitted
  1. Station A performs CS and continues monitoring for collisions
  2. if transmitting, station A decrements internal countdown (back-off), when it expires it is allowed to send, each station has individual timer
  3. if station A performs CS there is no traffic and timer = 0 it sends the frame
  4. frame goes to AP
  5. AP sends ACK to station A, all other stations are silent
  6. cache queue holds frame and relays it to station B
  7. station B sends ACK to AP, all other stations are silent
• Polling is another contention method, promary device pools others to see whether tehy want to transmit (used in mainframes)
• fiber has single (single beam, goes very far) and multi (several beams, don't go that far) mode
• PBX: Private Branch Exchange, private telephone switch with direct connection to telco provider switch, performs call routing (one outside line / 20 internal phones)
• cloud computing: make resources available in web-based data center
  • IaaS: vendor provides hardware/data center, company installs OS/app systems
  • PaaS: vendor also provides software
  • SaaS: vendor provides entire solution (also application)
• MAN: Metropolitan Area Network, large area like downton of city
• Metro Ethernet: uses Ethernet over wide area
• WAN technologies differ in capacity, cost and availability
• T carriers are dedicated/private lines for a single customer
  • Fractional: 1/24 of T1s, 1 channel, 0.064 Mbps (so customer can purchase a part of T)
  • T1: 1 T1, 24 channels, 1544 Mbps
  • T3: 28 T1s, 672 channels, 44736 Mbps
• E carriers are used in Europe, also three levels (E0 64 Kbps, E1 2048 Mbps, E3 8448 Mbps)
• optical carrier (OC) lines (SONET) are fiber-based links (OC-9 466.56 Mbps, OC-19 933.12 Mbps, OC-48 2488 Gbps, OC-3072 160 Gbps)
• CSU/DSU: Channel Service Unit/Data Service Unit connects LAN to WAN
• circuit switching: use single path for entire transmission, e.g. telephone (ATM)
• packet switching: establish optimal path for each packet (e.g. X.25)
• ATM: Asnychronous Transfer Mode, cell-switching technology, uses same path for communication, predictable
• SMDS: Session Multimegabit Data Service, connectionless packet-switching across public network, replaced by other WAN technologies
• PPP: Point-to-Point Protocol, performs framing/encapsulation of data across connections, layer 2
• HSSI: High Speed Serial Interface: physical implementation of serial interface, layer 1, connects to services like frame relay or ATM
• PSTN: Public Switched Telephone Network, only used for modems/ISDN ion dial-up connections
• SS7: Signaling System 7: setup/control/diconnect call in circuit-switching networks
• SIP: Session Initiation Protocol: used by VoIP to break up call sessions, can operate over TCP/UDP
• SLIP: Serial Line Internet Protocol for dial-up connections, made obsolete by PPP
• ISDN: Integrated Service Digital Network, digital dial-up but faster than analog, can be provisioned with basic rate (BRI, 3 C channels with 64kbps and 1 D channel with 16) or primary rate (23B and one D channel)
• DSL/DASL/HDSL/VDSL: Digital Subscriber Line, HDSL provides T1 speed, VDSL is capableof HDTV and VoIP
• DOCSIS: Data-Over-Cable Service Interface Specifications, standard for cable modems
• VPNs use untrusted carrier network but protect information by strong authentication/encryption
• PPTP: Microsoft protocol based on PPP, uses MS encryption and different authentication methods, only works in IP-based networks
• L2TP: newer protocol, no encryption (usually provided by IPSec, very strong)
• IPSec is suite of protocols for encryption, combines
  • Authentication Header (AH): provide data integrity, origin authentication
  • ESP: Encapsulating Security Protocol: like AH and also data confidentiality
  • ISAKMP: Internet Security Association and Key Management Protocol, creates security association for session, exchanges keys
  • IKE: Internet Key Exchange, provides authentication material used to create keys
• TACACS/RADIUS: protocols for centralized authentication/authorization (central servers), TACACS and TACACS+ are Cisco
• RADIUS is a standard, three components: supplicant (seeks auth), authenticator (device to connect) and RADIUS server (auth server)
• PAP: Password Authentication Protocol, authentication with credentials in clear text (insecure)
• CHAP: Challenge Handshake Authentication Protocol, works via challenge (client/server encrypt random text, decrypt with password so it is not send across the wire)
• EAP: Extensible Authentication Protocol, same components as RADIUS, various implementations (e.g. PKI)
• TLS/SSL: secure connection to server, Application Layer, protect HTTP traffic/servers
• WLAN standard has been amended a few times to add features/functionality
• 802.11a: uses OFDM, 5GHz frequency band, up to 54 Mbps
• WEP is insecure since it uses RC4 algorithm which is easy to crack
• WPA secures WLAN, Personal (preconfigured password) and Enterprise (requires auth server) profiles
  • WPA Personal: Preshared key for AC, TKIP encryption, Michael Integrity
  • WPA Enterprise: 802.1X for AC, TKIP encryption, Michael Integrity
  • WPA2 Personal: Preshared key for AC, CCMP/AES encryption, CCMP integrity
  • WPA2 Enterprise: 802.1X for AC, CCMP/AES encryption, CCMP integrity
• FHSS: Frequency Hopping Spread Spectrum, changes frequencies or channels every few seconds following a pattern transmitter and receiver know, up to 2 Mbps
• DSSS: Direct Sequence Spread Spectrum, modulation technique, spreads transmission across spectrum, up to 11 Mbps
• OFDM: Orthogonal Frequency Division Multiplexing, more advanced modulation, sub-carriersignals carry data across several parallel streams, up to 54 Mbps
• FDMA: Frequency Division Multiple Access, used in 1G, one frequency band for each subscriber
• CDMA: Code Division Multiple Access, unique code to each transmission and spread data across spectrum
• phone cloning: copies of SIM chips in GSM so another user can make calls just like original user
• Infrastructure/ad hoc mode: Infrastructure has Access Point used by all stations (no station-to-station communication), ad hoc is without AP
• Bluejacking: adds business card via message to victims contact list via Bluetooth
• Bluesnarfing: Unauthrized access to device via Bluetooth
• Ping of Death: send oversized ICMP packets, might freeze the victim
• DDOS: Distributed Denial Of Service, DoS by multiple devices (botnet)
• Smurf attack: DoS via ICMP ECHO REQUEST packet from broadcast address, reply goes to multiple hosts
• Ping scanning: ping every IP and keep track of responses
• DNS cache poisoning attack: attacker attempts DNS cache update with a wrong address (fake website)
• DNSSEC: DNS security, validates message source by digital signatures, requires a PKI
• URL hiding: use fake website in embedded url (bad href)
• domain grabbing: register domain as private person with a well-known brand/company name (hostage)
• cybersquatting: register domain with no intent of using them
• email spoofing: fake mail source (message appears to come from valid sender)
• spear phishing: link to site that appears to be "trusted", targeted at specific person (e.g. with help of social media)
• whaling: like spear phishing but even more specific (e.g. CEO)
• wardriving: search for WLAN by riding around with wireless device, when found: use chalk to makr it and its security used (warchalking)
• SYN ACK attack: send many SYN packets, ACK packets in step 3 never come (DoS)
• session highjacking: hacker gets into middle of conversation, tries to take over one session to get all data
• port scan: scan network for open ports via ICMP
• teardrop: maxmimum transmission unit (MTU) may cause packet to be broken fragmented, hacker manipulates these packets to crash target system when it reassembles them
• IP address spoofing: hacker alters IP so it passes firewall/ACL