
CISSP Domain 1 v3 Complete


CISSP® - Certified Information Systems Security Professional

Domain 1

(©) Copyright ThorTeaches 2018
Lamont Robertson – Security Evangelist!

Education and certifications:
Doctoral Candidate
M.A., M.S.
CISSP
CISM
CISA
CRISC
Security+
*Many others

Experience:
Manager of Information Security, Cook County
Chicago Public Schools
IT / IS Consultant
Intelligence Community
U.S. Senate (IT Management)
United States Military
CISSP® - Certified Information Systems Security Professional
DOMAIN 1: Security, Risk, Compliance, Law, Regulations and Business Continuity.

That was a little about me …

Please introduce yourself: name, IT security experience, other work.

Class hours.

Welcome to the first CBK Domain.

This chapter is VERY important, and this domain is very testable.

IT security should be based on a cost-benefit analysis: we want EXACTLY enough security, and we justify it by the ROI from that analysis. More security than the risk warrants wastes money; less leaves risk unmitigated.

Security, Risk, Compliance, Law, Regulations, and Business Continuity.

Think of these concepts as your organizational strategic goals.

Without Security, Risk, Compliance, Law, Regulations, and Business Continuity, Information Security Professionals are working in a vacuum.


Confidentiality, Integrity and Availability.

The CIA Triad (also written AIC).
Confidentiality.
Integrity.
Availability.

Shon Harris, Pages 3-6

Question:
 We are using the CIA triad to, at a high level, explain IT
security to our board of directors. Which of these are the 3
legs of the CIA triad?
A. Confidentiality, Identity and Availability.
B. Identity, accountability and confidentiality.
C. Confidentiality, Integrity and Accountability.
D. Integrity, availability and confidentiality.


Confidentiality, Integrity and Availability.

Confidentiality.
We use:
Encryption.
Secure transport protocols for data in motion.
Best practices for data in use.
Threats to Confidentiality:
Attacks on your encryption.
Social engineering.
Key loggers, cameras, steganography.
IoT (Internet of Things).


Question:
 When an attacker is attacking our encryption, they are
MOSTLY targeting which leg of the CIA triad?
A. Availability.

B. Authentication.

C. Confidentiality.

D. Integrity.


Confidentiality, Integrity and Availability.

Integrity: system integrity and data integrity.
We use:
Cryptography.
Checksums.
Message digests, also known as hashes.
Digital signatures.
Access control.
Threats:
Alteration of our data.
Code injection.
Attacks on your encryption.
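The controls above are not interchangeable, and the difference matters in practice: a checksum or bare digest catches accidental corruption, but an attacker who can rewrite the data can just as easily rewrite the digest stored beside it. Only a keyed construction (a MAC, or a digital signature, which is the asymmetric equivalent) ties the integrity check to something the attacker does not have. The following Python is an added example, not code from the deck; it uses HMAC-SHA256 from the standard library as a keyed stand-in for a digital signature, and the record, the tampering, and the key are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample record that an application stores and later reads back.
RECORD = b"account=4471;balance=120.00;status=active"
# Hypothetical integrity key; in production it lives in a KMS/HSM, never next to the data.
INTEGRITY_KEY = b"example-key-do-not-use-in-production"


def digest(data: bytes) -> str:
    """Unkeyed message digest (hash): detects accidental corruption."""
    return hashlib.sha256(data).hexdigest()


def mac(data: bytes, key: bytes) -> str:
    """Keyed digest (HMAC): detects deliberate alteration by anyone without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_digest(data: bytes, stored_digest: str) -> bool:
    return hmac.compare_digest(digest(data), stored_digest)


def verify_mac(data: bytes, key: bytes, stored_mac: str) -> bool:
    # compare_digest is constant-time, so the comparison itself leaks nothing about the tag.
    return hmac.compare_digest(mac(data, key), stored_mac)


def tamper(data: bytes) -> bytes:
    """Constructed attacker edit: inflate the balance in the record."""
    return data.replace(b"balance=120.00", b"balance=9120.00")


def scenario_bit_flip() -> bool:
    """Accidental corruption (one bit flipped): a plain digest is enough to catch it."""
    stored = digest(RECORD)
    corrupted = bytes([RECORD[0] ^ 0x01]) + RECORD[1:]
    return verify_digest(corrupted, stored)  # False: alteration detected


def scenario_attacker_recomputes_digest() -> bool:
    """Attacker who can write both the data and its hash: the bare digest is defeated."""
    altered = tamper(RECORD)
    attacker_digest = digest(altered)  # no secret is needed to recompute a plain hash
    return verify_digest(altered, attacker_digest)  # True: alteration NOT detected


def scenario_attacker_vs_mac() -> bool:
    """Same attacker against a keyed MAC: without the key every forged tag fails."""
    stored = mac(RECORD, INTEGRITY_KEY)
    altered = tamper(RECORD)
    # Without the key the attacker can only recompute an unkeyed hash or replay the old tag.
    forged_tag = digest(altered)
    return (verify_mac(altered, INTEGRITY_KEY, forged_tag)
            or verify_mac(altered, INTEGRITY_KEY, stored))  # False: alteration detected


if __name__ == "__main__":
    print("bit flip caught by digest:       ", not scenario_bit_flip())
    print("tamper caught by digest:         ", not scenario_attacker_recomputes_digest())
    print("tamper caught by keyed MAC:      ", not scenario_attacker_vs_mac())
```

The same reasoning applies to the "Attacks on your encryption" threat listed above: unauthenticated encryption protects confidentiality but not integrity, which is why authenticated modes (or encrypt-then-MAC) are used for data whose alteration matters.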

Question:
 Which would NOT be a factor to protect our
integrity?
A. Missing database injection protection.

B. Database injection protection through input validation.

C. Digital signatures.

D. Message digests.


Confidentiality, Integrity and Availability.

Availability: data availability.
We use:
IPS/IDS.
Patch management.
Redundancy.
Threats:
Malicious attacks.
Application failures.
Component failure.


Question:
 Which of these would be COMMON attacks focused
on compromising our availability?
A. DDOS

B. All of these.

C. Social engineering.

D. Viruses.


Question:
 Which of these would NOT be a factor we would consider to
protect our availability?
A. SLAs.

B. Redundant hardware.

C. Patch management.

D. Non-redundant hardware.


Opposites of Confidentiality, Integrity and Availability.
The opposites are Disclosure, Alteration and Destruction (DAD): each is what a failure of the matching leg of the triad looks like.
Finding the right mix of Confidentiality, Integrity and Availability is a balancing act.
This strategy largely depends on your unique organization and business strategy.
Shon Harris, Pages 3-6

Question:
 With the CIA triad in mind, when we choose to have too
much integrity, which other control will MOST LIKELY
suffer?
A. Availability.
B. Accountability.
C. Identity.
D. Confidentiality.


Question:
 Looking at the CIA triad, when we have TOO MUCH
availability, which other controls can suffer?
A. Integrity.

B. Confidentiality.

C. Confidentiality and integrity.

D. Confidence.


Question:
The CIA triad is one of the foundational pieces of IT security. We want to find the right mix of confidentiality, integrity and availability, and we want to ensure none of the legs are compromised. Which of these is NOT one of the CIA triad opposites?
A. Disclosure
B. Alteration
C. Aggregation
D. Destruction


IAAA (Identification and Authentication, Authorization and Accountability).
1. Identification.
2. Authentication.
Something you know - Type 1 Authentication.
Something you have - Type 2 Authentication.
Something you are - Type 3 Authentication.
Somewhere you are - Type 4 Authentication.
Something you do - Type 5 Authentication.

Shon Harris, Chapter 5

IAAA.
3. Authorization: what you are allowed to access.
4. Accountability (also often referred to as auditing): trace an action to a subject's identity.

Question:
 Which of these could be something we use to help
us protect our data's confidentiality?
A. Multifactor authentication.

B. Redundant hardware.

C. Hashes.

D. Redundant software.


Question:
 When authenticating against our access control systems,
you present your fingerprint. Which type of authentication
are you using?
A. A possession factor.
B. A knowledge factor.
C. A location factor.
D. A biometric factor.


Security governance principles.

Least privilege and need to know.
Non-repudiation.
Subject and object.

Shon Harris, 8th Ed., Page 163

Question:
 Our organization is using least privilege in our user access
management. How are our users assigned privileges?
A. More privileges than they need for their day-to day job, so
they can perform certain tasks in an emergency.
B. Privileges at the data owner's discretion.
C. Exactly the minimum feasible access for the user to
perform their job.
D. The same privileges as the rest of the group has.


IT Security is there to support the organization.
We are there to enable the organization to fulfill the mission statement and the business goals.
We are not the most important part of the organization.
We are security leaders and business leaders.


Governance vs. Management video: https://www.cybrary.it/video/part-8-governance-vs-management/


Security governance principles.

Governance vs. Management.
Governance: C-level executives who set the strategic goals (not you).
Management: how the objectives will be met (this is you).

Security governance principles.

Top-down vs. bottom-up security management and organization structure.
C-level executives (senior leadership) are ultimately liable.


Question:
During a security breach, one of our honeypots was used for a downstream attack on a rival business. The competitor lost over $200,000 in revenue from the attack. Who is ULTIMATELY liable?
A. Whoever deployed the honeypot.
B. The IT security team.
C. Middle management.
D. Senior management.


Question:
 Who would determine the risk appetite of our
organization?
A. The IT leadership team.

B. Senior management.

C. Middle management.

D. The users.


Security governance principles.

Governance standards and control frameworks.
PCI-DSS
COBIT
COSO
ITIL
FRAP

Shon Harris, 8th Ed., Page 15

Question:
If we want to implement a governance standard or control framework focused on internal risk analysis, which of these could we implement?
A. FRAP.
B. COBIT.
C. ITIL.
D. COSO.


Security governance principles.

Governance standards and control frameworks.
ISO 27000 series.
ISO 27001: Requirements for establishing, implementing, maintaining and continually improving an ISMS (derived from BS 7799 Part 2).
ISO 27002: Code of practice (from BS 7799 Part 1 / ISO 17799); provides practical advice on how to implement security controls.
ISO 27004: Provides metrics for measuring the success of your ISMS.
ISO 27005: Standards-based approach to information security risk management.
ISO 27799: Directives on how to protect PHI (Personal Health Information) in healthcare organizations.


Question:
 Senior management is looking at the ISO27799 standard.
What is it focused around?
A. PCI-DSS.

B. ITSM.

C. Risk management.

D. Protecting PHI.


Security governance principles.

Defense in Depth.
No single security control secures an asset.
We implement multiple overlapping security controls to protect an asset.
This applies both to physical and logical controls.
Shon Harris, 8th Ed., Page 9-10

Specific laws video: https://www.cybrary.it/video/part-13-specific-laws/


Legal and regulatory issues.

There are 4 types of laws.
Criminal law.
Civil law (tort law).
Administrative law (regulatory law).
Private regulations.

Shon Harris, 8th Ed., Page 45

Question:
 We are in a court of law and the proof must be "beyond a
reasonable doubt", which type of court are we in?
A. Administrative court.

B. Probation court.

C. Criminal court.

D. Civil court.


Legal and regulatory issues.

Liability.
Due diligence and due care.
Negligence.

Shon Harris, 8th Ed., Page 148

Question:
As an IT security professional, you are expected to perform your due diligence. What does this mean?
A. Continue the security practices of your company.
B. Researching and acquiring the knowledge to do your job right.
C. Do what is right in the situation and your job. Act on the knowledge.
D. Apply patches annually.


Legal and regulatory issues.

Evidence.
How you obtain and handle evidence is VERY important.
Types of evidence:
Real evidence.
Direct evidence.
Circumstantial evidence.
Corroborative evidence.
Hearsay.
Shon Harris, 8th Ed., Page 163

Question:
 We are in a court of law and we are presenting real
evidence. What constitutes real evidence?
A. Something you personally saw or witnessed.

B. Logs, audit trails and other data from the time of the attack.

C. The data on our hard drives.

D. Tangible and physical objects.


Legal and regulatory issues.

Evidence.
Best evidence rule.
Secondary evidence.
Evidence integrity.
Chain of custody.

Shon Harris, 8th Ed., Page 1012

Legal and regulatory issues.

Reasonable searches.
The Fourth Amendment to the United States Constitution protects citizens from unreasonable search and seizure by the government.
Was the evidence legally obtained?
Exigent circumstances.
Notifications.
Shon Harris, 8th Ed., Page 148

Legal and regulatory issues.

Entrapment and enticement.
Entrapment (illegal and unethical): inducing someone to commit a crime they were not otherwise going to commit.
Enticement (legal and ethical): providing the opportunity to someone who had already decided to commit the crime.
In some cases there is a gray area between entrapment and enticement, and it is ultimately up to the jury to decide which it was.
Make sure that you are using warning banners, even when deploying honeypots, for legal compliance.

Legal and regulatory issues.

Intellectual property.
Copyright ©.
Trademarks ™ and ® (registered trademark).
Patents.
Trade secrets.

These concepts can be confusing, but you will see them on the CISSP exam!


Legal and regulatory issues.

Attacks on intellectual property.
Copyright.
Trademarks.
Patents.
Trade secrets.
Cyber squatting.
Typo squatting.

Legal and regulatory issues.

Privacy.
You as a citizen and consumer have the right to have your Personally Identifiable Information (PII) kept securely.
US privacy regulation: a patchwork of laws.
EU law: very pro-privacy.

Shon Harris, 8th Ed., Page 53

Legal and regulatory issues.

Rules, regulations and laws you should know for the exam (US).
HIPAA: Health Insurance Portability and Accountability Act.

Security breach notification laws: NOT federal; each state has its own, so know the one for your state. When this deck was written only 48 states had one (Alabama and South Dakota had none); both enacted theirs in 2018, so all 50 states now have a breach notification law.

Shon Harris, 8th Ed., Page 71

Question:
 Healthcare insurers, providers and clearing house agencies must
comply with HIPAA (Health Insurance Portability and Accountability
Act) if they operate in the United States. Which of these are rules they
MUST follow? (Select all that apply).
A. Privacy rule.
B. Encryption rule.
C. Disclosure rule.
D. Breach notification rule.
E. Security rule.


Legal and regulatory issues.

Rules, regulations and laws you should know for the exam (US).
Electronic Communications Privacy Act (ECPA).
PATRIOT Act of 2001.
Computer Fraud and Abuse Act (CFAA), Title 18 Section 1030.

Shon Harris, 8th Ed., Page 77

Legal and regulatory issues.

Rules, regulations and laws you should know for the exam (US).
Gramm–Leach–Bliley Act (GLBA).
Sarbanes-Oxley Act of 2002 (SOX).
Payment Card Industry Data Security Standard (PCI-DSS).

Shon Harris, 8th Ed., Page 71

Legal and regulatory issues.

Rules, regulations and laws you should know for the exam (EU):
General Data Protection Regulation (EU) 2016/679 ("GDPR").
Very aggressive pro-privacy law:
Notify individuals (what is collected and why, and of breaches that put them at high risk).
Allow for opt-out (individuals can withdraw consent and object to processing).
Opt-in is required (consent must be freely given, specific, informed and unambiguous; pre-ticked boxes do not count).
Transfers of personal data out of the EU/EEA are restricted: only to countries with an adequacy decision, or under appropriate safeguards such as standard contractual clauses.


Legal and regulatory issues.

Organization for Economic Cooperation and Development (OECD) Privacy Guidelines (international).
30 member nations from around the world, including the U.S.
OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, issued in 1980.

Shon Harris, 8th Ed., Page 54

Legal and regulatory issues.

OECD Privacy Guidelines (international).
Eight driving principles:
1. Collection limitation principle
2. Data quality principle
3. Purpose specification principle
4. Use limitation principle


5. Security safeguards principle
6. Openness principle
7. Individual participation principle
8. Accountability principle


Legal and regulatory issues.

Wassenaar Arrangement.
Export/import controls.
41 countries are part of the arrangement.
Cryptography is considered "dual-use".
Organizations should know what is permitted to import from, and export to, a given country.

Shon Harris, 8th Ed., Page 56

Legal and regulatory issues.

Wassenaar Arrangement.
The Arrangement's dual-use list covers nine numbered categories (Category 5 is split into two parts, giving ten headings):
1. Special materials and related equipment
2. Materials processing
3. Electronics
4. Computers


5, Part 1. Telecommunications
5, Part 2. "Information security" (this is where cryptography falls)
6. Sensors and "lasers"
7. Navigation and avionics
8. Marine
9. Aerospace and propulsion


Legal and regulatory issues.

Third-party, acquisition and divestiture security.
Procurement from third parties.
Acquisitions.
Divestitures.


Ethics:
ISC2 Code of Ethics.
You agree to this before the exam, and the code of ethics is very testable.
Code of Ethics Preamble.
Code of Ethics Canons.


Shon Harris, 8th Ed., Page 172

Ethics.
Computer Ethics Institute.
Ten Commandments of Computer Ethics.
http://computerethicsinstitute.org/images/thetencommandmentsofcomputerethics.pdf


Ethics.
IAB's Ethics and the Internet. Unethical activity includes anything that:
Gains unauthorized access.
Disrupts the intended use of the Internet.
Wastes resources.

Your organization's ethics.

Shon Harris, 8th Ed., Page 174

Information Security Governance.
Policies - Mandatory.
Standards - Mandatory.
Guidelines - non-Mandatory (recommendations).
Procedures - Mandatory.
Baselines (Benchmarks) - Mandatory (the minimum level of security a system must meet).
Shon Harris, 8th Ed., Page 166

Question:
 In our organization we have a lot of policies, procedures,
standards, and guidelines we use to make our decisions.
Which of them is non-mandatory?
A. Procedures.
B. Standards.
C. Guidelines.
D. Policies.


Information Security Governance.

Insider threats pose the largest security risk.
Awareness.
Training.
Hiring practices.
Employee termination practices.
Vendor, consultant and contractor security.
Outsourcing and offshoring.


Examples of Insider Threats – Malicious & Unintended (chart).

Internal threats {38-52%}:
Employee actions or mistakes {24%}
Internal theft {8%}
Lost or improper disposal {6%}

External threats {48-62%}:
Phishing, hacking and malware {31%}
External theft {17%}

Can be both: vendors {14%}

The ranges depend on whether the 14% vendor share is counted as internal or external (24 + 8 + 6 = 38%, plus vendors 52%; 31 + 17 = 48%, plus vendors 62%).
Shon Harris, 8th Ed., Page 98-99

Access Control Defensive Categories and Types.

Access control categories:
Administrative (directive) controls.
Technical controls.
Physical controls.

Shon Harris, 8th Ed., Page 6

Question:
 You have been tasked with looking at PURELY physical
security controls for a new implementation. Which of
these would you consider using?
A. Biometric authentication.
B. Dogs.
C. Access lists.
D. Regulation.


Access Control Defensive Categories and Types.

Access control types:
Preventive - controls that prevent an action from happening.
Detective - controls that detect during or after an attack.
Corrective - controls that correct the effects of an attack.
Recovery - controls that help us recover after an attack.
Deterrent - controls that deter an attack.
Compensating - controls that compensate for a missing or weak control.

YOU MUST KNOW THESE CONCEPTS!

Shon Harris, 8th Ed., Page 226

Risk Analysis video: https://www.cybrary.it/video/part-6-risk-analysis/


Risk Analysis:
 Qualitative Risk Analysis (Subjective)
 Quantitative Risk Analysis (Can be measured objectively)
 Threat (harmful incident)
 Vulnerability (weakness)
 Risk (Threat x Vulnerability)
 Impact (for full picture)
 Total Risk (Threat x Vulnerability x Asset Value)
 Residual Risk (Total Risk- Countermeasures)
Shon Harris, 8th Ed., Page 112

Question:
 In our risk analysis, we are looking at the risks,
vulnerabilities, and threats. Which type of risk analysis are
we using?
A. Quantitative risk analysis.
B. Cumulative risk analysis.
C. Qualitative risk analysis.
D. Quadratic risk analysis.


Risk Analysis.
Qualitative risk analysis with the risk analysis matrix:
Pick an asset.
How likely is the event?
How bad is it if it happens?


Question:
 If we are using a qualitative risk analysis approach, which
of these would we use?
A. Risk analysis matrix.

B. Asset value.

C. Exposure factor.

D. Cost per incident.


Risk Analysis.
Quantitative risk analysis.
This is where we put a number on security.
We find the asset's value:
Asset Value (AV)
Exposure Factor (EF): the percentage of the asset lost in a single incident
Single Loss Expectancy (SLE) = AV x EF
Annual Rate of Occurrence (ARO): how many times per year the incident happens
Annualized Loss Expectancy (ALE) = SLE x ARO
Total Cost of Ownership (TCO) of the countermeasure, which we compare against the ALE.

Shon Harris, 8th Ed., Page 113

Question:
 We are working on our risk management and we are
doing quantitative risk analysis. What does the ALE tell
us?
A. How many times it happens per year.
B. What will it increase per year if we do nothing.
C. What will it cost us per year if we do nothing.
D. How much percent of the asset is lost.


Risk Analysis.
Quantitative risk analysis.

Laptop - Theft/Loss (unencrypted):
Asset Value (AV): $10,000
Exposure Factor (EF): 100%
Single Loss Expectancy (SLE = AV x EF): $10,000
Annual Rate of Occurrence (ARO): 25
Annualized Loss Expectancy (ALE = SLE x ARO): $250,000

Data Center - Flooding:
Asset Value (AV): $10,000,000
Exposure Factor (EF): 15%
Single Loss Expectancy (SLE = AV x EF): $1,500,000
Annual Rate of Occurrence (ARO): 0.25
Annualized Loss Expectancy (ALE = SLE x ARO): $375,000

NIST 800-30.

Risk Analysis.
Quantitative Risk Analysis.
For the example, let's use a 4-year tech refresh cycle.
 Full disk encryption software and support = $75,000 initial and $5,000 per year.
 Remote wipe capabilities for the laptop = $20,000 initial and $4,000 per year.
 Staff for encryption and help desk = $25,000 per year.
Doing nothing costs us $1,000,000 per tech refresh cycle ($250,000 per year).
Implementing full disk encryption and remote wipe will cost $231,000 per tech refresh cycle ($57,750 per year).
The laptop hardware is a 100% loss regardless. What we are mitigating is the 25 x $9,000 = $225,000 per year, by spending $57,750.
This is our ROI (Return On Investment): TCO ($57,750) < ALE ($250,000). This makes fiscal sense, so we should implement.
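The two quantitative slides (the AV/EF/SLE/ARO/ALE formulas and the TCO comparison above) worked through in code. This is an added example, not code from the ThorTeaches course; it uses the slides' figures, and the only assumption it adds is the split of the $10,000 laptop value into $9,000 of data and $1,000 of hardware, which is implied by the slide's "25 x $9,000".

```python
"""Quantitative risk analysis worked through in code.

Formulas from the slides:
    SLE = AV x EF          (Single Loss Expectancy)
    ALE = SLE x ARO        (Annualized Loss Expectancy)
A safeguard makes fiscal sense when its annual TCO is lower than the
ALE it actually removes (the slide's ROI test: TCO < ALE).
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Risk:
    """One asset/threat pair from a quantitative risk analysis."""
    name: str
    asset_value: float      # AV: what the asset is worth, in dollars
    exposure_factor: float  # EF: fraction of AV lost in one incident (0.0 to 1.0)
    aro: float              # ARO: expected number of incidents per year

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: cost of one incident (AV x EF)."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy: cost per year if we do nothing (SLE x ARO)."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A control with a one-off cost and a recurring yearly cost."""
    name: str
    initial_cost: float
    annual_cost: float


def tco_per_year(safeguards: Iterable[Safeguard], cycle_years: int) -> float:
    """Total Cost of Ownership of the controls, spread over one tech refresh cycle."""
    total = sum(s.initial_cost + s.annual_cost * cycle_years for s in safeguards)
    return total / cycle_years


def worth_implementing(risk: Risk, safeguards: Iterable[Safeguard],
                       cycle_years: int, residual_ale: float = 0.0) -> bool:
    """The slide's ROI test: implement when annual TCO < the ALE the controls remove.

    residual_ale is the part of the ALE the controls cannot remove. For the
    laptop case the hardware is still lost whether or not the disk is encrypted.
    """
    mitigated_ale = risk.ale - residual_ale
    return tco_per_year(safeguards, cycle_years) < mitigated_ale


# --- Figures taken from the slides -----------------------------------------
LAPTOP = Risk("Laptop theft/loss (unencrypted)",
              asset_value=10_000, exposure_factor=1.00, aro=25)
DATA_CENTER = Risk("Data center flooding",
                   asset_value=10_000_000, exposure_factor=0.15, aro=0.25)

REFRESH_CYCLE_YEARS = 4
LAPTOP_CONTROLS = (
    Safeguard("Full disk encryption software and support", 75_000, 5_000),
    Safeguard("Remote wipe capability", 20_000, 4_000),
    Safeguard("Staff for encryption and help desk", 0, 25_000),
)
# Assumed split of the $10,000 laptop AV, implied by the slide's "25 x $9,000":
# $9,000 of data (protected by encryption) and $1,000 of hardware (still lost).
LAPTOP_HARDWARE_VALUE = 1_000
LAPTOP_RESIDUAL_ALE = LAPTOP_HARDWARE_VALUE * LAPTOP.aro   # 25 x $1,000 = $25,000


if __name__ == "__main__":
    for risk in (LAPTOP, DATA_CENTER):
        print(f"{risk.name}: SLE ${risk.sle:,.0f}, ALE ${risk.ale:,.0f}")
    tco = tco_per_year(LAPTOP_CONTROLS, REFRESH_CYCLE_YEARS)
    print(f"Laptop controls, TCO per year: ${tco:,.0f}")
    print("Implement laptop controls:",
          worth_implementing(LAPTOP, LAPTOP_CONTROLS, REFRESH_CYCLE_YEARS,
                             residual_ale=LAPTOP_RESIDUAL_ALE))
```

The residual_ale parameter is the piece most people miss when they first do this: encryption removes the data loss, not the hardware loss, so the comparison should be against the $225,000 of ALE the controls actually mitigate, not the full $250,000. With the slide's numbers the decision comes out the same either way.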

Risk Analysis.
 Types of risk responses.
 Accept the Risk.
 Mitigate the Risk (Reduction).
 Transfer the Risk.
 Risk Avoidance.
 Risk Rejection. WRONG answer!
 Secondary Risk.
 This area is very testable: learn the formulas and the risk responses, and be able to differentiate qualitative from quantitative risk analysis.

Question:
 We are looking at our risk responses. We are choosing to ignore an identified risk. What type of response would that be?
A. Risk rejection.
B. Risk mitigation.
C. Risk avoidance.
D. Risk transference.

Risk Analysis.
NIST 800-30 - United States National Institute of Standards and Technology.

Risk Analysis.
NIST 800-30 - A 9-step process for Risk Management.
1. System Characterization.
2. Threat Identification.
3. Vulnerability Identification.
4. Control Analysis.
5. Likelihood Determination.
6. Impact Analysis.
7. Risk Determination.
8. Control Recommendations.
9. Results Documentation.

Risk Analysis.
 Types of attackers.
 Hackers (original use of the term vs. now).
White Hat hackers (Ethical hackers).
Black Hat hackers.
Gray/Grey Hat hackers.
 Script Kiddies.

Shon Harris, 8th Ed., page 49.

Risk Analysis.
Types of attackers.
 Outsiders (unauthorized).
 Insiders (authorized).

Risk Analysis.
Types of attackers.
 Hacktivism/Hacktivist (hacker activist).
 Hacking for political or socially motivated purposes.

 Governments.
 State sponsored.

Risk Analysis.
Types of attackers.
 Bots and botnets (bot is short for robot).
 A botnet is a C&C (Command and Control) network of compromised machines, controlled by people (bot-herders).

Shon Harris, 8th Ed., page 48.

Risk Analysis.
Types of attackers.
 Phishing, spear phishing and whale phishing (fisher spelled in hacker speak with Ph, not F).
 Phishing (Social engineering email attack).
 Spear Phishing (Targeted phishing).
 Whale Phishing (Whaling - targets senior leadership).
 Vishing (Voice Phishing).

Shon Harris, 8th Ed., page 589.

Risk Analysis.
[Phishing email example] Slightly better phishing, but still easy to spot. Looking at the real email, it is even easier.

What we covered in the first CBK Domain.

 Governance, Risk & Compliance (GRC) has been covered to get you to think about strategic objectives and initiatives.
 You have been introduced to various Security Frameworks and principles that will be tested when you sit for the CISSP exam.
 Consider Domain 1 as the foundation to your success!

More practice questions:
https://www.udemy.com/cissp-domain-1-2/learn/v4/content
