
CISSP - Study Guide Notes

Chapter 1: Security Governance Through Principles and Policies.

CIA Triad: Confidentiality, Integrity and Availability

● Primary goals and objectives of security are contained within the CIA triad
● Security solutions should address each of these tenets.
● Vulnerabilities and risks are evaluated based on the threat they pose against these
principles.
● Resources are limited, so you have to prioritise security needs according to this triad.
● Confidentiality:
○ A high level of assurance that data, objects, or resources are restricted from
unauthorised subjects. Prevents unauthorised disclosure.
○ Confidentiality while in storage, process, and in transit.
○ Attacks e.g., stealing password files, social engineering, shoulder surfing,
eavesdropping, etc.
○ Can be intentional and directed, or a result of human error/oversight.
○ Countermeasures: encryption, network traffic padding, access control,
authentication procedures, data classification and personnel training.
○ Considerations of confidentiality include:
■ Sensitivity - how sensitive is the data?
■ Discretion - An operator’s decision to control disclosure
■ Criticality - is the information mission critical. If yes, more need to
maintain confidentiality.
■ Concealment -
■ Secrecy
■ Privacy
■ Seclusion - storing something in an out-of-the-way location.
■ Isolation - preventing co-mingling of information.
● Integrity
○ A high level of assurance that the data is unaltered from its original protected
state
○ The object itself is not altered, and the operating system and programming
entities that manage and manipulate the object are not compromised.
○ Alterations should not occur during storage, process, and in transit.
○ Can be examined from 3 perspectives:
■ Preventing unauthorised subjects from making modifications
■ Preventing authorised subjects from making unauthorised modifications,
such as mistakes
■ Maintaining the internal and external consistency of objects so that their
data is a correct and true reflection of the real world, and any relationship
with any child, peer, or parent object is valid, consistent and verifiable.
○ Controls:
■ Restricting access to objects (authentication)
■ Activity logging
■ Oversight
■ Intrusion detection systems
■ Object encryption
■ Hash total verifications
■ Interface restrictions
■ Personnel training
○ Attacks include viruses, logic bombs, unauthorised access, errors in coding and
applications, malicious modification, intentional replacement, and system backdoors.
○ Intentional and unintentional violations (e.g., mistakes)
○ Considerations of integrity:
■ Accuracy
■ Truthfulness
■ Authenticity
■ Validity
■ Nonrepudiation
■ Accountability
■ Responsibility
■ Completeness
■ Comprehensiveness

● Availability
○ Authorised subjects have timely and uninterrupted access to objects
○ High level of assurance that the data, objects and resources are accessible to
authorised subjects
○ Implies:
■ prevention of DoS attacks
■ That supporting infrastructure (including network services,
communications and access control) are functional
○ Threats to availability include:
■ Device failure, software errors, environmental issues.
■ DoS (denial of service) attacks, object destruction, communication
interruptions.
○ Threats can be intentional or unintentional
○ Countermeasures:
■ Designing intermediary delivery systems properly
■ Effective access controls
■ Monitoring performance and network traffic
■ Using firewalls and routers to prevent DoS attacks
■ Redundancy for critical systems
■ Maintaining and testing backup systems.
■ Eliminate single points of failure through use of fault-tolerance features
when planning business continuity

How Identification works.

● The process by which a subject professes an identity; this is also the point at which
accountability is initiated.
● A subject must provide an identity to a system to start the process of authentication,
authorization and accountability (AAA).
● Correlation of a subject with an authentication factor.
● Once identified, the identity is accountable for further actions by that subject. IT systems
track identities, not subjects themselves.
● Claiming an identity doesn’t imply access or authority. The identity must be proven or
verified before access to controlled resources is allowed. This process is authentication.
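As an added illustration (not part of the study notes), a small Python access-request flow that walks through identification, authentication, authorization and accountability in that order; the user store, password, roles and permission table are constructed for the example:

```python
import hashlib
import hmac

# Constructed example data (not from the study guide): one identity with a
# salted PBKDF2 password hash and a single role.
ITERATIONS = 50_000
SALT = b"constructed-salt"


def hash_password(password: str, salt: bytes = SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


USERS = {"alice": {"pw_hash": hash_password("correct horse"), "roles": {"reader"}}}
PERMISSIONS = {"reader": {"read"}, "editor": {"read", "write"}}
# Dummy hash so an unknown identity costs the same time as a wrong password.
DUMMY_HASH = hash_password("unused")
# Systems track identities, not subjects, so the audit log keys on the claimed identity.
AUDIT_LOG: list = []


def access_request(claimed_identity: str, password: str, action: str, resource: str) -> str:
    """Return 'allowed', 'authentication_failed' or 'authorization_denied'."""
    # 1. Identification: the subject professes an identity. Accountability starts
    #    here, so the claim is recorded even if it is never proven.
    record = {"identity": claimed_identity, "action": action, "resource": resource}
    user = USERS.get(claimed_identity)
    # 2. Authentication: the claim must be proven before any access decision.
    stored = user["pw_hash"] if user else DUMMY_HASH
    if not hmac.compare_digest(hash_password(password), stored) or user is None:
        record["outcome"] = "authentication_failed"
        AUDIT_LOG.append(record)
        return record["outcome"]
    # 3. Authorization: a proven identity still gets only what its roles permit.
    allowed = set().union(*(PERMISSIONS.get(r, set()) for r in user["roles"]))
    record["outcome"] = "allowed" if action in allowed else "authorization_denied"
    # 4. Accountability: every decision is attributable to the identity that made it.
    AUDIT_LOG.append(record)
    return record["outcome"]


if __name__ == "__main__":
    for args in [("alice", "correct horse", "read", "doc1"),
                 ("alice", "correct horse", "write", "doc1"),
                 ("alice", "wrong", "read", "doc1"),
                 ("mallory", "anything", "read", "doc1")]:
        print(args[0], args[2], "->", access_request(*args))
```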

The process of authentication.

How authorization fits into a security plan.

Security governance.

The auditing process.

The importance of accountability.

Nonrepudiation.

Security Management planning.

Elements of a formalized security policy structure.

Key security roles.

Implementing security awareness training.

How layering simplifies security.

Abstraction.

Data hiding.

The need for Encryption.

Change control and change management.

How and why we classify data.

Importance of Declassification.

COBIT - Control Objectives for Information and Related Technology.

Threat modeling (basics).

Understanding the need for security-minded acquisitions.
