CISSP Domain 1 v3 Complete
Information Systems Security Professional (CISSP®)
Domain 1
(©) Copyright ThorTeaches 2018 -
Lamont Robertson – Security Evangelist!
Doctoral Candidate, M.A., M.S., CISSP, CISM, CISA, CRISC, Security+, many others.
Manager of Information Security, Cook County; Chicago Public Schools; IT / IS Consultant; Intelligence Community; U.S. Senate (IT Management); United States Military.
CISSP® - Certified Information Systems Security Professional
DOMAIN 1: Security, Risk, Compliance, Law, Regulations and Business Continuity.
Class hours
Shon Harris, pages 3-6.
Question:
We are using the CIA triad to, at a high level, explain IT
security to our board of directors. Which of these are the 3
legs of the CIA triad?
A. Confidentiality, Identity and Availability.
B. Identity, accountability and confidentiality.
C. Confidentiality, Integrity and Accountability.
D. Integrity, availability and confidentiality.
Question:
When an attacker is attacking our encryption, they are
MOSTLY targeting which leg of the CIA triad?
A. Availability.
B. Authentication.
C. Confidentiality.
D. Integrity.
Question:
Which would NOT be a factor to protect our
integrity?
A. Missing database injection protection.
C. Digital signatures.
D. Message digests.
Question:
Which of these would be COMMON attacks focused
on compromising our availability?
A. DDOS
B. All of these.
C. Social engineering.
D. Viruses.
Question:
Which of these would NOT be a factor we would consider to
protect our availability?
A. SLAs.
B. Redundant hardware.
C. Patch management.
D. Non-redundant hardware.
Opposites of Confidentiality, Integrity and Availability.
Finding the right mix of Confidentiality, Integrity and Availability is a balancing act.
This strategy largely depends on your unique organization and business strategy.
Shon Harris, pages 3-6.
Question:
With the CIA triad in mind, when we choose to have too
much integrity, which other control will MOST LIKELY
suffer?
A. Availability.
B. Accountability.
C. Identity.
D. Confidentiality.
Question:
Looking at the CIA triad, when we have TOO MUCH
availability, which other controls can suffer?
A. Integrity.
B. Confidentiality.
D. Confidence.
Question:
The CIA triad is one of the foundational pieces of IT Security. We
want to find the right mix of confidentiality, integrity and
availability, and we want to ensure none of the legs are
compromised. Which of these is NOT one of the CIA triad
opposites?
A. Disclosure
B. Alteration
C. Aggregation
D. Destruction
Shon Harris, chapter 5.
IAAA.
3. Authorization: what are you allowed to access.
Question:
Which of these could be something we use to help
us protect our data's confidentiality?
A. Multifactor authentication.
B. Redundant hardware.
C. Hashes.
D. Redundant software.
Question:
When authenticating against our access control systems,
you present your fingerprint. Which type of authentication
are you using?
A. A possession factor.
B. A knowledge factor.
C. A location factor.
D. A biometric factor.
Question:
Our organization is using least privilege in our user access
management. How are our users assigned privileges?
A. More privileges than they need for their day-to-day job, so
they can perform certain tasks in an emergency.
B. Privileges at the data owner's discretion.
C. Exactly the minimum feasible access for the user to
perform their job.
D. The same privileges as the rest of the group has.
Management.
How the objectives will be met (This is you).
Question:
C. Middle management.
D. Senior management.
Question:
Who would determine the risk appetite of our
organization?
A. The IT leadership team.
B. Senior management.
C. Middle management.
D. The users.
Question:
If we want to implement governance standards and
control frameworks focused on internal risk analysis, which
of these could we implement?
A. FRAP.
B. COBIT.
C. ITIL.
D. COSO.
Question:
Senior management is looking at the ISO27799 standard.
What is it focused around?
A. PCI-DSS.
B. ITSM.
C. Risk management.
D. Protecting PHI.
Question:
We are in a court of law and the proof must be "beyond a
reasonable doubt", which type of court are we in?
A. Administrative court.
B. Probation court.
C. Criminal court.
D. Civil court.
Question:
As an IT Security professional, you are expected to perform your
due diligence. What does this mean?
A. Continue the security practices of your company.
Question:
We are in a court of law and we are presenting real
evidence. What constitutes real evidence?
