
MGT414 SANS Training for the CISSP ® Certification Exam

CISSP Cram Session


https://mgt414.com #MGT414

Eric Conrad
econrad@gmail.com
Twitter: @eric_conrad
CISSP-CAT: COMPUTERIZED ADAPTIVE TESTING

CISSP exam now adaptive


• Adaptive means the questions received are chosen based upon your
performance and the total number of questions can vary
Test-taking fatigue not as significant due to time/question
reduction:
Time: 3 hours (previously 6 hours)
Questions: 100-150 questions
• "Each candidate will receive 25 pre-test, or unscored items, as part of the
minimum length examination"1
• Types of questions (multiple choice, scenario, etc.) unchanged

MGT414 | SANS Training Program for CISSP® Certification 2


ADAPT AND OVERCOME

"After each item is answered…selection algorithm determines the next item to
present to the candidate with the expectation that a candidate should have
approximately a 50% chance of answering that item correctly."1
Successful students will likely perceive the adaptive exam to be more
difficult than the previous format
Testing strategy implications:
• No ability to review questions after submission
• Earlier questions extremely important and warrant outsized attention/care
"Spending more time and attention on the first five or ten items on a computer
adaptive test will improve an examinee’s final ability estimate."2



THE MINDSET OF THE CISSP EXAM

1. Safety is the most important concept (human life comes before property, systems, or data)


2. Ethics are critical
• Protect society, the common good, necessary public trust and
confidence, and the infrastructure
• Act honorably, honestly, justly, responsibly, and legally
• Provide diligent and competent service to principals
• Advance and protect the profession1
3. Business continuity: protect the organization
4. Increase profits by reducing the risk of financial loss2



OVERVIEW OF THE 8 DOMAINS

1. Security and Risk Management


2. Asset Security
3. Security Architecture and Engineering
4. Communication and Network Security
5. Identity and Access Management
6. Security Assessment and Testing
7. Security Operations
8. Software Development Security



SECURITY OBJECTIVES

Manage and reduce risk across all three areas of


security:
• Confidentiality
• Integrity
• Availability
Must focus on all three but important to put the
three core areas in priority order



CIA TRIAD: THREE KEY CYBERSECURITY TENETS

INFOSEC sits at the center of the triad; each tenet is paired with the failure it guards against:

• Confidentiality (vs. Disclosure): Only shared among authorized persons or organizations.
• Integrity (vs. Alteration): Authentic and Complete. Sufficiently Accurate. Trustworthy and Reliable.
• Availability (vs. Destruction): Accessible when needed by those who need it.



CONCEPTS AND TERMINOLOGY

• Confidentiality ≠ disclosure
• Integrity ≠ alteration
• Availability ≠ destruction
• Identification
• Authentication
• Authorization
• Accountability

(In these cases, "not equals" means "logical opposite.")


CONFIDENTIALITY, INTEGRITY, AVAILABILITY, AND PRIVACY (1)

Confidentiality
• Confidentiality aims to prevent the unauthorized disclosure of
information
• Secrets remain secret while confidentiality is maintained
Integrity
• Integrity focuses on prevention of unauthorized modification of
assets
• Applies to both data and systems
• Malware installation would be a violation of a system's integrity
CONFIDENTIALITY, INTEGRITY, AVAILABILITY, AND PRIVACY (2)

Availability
• Availability ensures required access to resources remains
possible
• Ransomware and denial of service (DoS) attacks represent
obvious breaches of availability
Privacy
• Confidentiality and protection of personally identifiable
information



IDENTIFICATION, AUTHENTICATION, AUTHORIZATION, AND ACCOUNTING (1)

Identification
• Identification provides a weak and unproven claim of identity
• Providing a username would be an example of identification
• Requires proof (authentication) prior to being granted access
(authorization) to controlled data.
Authentication
• Authentication serves as proof a user's identity claim is legitimate
• Strong authentication implies higher integrity means of proof
and/or multiple methods of proof



IDENTIFICATION, AUTHENTICATION, AUTHORIZATION, AND ACCOUNTING (2)

Authorization
• Authorization proceeds after successful authentication and
determines what the authenticated user can do
Accounting
• Accounting (also known as Accountability) details the
interactions performed by individuals
• Audit logs could be generated allowing users to be held
accountable for their documented actions



TYPES OF AUTHENTICATION

There are four main categories of authentication:

• Something you know (passwords or phrases)
• Something you have (such as a token, smart card, or badge)
• Something you are (biometrics: fingerprints, retina scans, voice,
palm scans, hand geometry)
• Someplace you are (such as GPS)

Using two of these categories is known as two-factor authentication;
two or more is multi-factor authentication. Two methods from the same
category (a password plus a PIN, for example) still count as a single factor
PRINCIPLE OF LEAST PRIVILEGE

Principle of Least Privilege (PoLP) may also be known as


Minimum Necessary Access
• Fundamental principle of security
Mandates individuals only be granted access necessary to
perform their required functions
• Any additional rights, permissions, privileges, or entitlements
would violate this principle
o And would add unnecessary risk to the organization
Sounds easy and straightforward, but is difficult to do well



SEPARATION OF DUTIES

Goal of Separation of Duties is to limit risk associated with critical


functions/transactions
• Risk is mitigated by requiring two parties to perform what one person could
Requiring multiple individuals to sign off/agree introduces a check
• Separation of Duties serves as a check on excessive authority
Commonly associated with large financial transactions and nuclear
subs
• Hope is to require collusion to perpetrate fraud



ROTATION OF DUTIES

• Another policy for fraud deterrence/detection is a rotation of


duties or job rotation policy
• Goal is to force other people to be in charge of carrying out key
tasks
o In doing so, they could detect anomalies in the process associated with
fraud
• Common way of detecting fraud associated with printing excess
payroll checks
o Separation of duties could also assist



DUE CARE AND DUE DILIGENCE

Due Care: Acting as any reasonable person would


• Important concept to the legal matter of negligence, and therein
potential liability
• Sometimes referred to as Prudent Man Rule
Due Diligence: Practices or processes that ensure the
decided upon standard of care is maintained



ACCESS CONTROL MEASURES

Major types of controls:
• Preventive
• Detective
• Corrective
• Deterrent
• Recovery
• Compensating
Implemented across:
• Administrative (aka directive)
o Background checks
o Policies and procedures
• Technical
o Encryption
o Smart cards
• Physical
o Locks
o Securing laptops
o Securing magnetic media
o The protection of cable



RISK MANAGEMENT

• Security is fundamentally about risk


• Goal of Risk Management is to ensure that risks are confined to an
acceptable level
o Obviously, must know risks to ensure they are acceptable
• Perform Risk Analysis to determine risks
o Countermeasure selection performed to reduce risks to an acceptable level



RISK ANALYSIS

• Simple Risk Formula:
o Risk = Threat x Vulnerability
o Typically using numbers from 0 to 5
o Remember that anything times zero is zero: no threat, or no vulnerability, means no risk
• Risk Analysis is the process of applying this formula to each threat/vulnerability pair
• Goal: Determine where the level of risk is unacceptable
o Select appropriate countermeasures
• Two primary approaches to Risk Analysis: Quantitative and
Qualitative risk analysis



RISK CAN BE COUNTERINTUITIVE

• Which has higher risk due to damage from an earthquake?


o Data center in Boston
o Data center in San Francisco
• San Francisco:
o Threat: 4 (active earthquake zone)
o Vulnerability: 2 (strong seismic building codes)
o Risk == 4 x 2 == 8
• Boston:
o Threat: 2 (much less active earthquake zone)
o Vulnerability: 4 (no seismic building codes until the mid-1970s)
o Risk == 2 x 4 == 8



QUANTITATIVE RISK ANALYSIS

• Typically, more desirable than qualitative from a business


standpoint
• Attempts to provide precise numerical values to risk statements
o Honest calculations can be cumbersome
• Risk generally tied directly to monetary impacts
o Impact due to threat exploiting a vulnerability



QUANTITATIVE RISK MANAGEMENT: KEY FORMULAS

• Asset Value (AV): The value of the asset
• Exposure Factor (EF): % of asset value (AV) at risk due to a threat
• Single Loss Expectancy (SLE): Asset Value (AV) x Exposure Factor (EF)
• Annualized Rate of Occurrence (ARO): Frequency of threat occurrence per year
• Annualized Loss Expectancy (ALE): Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO)



QUANTITATIVE RISK ANALYSIS EXAMPLE

• You are an information security manager for mgt414.com. Your network has
suffered repeated Denial of Service attacks against your internet web
servers, using malformed web requests from thousands of IP addresses,
resulting in extended outages that resulted in lost online sales.
• Your company makes $1,000,000 profit in online sales per year, and each
DoS attack costs you 2% of those profits. You see an average of six
such attacks per year
• Your staff have identified a cloud-based Web Application Firewall (WAF)
service that will completely mitigate this issue. The service costs $40,000
per year, and will require an additional $10,000 per year in staff costs to
maintain
• Is this a wise purchase?



LET'S RUN THE NUMBERS

• Asset Value (AV): $1,000,000 per year


• Exposure Factor (EF): 2%
• Single Loss Expectancy (SLE) == AV x EF: $20,000
• Annualized Rate of Occurrence (ARO): 6
• Annualized Loss Expectancy (ALE) == SLE x ARO == $120,000
• Total Cost of Ownership (TCO) of WAF == $50,000 (annual cost
+ maintenance)
• Return on Investment == $120,000 (ALE avoided) - $50,000 (TCO) ==
$70,000 per year
o The WAF is expected to eliminate the attacks, so the benefit is the
full ALE; a control that only reduces the ALE earns the difference
between the ALE before and after it is in place
• This is a wise investment
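The calculation above, generalised to a countermeasure that only partly reduces the loss, as an added worked example in Python. This is not code from the slides: the WAF figures are the slide's, but the Countermeasure class, the mitigation fraction, and the residual-ALE step (ALE after the control is in place) are assumptions made here.

```python
"""Quantitative risk analysis: SLE, ALE and the value of a countermeasure.

Added worked example (not from the slide deck). The mgt414.com WAF numbers
are the slide's; the generalisation to a control that removes only part of
the ALE (residual ALE) is an assumption added here.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is a fraction of the asset value (0.02 for 2%)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO is how many times per year the threat is realised."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float        # licence/service cost per year
    annual_staff_cost: float  # ongoing operating cost per year
    mitigation: float         # fraction of the ALE it removes (1.0 = eliminates)

    @property
    def tco(self) -> float:
        """Total cost of ownership per year (service cost plus staff cost)."""
        return self.annual_cost + self.annual_staff_cost


def countermeasure_value(ale_before: float, control: Countermeasure) -> dict:
    """Figures a decision maker needs: ALE after the control, the annual
    benefit (ALE reduction) and the net value (benefit minus TCO).
    A positive net value means the control pays for itself."""
    if not 0.0 <= control.mitigation <= 1.0:
        raise ValueError("mitigation must be between 0 and 1")
    ale_after = ale_before * (1.0 - control.mitigation)
    benefit = ale_before - ale_after
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "tco": control.tco,
        "net_value": benefit - control.tco,
        "worthwhile": benefit > control.tco,
    }


def waf_scenario() -> dict:
    """The mgt414.com example: $1M at 2% per attack, six attacks a year,
    a WAF that eliminates the attacks for $40k + $10k per year."""
    sle = single_loss_expectancy(asset_value=1_000_000, exposure_factor=0.02)
    ale = annualized_loss_expectancy(sle, aro=6)
    waf = Countermeasure("cloud WAF", annual_cost=40_000,
                         annual_staff_cost=10_000, mitigation=1.0)
    return countermeasure_value(ale, waf)


if __name__ == "__main__":
    for key, value in waf_scenario().items():
        print(f"{key:>10}: {value}")
```

The same function answers the harder question the slide does not pose: a cheaper control that only cuts the attacks by 30% would avoid $36,000 of the $120,000 ALE for the same $50,000 TCO and is not worth buying.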
QUALITATIVE ANALYSIS

• Qualitative Analysis
o Not as overtly tied to dollar amounts associated with potential losses
o Considerably easier to calculate for most environments
• Businesses might not consider as valuable because of the lack of
explicit dollar amounts
• Very useful for prioritization of risks to be addressed



QUALITATIVE RISK MATRIX

• A common approach to Qualitative Risk Analysis is to build a risk
matrix, such as the one seen here
• Especially common in Vulnerability Analysis

                      IMPACT
LIKELIHOOD      Low    Medium    High
High             3       4        5
Medium           2       3        4
Low              1       2        3



QUALITATIVE VS. QUANTITATIVE RA

Quantitative Advantages:
• Tied to $$$
• More likely to sway stakeholders
• Not as subjective
• Established practices and calculations

Qualitative Advantages:
• Easier to perform
• Yield rapid results
• Great for prioritizing
• Strong starting point



EXCESSIVE RISK

Excessive risk does not necessarily mean a lot of risk


• Simply means that the level of risk is unacceptable to the decision
makers
Once determined that the risk exceeds acceptable levels,
the organization must determine how to proceed



RISK MITIGATION

The most obvious approach to excess risk is to attempt to


reduce the risk to an acceptable level
• Risk Mitigation is taking actions that decrease the risk
• Not the only approach that can be taken in light of excess risk
This is the route that security professionals typically expect
businesses to go



RISK AVOIDANCE

• Risk Avoidance sounds a bit trite but is a legitimate
response
• Risk Avoidance typically involves deciding not to move
forward with a project that introduces the risk
• Typically occurs when the Annualized Loss Expectancy
(ALE) a potential new project would add is large enough
that the project is projected to have a negative Return
on Investment (ROI)
• Could also involve decommissioning a deployed system



TRANSFERRING RISK

• Risk Transfer, also known as Risk Sharing, involves a third party


to help address excess risk
o The most common type of Risk Transfer is the purchase of insurance to
pay in the event of a loss
• Another approach to Risk Sharing is to outsource the risky
system or application to a third party
• The outsourcer could have infrastructure such that a loss is less
likely
o Or, the loss could be covered by a Service Level Agreement in a way
similar to insurance



ACCEPTING RISK

There will always be residual risk


• Even after additional countermeasures are employed, some level
of risk will likely remain
Ultimately, some risk must be accepted
• Either this occurs explicitly and formally
• Or risk acceptance is implicit
Choosing not to employ additional avoidance, transfer, or
mitigation measures is also risk acceptance



CONTROL IDENTIFICATION

Must identify controls/countermeasures before they can be


selected
Before identifying additional controls
• First, identify existing controls
• Review current controls to see if they can be bolstered without
significant CAPEX (capital expenditure) or OPEX (operational
expenditure)
Also, identify additional countermeasures that could
possibly mitigate risk



CONTROL/COUNTERMEASURE SELECTION

• ROI is typically easier to justify with preventive controls


• However, do not focus exclusively on preventive
countermeasures
o Prevention techniques can and will be bypassed
o Question is whether you would even know it
• Detective controls are harder to justify with basic TCO and ROI
calculations
o Their value is clear when a previous breach is discovered well after the
intrusion though



SECURITY ARCHITECTURE: MERGERS AND ACQUISITIONS

• Mergers and Acquisitions represent highly disruptive business


events
o They impact virtually every aspect of both organizations, including
security
• Typically, economies of scale warrant significant consolidation of
information systems
• While large project management teams will be attempting to
ensure the high-level project does not fail
o Often new information security risks are overlooked as not representing
imminent risks



SECURITY ARCHITECTURE: DEMERGERS AND DEACQUISITIONS

• Demergers and Deacquisitions are often even more disruptive to


security than Mergers and Acquisitions
• If bringing together information systems is a security challenge,
splitting them can be a nightmare
• The difficulty from a security perspective is often related to how
intertwined the now-disparate organizations were



DOCUMENTATION REVIEW

• Policy (mandatory): Passwords must be changed every 90 days


• Standard (mandatory): Administrators must use Windows Server 2012 R2
as the base operating system
• Procedures (mandatory): Follow these step-by-step instructions to build the
server
• Baseline (discretionary): The specific settings for Windows Server 2012 R2
should match those in the CIS Security Benchmark
• Guidelines (suggestions): To create a strong password, use the first letter of
every word in a sentence
o For example: "I will pass the CISSP in 3 months" becomes the password
"IwptCISSPi3m!"



GOALS OF CRYPTOGRAPHY

A cryptosystem achieves the following goals:

Confidentiality Data Integrity

Authentication Non-Repudiation

Cryptography is about communications in the presence of adversaries. (Rivest, 1990)



CREATING A DIGITAL SIGNATURE

The figure walks through signing an email. The hash values it shows are
b61358cb9a9db, 10f035bb0b9fd, e9755e87ffa2a, dd8006cb1c040 and 671e50c1592c.

From: Cosmo
To: Bishop
Subject: War

The world isn't run by weapons
anymore, or energy, or money.
It's run by little ones and
zeroes, little bits of data.

1. Run the message through the hash algorithm to produce its hash
2. Encrypt the hash with the sender's private key; the result is the signature
3. Append the signature to the message:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAEBAgAGBQJOixjhAAoJEO0hDEoY65E+fPEH/
gmk1GESj2oqo6EF7ln2GPNUO4i2oC9tuyLELjAFfu
KqW0JpINEipO6Q/84Jb0E/mbxHQ1EX52dosBJT83Q
cnxCLMAtEtFoL+45Z1tmONbbqYU2e4IMls+LJcKGs
KbXDDAHW56Qm84gRfl/EZu6CRFrNRToAVZRGMJPHs
SdWCo+Zmtxt08ltI+QbM+JyhhExyarSIyoe2twj71
=ybpb
-----END PGP SIGNATURE-----

"Encrypt with the private key" is literally true for RSA signatures; DSA and
ECDSA signatures are not an encryption operation, but the hash-then-sign
structure is the same.



VERIFYING A DIGITAL SIGNATURE

The figure repeats the signed email from the previous slide and shows the
recipient's side:

1. Recompute the hash of the received message with the same hash algorithm
2. Decrypt the signature with the sender's public key to recover the hash the
sender computed
3. Compare the two hash values (the figure shows both sides as b61358cb9a9db,
10f035bb0b9fd, e9755e87ffa2a, dd8006cb1c040 and 671e50c1592c): a match proves
the message is unaltered and was signed by the holder of the private key; any
difference means the message or the signature was altered
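The signing and verification steps in the two figures, as an added example that is not code from the slides or from GnuPG. It uses textbook RSA without padding, built from two Mersenne primes so that it needs only the Python standard library; the key, the choice of SHA-256, and the message text are assumptions for illustration, and the construction is not a secure signature scheme (real RSA signatures use PKCS#1 v1.5 or PSS padding).

```python
"""Hash-then-sign, as in the two figures: the signer hashes the message and
transforms the hash with the private key; the verifier reverses the
transform with the public key and compares against a freshly computed hash.

Added example, not the slide deck's or GnuPG's code. Textbook RSA with no
padding, built from two Mersenne primes so that it runs with only the
standard library. The key is NOT secure (the modulus is trivially
factorable) and unpadded RSA is not a secure signature scheme.
"""
import hashlib

# Toy RSA key (assumption for this example). 2**127-1 and 2**521-1 are both
# Mersenne primes; e = 65537 is coprime to (p-1)(q-1) for these primes.
_P = (1 << 127) - 1
_Q = (1 << 521) - 1
_N = _P * _Q
PUBLIC_KEY = (65537, _N)                                   # (e, n): published
PRIVATE_KEY = (pow(65537, -1, (_P - 1) * (_Q - 1)), _N)    # (d, n): kept secret

# Constructed message: the text shown in the figure.
MESSAGE = b"""From: Cosmo
To: Bishop
Subject: War

The world isn't run by weapons anymore, or energy, or money.
It's run by little ones and zeroes, little bits of data.
"""


def message_digest(message: bytes) -> int:
    """Hash step: SHA-256 of the message as an integer. 256 bits is far below
    the 648-bit modulus, so RSA can operate on it directly."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """'Encrypt the hash with the private key': s = hash(m) ^ d mod n."""
    d, n = private_key
    return pow(message_digest(message), d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """'Decrypt with the public key' and compare: s ^ e mod n == hash(m)."""
    e, n = public_key
    recovered_hash = pow(signature, e, n)
    return recovered_hash == message_digest(message)


def demo() -> tuple:
    """Genuine message verifies; an altered message or a tampered signature does not."""
    sig = sign(MESSAGE)
    altered = MESSAGE.replace(b"weapons", b"swords")
    return (
        verify(MESSAGE, sig),       # True: recovered hash matches a fresh hash
        verify(altered, sig),       # False: the message hash changed
        verify(MESSAGE, sig ^ 1),   # False: one signature bit was flipped
    )


if __name__ == "__main__":
    genuine, altered, tampered = demo()
    print(f"genuine message: {genuine}, altered message: {altered}, "
          f"tampered signature: {tampered}")
```

Only the holder of d can produce a value whose e-th power mod n equals the hash, which is what makes the match in step 3 of the verification figure evidence of both integrity and origin.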



SSL CRYPTO: AN ILLUSTRATION

1. Client Web Request
2. Server Responds (sends its certificate)
3. Client validates certificate & crypto
4. Client encrypts the session key (with the server's public key from the certificate)
5. Session key exchange
6. Server decrypts the session key (with its private key)
7. Client "finished"
8. Server "finished"
9. Encrypted messages are exchanged

This is the RSA key-transport handshake of SSL and TLS up to 1.2. TLS 1.3
removed it: the session key is derived from ephemeral (EC)DHE key shares, so
steps 4 to 6 become a key-share exchange and the server's certificate is used
only to sign the handshake.



SECURE DEVELOPMENT LIFECYCLE CONSIDERATIONS

The figure shows a cycle: Planning -> Provisioning -> Operating -> Decommissioning -> back to Planning

Names of phases aren't important, but the implied concepts are



OPTIONS FOR SECURELY ERASING FLASH DRIVES AND SSDS

• Use encryption: Never store unencrypted data on the device


• Two common options for devices that contain unencrypted data:
o Use ATA Secure Erase
o Physically destroy the device
• ATA Secure Erase is easier/cheaper
o More thorough than an OS-level sector-by-sector overwrite
o Risk: Physical damage prevents full erasure
• Physical destruction is more expensive but more secure
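A pre-flight check before running ATA Secure Erase, as an added example that is not from the slides. It parses the Security section that `hdparm -I /dev/sdX` prints (the layout, and the two sample outputs, are constructed here from hdparm's usual format) and returns the hdparm command lines to run only when the drive supports the security feature set, is not frozen by the BIOS, and has no password already set. The device name and the throwaway password are placeholders; nothing here touches a disk.

```python
"""Pre-flight check for ATA Secure Erase, plus the command sequence to run.

Added example, not from the slides. Parses the Security section of
`hdparm -I` (layout assumed from hdparm's output: a set flag is printed
indented, a clear flag is printed with a leading "not") and returns the
hdparm argv lists to run. Device name and password are placeholders.
"""
from typing import Dict, List

# Constructed sample: drive supports the security feature set, is not frozen,
# and supports enhanced erase.
SAMPLE_READY = """\
Security:
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\tnot\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
"""

# Constructed sample: same drive, but the BIOS froze it at boot (common).
SAMPLE_FROZEN = SAMPLE_READY.replace("\tnot\tfrozen", "\t\tfrozen")


def parse_security(hdparm_output: str) -> Dict[str, bool]:
    """Extract the security flags from the Security section."""
    flags = {"supported": False, "enabled": False, "locked": False,
             "frozen": False, "enhanced_erase": False}
    in_section = False
    for line in hdparm_output.splitlines():
        if line.startswith("Security:"):
            in_section = True
            continue
        if in_section and line and not line.startswith("\t"):
            break  # reached the next top-level section
        if not in_section:
            continue
        text = line.strip()
        negated = text.startswith("not")
        if negated:
            text = text[3:].strip()
        if text == "supported: enhanced erase":
            flags["enhanced_erase"] = not negated
        elif text in ("supported", "enabled", "locked", "frozen"):
            flags[text] = not negated
    return flags


def erase_plan(device: str, hdparm_output: str,
               password: str = "Erase") -> List[List[str]]:
    """Return the commands to run, or raise if the erase cannot succeed.
    Frozen drives silently reject the security commands; a drive with a
    password already set refuses a new one; a drive without the feature
    set cannot be erased this way at all."""
    f = parse_security(hdparm_output)
    if not f["supported"]:
        raise RuntimeError(f"{device}: no ATA security feature set; "
                           "physically destroy the device instead")
    if f["frozen"]:
        raise RuntimeError(f"{device}: drive is frozen; suspend/resume the "
                           "host or hot-plug the drive, then re-check")
    if f["enabled"] or f["locked"]:
        raise RuntimeError(f"{device}: a user password is already set; "
                           "disable it with the existing password first")
    erase = "--security-erase-enhanced" if f["enhanced_erase"] else "--security-erase"
    return [
        # 1. set a temporary user password (required before erase)
        ["hdparm", "--user-master", "u", "--security-set-pass", password, device],
        # 2. erase; a successful erase also clears the password again
        ["hdparm", "--user-master", "u", erase, password, device],
        # 3. re-read: "not enabled" confirms the erase completed and unlocked
        ["hdparm", "-I", device],
    ]


if __name__ == "__main__":
    for argv in erase_plan("/dev/sdX", SAMPLE_READY):
        print(" ".join(argv))
```

Enhanced erase is preferred where offered because on SSDs it is the variant that also clears over-provisioned blocks the OS cannot address; the slide's caveat still applies, since a drive with damaged flash or a firmware defect may report success without having erased everything, and the final `hdparm -I` only confirms that the command completed, not that every cell was cleared.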



THANK YOU!

• I posted a copy of this talk at https://ericconrad.com


• Check out https://mgt414.com for an upcoming schedule
of SANS Training Program for CISSP® Certification
classes
• My contact information:
o econrad@gmail.com
o Twitter: @eric_conrad

