Key Takeaways
1. Foundation: Security Rests on CIA, AAA, and Ethics
Confidentiality, integrity, and availability are referred to as the CIA triad, which is the cornerstone concept of information security.
Core security principles. The CIA triad (Confidentiality, Integrity, Availability) forms the bedrock of information security, aiming to prevent unauthorized disclosure, modification, and denial of access to information. Its inverse, DAD (Disclosure, Alteration, Destruction), highlights the negative outcomes security seeks to avoid. Understanding these concepts is fundamental across all security domains.
Controlling access and actions. Identification (claiming an identity) is followed by Authentication (proving the claim), Authorization (defining allowed actions), and Accountability (logging actions for audit). This AAA framework ensures that only verified users can perform permitted tasks, and their activities are traceable. Nonrepudiation, combining authentication and integrity, prevents users from denying their actions.
Ethical conduct is paramount. Information security professionals are often entrusted with highly sensitive data, making ethical behavior non-negotiable. Codes of ethics, like the (ISC)² Code, prioritize protecting society, acting honorably, providing competent service, and advancing the profession. Understanding these ethical guidelines is crucial for maintaining trust and professional integrity.
2. Risk Management is the Core Discipline
To have risk, a threat must connect to a vulnerability.
Quantifying potential loss. Risk is fundamentally the potential for loss resulting from a threat exploiting a vulnerability. Quantitative risk analysis attempts to assign monetary values to risk using metrics like Asset Value (AV), Exposure Factor (EF), Single-Loss Expectancy (SLE = AV x EF), Annual Rate of Occurrence (ARO), and Annualized Loss Expectancy (ALE = SLE x ARO). This allows for cost-benefit analysis of security controls.
Evaluating likelihood and impact. Qualitative risk analysis uses subjective scales (e.g., High, Medium, Low) for likelihood and impact, often visualized in a risk matrix. While less precise than quantitative methods, it's faster and useful for prioritizing risks that are hard to monetize. Both methods inform decisions on how to handle risk.
Strategic risk responses. Once risks are identified and analyzed, organizations must choose a response:
- Accept: Tolerate the risk, often because mitigation cost exceeds potential loss.
- Mitigate: Implement controls to reduce the risk (e.g., encryption to reduce data breach impact).
- Transfer: Shift the risk to a third party (e.g., insurance).
- Avoid: Eliminate the risk by not engaging in the activity that creates it.
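The SLE/ALE arithmetic and the cost-benefit test it enables are easier to see carried through on numbers. The following is an added example, not code from the book or its publisher: all asset values, exposure factors, rates and control costs are constructed for illustration, and the qualitative 3x3 matrix thresholds are one reasonable convention, not a standard.

```python
from dataclasses import dataclass

# Added example (not from the book). All figures below are constructed for
# illustration: a hypothetical database server and two candidate controls.


@dataclass
class Risk:
    name: str
    asset_value: float       # AV: what the asset is worth, in currency units
    exposure_factor: float   # EF: fraction of AV lost in a single occurrence (0.0 to 1.0)
    annual_rate: float       # ARO: expected number of occurrences per year

    def sle(self) -> float:
        """Single-Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.annual_rate


@dataclass
class Control:
    name: str
    annual_cost: float         # yearly cost of running the control
    residual_exposure: float   # EF after the control is in place
    residual_rate: float       # ARO after the control is in place


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains once the control has reduced EF and/or ARO."""
    return Risk(risk.name, risk.asset_value,
                control.residual_exposure, control.residual_rate).ale()


def control_value(risk: Risk, control: Control) -> float:
    """Annual value of a control = ALE before - ALE after - annual cost.
    A positive value means the control saves more than it costs."""
    return risk.ale() - residual_ale(risk, control) - control.annual_cost


def recommend(risk: Risk, control: Control) -> str:
    """Cost-benefit decision between two of the four responses: mitigate when
    the control pays for itself, otherwise accept (transfer and avoid need
    other inputs, such as insurance quotes, that this model does not carry)."""
    return "mitigate" if control_value(risk, control) > 0 else "accept"


QUALITATIVE = {"Low": 1, "Medium": 2, "High": 3}


def qualitative_rating(likelihood: str, impact: str) -> str:
    """3x3 risk matrix: score = likelihood x impact, bucketed into a rating."""
    score = QUALITATIVE[likelihood] * QUALITATIVE[impact]
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


# Constructed scenario: a customer database worth 1,000,000; a breach exposes
# 25% of its value and is expected once every two years.
DB_BREACH = Risk("customer database breach", asset_value=1_000_000,
                 exposure_factor=0.25, annual_rate=0.5)

# Two constructed controls that reduce the same risk to the same residual.
ENCRYPT_AT_REST = Control("encryption at rest", annual_cost=30_000,
                          residual_exposure=0.05, residual_rate=0.5)
FULL_REBUILD = Control("rebuild platform from scratch", annual_cost=150_000,
                       residual_exposure=0.05, residual_rate=0.5)

if __name__ == "__main__":
    print(f"SLE = {DB_BREACH.sle():,.0f}  ALE = {DB_BREACH.ale():,.0f}")
    for control in (ENCRYPT_AT_REST, FULL_REBUILD):
        print(f"{control.name}: value {control_value(DB_BREACH, control):,.0f}"
              f" -> {recommend(DB_BREACH, control)}")
    print("qualitative rating (High likelihood, Medium impact):",
          qualitative_rating("High", "Medium"))
```

With these figures the breach has an SLE of 250,000 and an ALE of 125,000; encryption at rest cuts the ALE to 25,000 for 30,000 a year (a net 70,000 gain, so mitigate), while the rebuild reaches the same residual for 150,000 a year (a net loss, so the cheaper response is to accept or look at transfer).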
3. Asset Security Protects Valuable Information
Data remanence is data that persists beyond noninvasive means to delete it.
Categorizing and protecting data. Asset security focuses on protecting information throughout its lifecycle, starting with classification (e.g., Confidential, Secret, Top Secret, or Internal Use Only, Company Proprietary). This classification determines the required security controls, including labels for objects and clearances for subjects. Formal access approval and the principle of need to know further refine access based on job requirements.
Managing data ownership and handling. Clear roles are essential: Business/Mission Owners fund and prioritize security; Data Owners are managers responsible for specific data protection; System Owners manage the systems holding data; Custodians perform hands-on protection (backups, patching); and Users must follow policy. Data Controllers create/manage data, while Data Processors manage it on their behalf. Data collection should be limited to the minimum necessary.
Securely handling and destroying data. Data remanence is a critical concern, as simply deleting or formatting media doesn't remove the data. Secure destruction methods are necessary:
- Overwriting: Writing new data over old data.
- Degaussing: Using a strong magnetic field (for magnetic media only).
- Destruction: Physically destroying the media (incineration, shredding, pulverizing).
SSDs require specific methods like ATA Secure Erase or physical destruction due to their different technology.
4. Security Engineering Builds Resilient Systems
Security models provide rules of the road for security in operating systems.
Formalizing security policy. Security models translate abstract security policies into concrete rules for system design and implementation. The Bell-LaPadula model focuses on confidentiality ("no read up," "no write down"), while the Biba model prioritizes integrity ("no read down," "no write up"). Other models like Clark-Wilson (integrity via constrained transactions) and Chinese Wall (conflict of interest) address specific business needs.
Designing for defense-in-depth. Secure system design employs principles like layering (separating functionality into tiers), abstraction (hiding complexity), and security domains (grouping subjects/objects with similar needs). The Ring Model is a hardware layering concept (Ring 0 for kernel, Ring 3 for user) that isolates processes. Open systems use standard components, while closed systems use proprietary ones.
Securing hardware and software. Hardware architecture includes securing the CPU (ALU, Control Unit, Fetch/Execute, Pipelining, Interrupts), memory (protection, segmentation, virtual memory, swapping), and components like TPM chips for hardware-based crypto. Software architecture focuses on the kernel (the OS core) and the reference monitor, which mediates all subject-object access to enforce policy. DEP and ASLR protect against code execution exploits.
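The Bell-LaPadula and Biba rules, the label/clearance/need-to-know lattice from the asset security section, and the reference monitor that enforces them all fit in a few dozen lines. The following is an added example, not code from the book: the classification levels, compartments, subjects and objects are constructed, and the monitor is a toy that enforces only the Bell-LaPadula rules while recording every decision for accountability.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, List, Tuple

# Added example (not the book's code). Labels, subjects and objects below are
# constructed for illustration.


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """A sensitivity label: a classification level plus need-to-know compartments."""
    level: Level
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice ordering: higher-or-equal level AND a superset of compartments,
        # so a SECRET clearance without the right compartment still fails need to know.
        return self.level >= other.level and self.compartments >= other.compartments


def bell_lapadula_allows(subject: Label, obj: Label, op: str) -> bool:
    """Confidentiality: no read up (simple security), no write down (*-property)."""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject_integrity: int, object_integrity: int, op: str) -> bool:
    """Integrity: no read down (simple integrity), no write up (integrity *-property)."""
    if op == "read":
        return object_integrity >= subject_integrity
    if op == "write":
        return subject_integrity >= object_integrity
    raise ValueError(f"unknown operation {op!r}")


class ReferenceMonitor:
    """Mediates every subject-object access against the policy and logs the decision."""

    def __init__(self, subjects: Dict[str, Label], objects: Dict[str, Label]):
        self.subjects = subjects   # clearances
        self.objects = objects     # classifications
        self.audit_log: List[Tuple[str, str, str, str]] = []

    def access(self, subject_name: str, object_name: str, op: str) -> bool:
        allowed = bell_lapadula_allows(self.subjects[subject_name],
                                       self.objects[object_name], op)
        # Accountability: every decision, allowed or denied, is recorded.
        self.audit_log.append((subject_name, op, object_name,
                               "ALLOW" if allowed else "DENY"))
        return allowed


# Constructed subjects (clearances) and objects (classifications).
SUBJECTS = {
    "alice": Label(Level.SECRET, frozenset({"NUKE"})),
    "bob": Label(Level.CONFIDENTIAL),
}
OBJECTS = {
    "budget": Label(Level.CONFIDENTIAL),
    "nuke_memo": Label(Level.SECRET, frozenset({"NUKE"})),
    "subs_memo": Label(Level.SECRET, frozenset({"SUBS"})),
    "war_plan": Label(Level.TOP_SECRET, frozenset({"NUKE"})),
}


def build_monitor() -> ReferenceMonitor:
    return ReferenceMonitor(SUBJECTS, OBJECTS)


if __name__ == "__main__":
    rm = build_monitor()
    for subject, obj, op in [("alice", "budget", "read"), ("alice", "war_plan", "read"),
                             ("alice", "subs_memo", "read"), ("alice", "war_plan", "write"),
                             ("alice", "budget", "write"), ("bob", "nuke_memo", "read")]:
        rm.access(subject, obj, op)
    for entry in rm.audit_log:
        print(entry)
```

Note the two denials for alice that have different causes: war_plan is denied on level (read up), while subs_memo is denied purely on need to know, since her SECRET clearance dominates the level but not the SUBS compartment. Her write to war_plan is allowed because Bell-LaPadula permits writing up; a real system usually adds a discretionary check on top so that this does not become a way to lose data into objects the subject cannot read back.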
5. Cryptography is the Science of Secrets
Cryptography is secret writing, a type of secure communication understood by the sender and intended recipient only.
Core cryptographic goals. Cryptography provides essential security services: Confidentiality (keeping data secret), Integrity (ensuring data hasn't been altered), Authentication (verifying identity), and Nonrepudiation (preventing denial of action). It achieves this through ciphers (algorithms) that transform plaintext into ciphertext using keys. Strong crypto relies on complex math and public algorithms, not secrecy.
Fundamental operations. Ciphers use basic operations: Substitution (replacing one character/bit with another) and Permutation (rearranging characters/bits). Confusion (making the relationship between plaintext and ciphertext complex) and Diffusion (spreading the impact of a single plaintext bit change across the ciphertext) are goals achieved through these operations, often using the XOR operation.
Types of encryption. Three main types exist:
- Symmetric: Uses a single secret key for encryption/decryption (e.g., DES, AES). Fast but key distribution is a challenge. Can be stream or block ciphers, using IVs and chaining (CBC, CFB, OFB, CTR) to enhance security.
- Asymmetric: Uses a public/private key pair (e.g., RSA, Diffie-Hellman, ECC). Slower but solves key distribution. Used for secure key exchange and digital signatures.
- Hashing: One-way transformation (an algorithm with no key) that produces a fixed-length message digest (e.g., MD5, SHA). Primarily provides integrity. Vulnerable to collisions, where two different inputs produce the same digest.
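The fundamental operations above (substitution, permutation, XOR), a counter-mode stream cipher built on them, the diffusion property, and an integrity check with a digest can be exercised together. The following is an added example, not code from the book: the S-box and P-box are constructed toy tables, the keystream is a teaching construction that derives blocks from SHA-256 over key, nonce and counter rather than a real cipher such as AES-CTR, and the key, nonce and message are constructed sample values.

```python
import hashlib
import hmac

# Added example (not the book's code). The keystream below is a teaching
# device built from SHA-256; a real system would use AES-CTR or ChaCha20.

# Substitution: a fixed, invertible byte-level S-box (a constructed affine map,
# for illustration only; real S-boxes are designed for nonlinearity).
SBOX = bytes((7 * x + 3) % 256 for x in range(256))
INV_SBOX = bytes(SBOX.index(i) for i in range(256))


def substitute(data: bytes, table: bytes = SBOX) -> bytes:
    return bytes(table[b] for b in data)


# Permutation: rearrange the bytes of a 4-byte block (a P-box).
PBOX = (2, 0, 3, 1)
INV_PBOX = tuple(PBOX.index(i) for i in range(4))


def permute(block: bytes, order=PBOX) -> bytes:
    return bytes(block[i] for i in order)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: SHA-256(key || nonce || counter) blocks, concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def stream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call decrypts, since XOR is its own inverse.
    The nonce (IV) must never be reused with the same key."""
    return xor_bytes(data, keystream(key, nonce, len(data)))


def bit_difference(a: bytes, b: bytes) -> float:
    """Fraction of differing bits between two equal-length byte strings."""
    diff = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return diff / (8 * len(a))


def avalanche(message: bytes, byte_index: int = 0) -> float:
    """Diffusion check: flip one plaintext bit and measure how much of the digest changes."""
    flipped = bytearray(message)
    flipped[byte_index] ^= 0x01
    return bit_difference(hashlib.sha256(message).digest(),
                          hashlib.sha256(bytes(flipped)).digest())


def sha256_hex(message: bytes) -> str:
    return hashlib.sha256(message).hexdigest()


def digest_matches(message: bytes, expected_hex: str) -> bool:
    """Integrity check with an unkeyed hash. The stored digest must itself be
    protected (or a keyed MAC used), or an attacker who alters the message can
    simply recompute it."""
    return hmac.compare_digest(sha256_hex(message), expected_hex)


# Constructed sample values.
KEY = b"constructed-32-byte-demo-key!!!!"   # 32 bytes; use os.urandom(32) in practice
NONCE = b"\x01" * 16
MESSAGE = b"Transfer 100 to account 42"

if __name__ == "__main__":
    ct = stream_encrypt(KEY, NONCE, MESSAGE)
    print("ciphertext:", ct.hex())
    print("round trip:", stream_encrypt(KEY, NONCE, ct))
    print("fraction of digest bits changed by a 1-bit flip:", avalanche(MESSAGE))
    tag = sha256_hex(MESSAGE)
    print("tampering detected:", not digest_matches(b"Transfer 900 to account 42", tag))
```

The avalanche figure lands near 0.5 for any input, which is the diffusion goal: a one-bit change in the plaintext should affect about half of the output bits. The stream cipher shows why IVs matter: with the same key and nonce, the keystream repeats, so nonce reuse is the failure mode to design against.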
6. Physical and Environmental Security are Foundational
Physical security is implicit in most other security controls, and it is often overlooked.
Layered physical defenses. Physical security prevents unauthorized access to facilities and assets. Defense-in-depth applies multiple controls:
- Perimeter: Fences, gates (Class I-IV), lighting (Fresnel, lumen, lux), CCTV (detective/deterrent), motion detectors (ultrasonic, microwave, photoelectric, PIR).
- Building Shell: Doors, windows (bullet-proof, wire mesh), walls, floors, ceilings (slab-to-slab).
- Internal: Locks (key, combination, electronic), smart cards/magnetic stripe cards, mantraps/turnstiles (prevent tailgating), contraband checks, guards, dogs.
Site selection and design. Choosing a secure site considers utility reliability (power, telecom), crime rates, and proximity to hazards. Design issues include avoiding external marking, managing shared tenancy/adjacent buildings, securing shared telecom demarcs, and ensuring secure off-site media storage.
Environmental controls protect assets. Maintaining a stable environment is crucial for equipment and personnel:
- Electricity: Protecting against faults (blackout, brownout, fault, surge, spike, sag) using surge protectors, UPS, generators. Mitigating EMI (crosstalk) via shielding and cable management.
- HVAC: Maintaining temperature (68-77 °F) and humidity (40-55%) to prevent overheating, static, and corrosion. Using positive pressure and drainage.
- Fire Safety: Detecting (heat, smoke - ionization/photoelectric, flame - IR/UV) and suppressing fires (Classes A, B, C, D, K) using appropriate agents (water, soda acid, dry powder, wet chemicals, CO2, Halon/substitutes like FM-200). Personnel safety (evacuation routes, drills, roles) is paramount.
7. Network Security Connects and Protects
Communications and network security focuses on the confidentiality, integrity, and availability of data in motion.
Understanding network models. The OSI model (7 layers: Physical, Data Link, Network, Transport, Session, Presentation, Application) provides a conceptual framework. The TCP/IP model (4 layers: Network Access, Internet, Transport, Application) is the practical implementation used today. Data units change names per layer (bits, frames, packets, segments).
Key network devices. Different devices operate at different layers:
- Layer 1: Repeaters, Hubs (simple signal boosting, no intelligence).
- Layer 2: Bridges, Switches (forward traffic based on MAC addresses, create collision domains, support VLANs).
- Layer 3: Routers (forward traffic based on IP addresses, connect different networks).
- Layer 3-7: Firewalls (filter traffic - packet filter, stateful, proxy).
Protocols for communication. Numerous protocols govern network communication:
- Transport: TCP (reliable, connection-oriented, uses ports), UDP (unreliable, connectionless, faster, uses ports).
- Internet: IPv4/IPv6 (addressing, routing), ICMP (error reporting).
- Application: HTTP/S, FTP, Telnet, SSH, SMTP, POP, IMAP, DNS.
- WAN: T-carriers, E-carriers, Frame Relay, MPLS.
- Wireless: 802.11 (WEP, WPA/WPA2/802.11i), Bluetooth (802.15), RFID.
8. Identity and Access Management Controls Entry
Identity and access management (also known as access control) is the basis for all security disciplines, not just IT security.
Verifying identity claims. Authentication methods prove a subject's identity:
- Type 1 (Something You Know): Passwords (static, passphrase, one-time, dynamic), PINs. Vulnerable to guessing, cracking (dictionary, hybrid, brute-force, rainbow tables, mitigated by salts).
- Type 2 (Something You Have): Tokens (synchronous, asynchronous challenge-response), smart cards.
- Type 3 (Something You Are): Biometrics (fingerprint, retina, iris, hand geometry, voiceprint, facial scan, keyboard dynamics, dynamic signature). Accuracy measured by FRR (Type I error), FAR (Type II error - worse than FRR), and CER/EER.
- Someplace You Are: Location-based (GPS, IP geolocation).
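The Type 1 line above says salts mitigate precomputed (rainbow-table) attacks; the following added example, not code from the book, shows both halves of that: a per-password random salt with a slow key-derivation function (PBKDF2-HMAC-SHA256 from the Python standard library), constant-time verification, and a tiny constructed lookup table that maps unsalted digests back to passwords but gets nothing from a salted record. The wordlist, iteration count and passwords are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Added example (not the book's code). Wordlist, passwords and the iteration
# count are constructed for illustration.

ALGORITHM = "sha256"
DEFAULT_ITERATIONS = 600_000   # deliberately slow so each guess costs the attacker time


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$digest (base64 fields)."""
    if salt is None:
        salt = os.urandom(16)   # unique random salt per password
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_" + ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_" + ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"),
                                    salt, int(iterations))
    # compare_digest avoids leaking where the first mismatching byte is via timing.
    return hmac.compare_digest(candidate, expected)


# Why salts matter: a table of unsalted digests precomputed over a wordlist maps
# a stored digest straight back to the password. A salted record is not in any
# table built before the salt existed.
WORDLIST = ["password", "letmein", "password123", "qwerty"]   # constructed


def unsalted_sha256(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    return {unsalted_sha256(w): w for w in words}


def lookup(table: Dict[str, str], stored: str) -> Optional[str]:
    """Return the password if the stored value appears in the precomputed table."""
    return table.get(stored)


if __name__ == "__main__":
    record = hash_password("password123", iterations=100_000)
    print(record)
    print("correct password verifies:", verify_password("password123", record))
    print("wrong password verifies:", verify_password("Password123", record))
    table = build_lookup_table(WORDLIST)
    print("unsalted digest found in table:", lookup(table, unsalted_sha256("password123")))
    print("salted record found in table:", lookup(table, record))
```

Two details carry most of the defensive value: the salt is stored alongside the digest in the clear (it does not need to be secret, only unique), and the iteration count is stored with the record so it can be raised for new passwords without breaking verification of old ones.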
Implementing access control. Systems use various technologies:
- Centralized: Single point of control (e.g., a central authentication server (AS) such as RADIUS, Diameter, or TACACS+). Supports SSO. Requires routine review of user entitlements to prevent authorization creep.
- Decentralized: Control distributed across systems/locations. Can lead to inconsistency.
- Federated Identity Management (FIdM): SSO across organizations (e.g., using SAML).
- Identity as a Service (IDaaS): Cloud-based identity management.
- Directory Services: LDAP provides a standard protocol for querying user/resource info.
- SSO Protocols: Kerberos (symmetric, mutual auth, tickets), SESAME (adds asymmetric, PACs).
Access control models. Policies are enforced via models:
- Discretionary Access Control (DAC): Owner grants permissions (e.g., file permissions in UNIX/Windows).
- Mandatory Access Control
Review Summary
Eleventh Hour CISSP® receives mixed reviews. Many find it useful as a quick refresher or overview before the CISSP exam, especially for those with prior knowledge. However, it's considered too superficial for comprehensive study. Readers appreciate its concise format but warn it's outdated in some areas. Most recommend using it as a supplement to more in-depth materials. Some find it helpful for earning CPE credits. Overall, it's viewed as a good last-minute review tool but not sufficient as a standalone study guide for the CISSP exam.