A. Something you personally saw or witnessed.
B. Logs, audit trails and other data from the time of the attack.
Question:
Healthcare insurers, providers and clearing house agencies must
comply with HIPAA (Health Insurance Portability and Accountability
Act) if they operate in the United States. Which of these are rules they
MUST follow? (Select all that apply).
A. Privacy rule.
B. Encryption rule.
C. Disclosure rule.
D. Breach notification rule.
E. Security rule.
Acquisitions.
Divestitures.
Ethics:
ISC2 Code of Ethics.
You agree to this before the exam, and the code of ethics is very testable.
Ethics.
Computer Ethics Institute.
Ten Commandments of Computer Ethics.
http://computerethicsinstitute.org/images/thetencommandmentsofcomputerethics.pdf
Ethics.
IAB's Ethics and the Internet.
Unauthorized access
Disrupts the intended use of the Internet
Wastes resources
Information Security Governance.
Policies - Mandatory.
Standards - Mandatory.
Guidelines - non-Mandatory.
Procedures - Mandatory.
Baselines (Benchmarks) - non-Mandatory.
Shon Harris, 8th Ed., page 166.
Question:
In our organization we have a lot of policies, procedures,
standards, and guidelines we use to make our decisions.
Which of them is non-mandatory?
A. Procedures.
B. Standards.
C. Guidelines.
D. Policies.
External threats.
Internal threats {48-62%}: employee actions {38-52%} or mistakes {24%}.
External theft {17%}.
Vendors {14%}.
Can be both.
Question:
You have been tasked with looking at PURELY physical
security controls for a new implementation. Which of
these would you consider using?
A. Biometric authentication.
B. Dogs.
C. Access lists.
D. Regulation.
Risk Analysis:
Qualitative Risk Analysis (Subjective)
Quantitative Risk Analysis (Can be measured objectively)
Threat (harmful incident)
Vulnerability (weakness)
Risk (Threat x Vulnerability)
Impact (for full picture)
Total Risk (Threat x Vulnerability x Asset Value)
Residual Risk (Total Risk - Countermeasures)
Shon Harris, 8th Ed., page 112.
Question:
In our risk analysis, we are looking at the risks,
vulnerabilities, and threats. Which type of risk analysis are
we using?
A. Quantitative risk analysis.
B. Cumulative risk analysis.
C. Qualitative risk analysis.
D. Quadratic risk analysis.
Risk Analysis.
Qualitative Risk Analysis with the Risk Analysis Matrix.
Pick an asset.
How likely?
How bad if it happens?
Question:
If we are using a qualitative risk analysis approach, which
of these would we use?
A. Risk analysis matrix.
B. Asset value.
C. Exposure factor.
Risk Analysis.
Quantitative Risk Analysis.
This is where we put a number on security.
We find the asset's value.
Asset Value (AV)
Exposure factor (EF)
Single Loss Expectancy (SLE) - (AV x EF)
Annual Rate of Occurrence (ARO)
Annualized Loss Expectancy (ALE)
Total Cost of Ownership (TCO).
Question:
We are working on our risk management and we are
doing quantitative risk analysis. What does the ALE tell
us?
A. How many times it happens per year.
B. What will it increase per year if we do nothing.
C. What will it cost us per year if we do nothing.
D. What percentage of the asset is lost.
Risk Analysis.
Quantitative Risk Analysis.
Laptop - Theft/Loss (unencrypted):
Asset Value (AV): $10,000
Exposure factor (EF): 100%
Single Loss Expectancy (SLE) - (AV x EF): $10,000
Annual Rate of Occurrence (ARO): 25
Annualized Loss Expectancy (ALE): $250,000

Data Center - Flooding:
Asset Value (AV): $10,000,000
Exposure factor (EF): 15%
Single Loss Expectancy (SLE) - (AV x EF): $1,500,000
Annual Rate of Occurrence (ARO): 0.25
Annualized Loss Expectancy (ALE): $375,000
Risk Analysis.
Quantitative Risk Analysis.
For this example, let's use a 4-year tech refresh cycle.
Full disk encryption software and support = $75,000 initial and $5,000 per year.
Remote wipe capabilities for the laptops = $20,000 initial and $4,000 per year.
Staff for encryption and help desk = $25,000 per year.
Doing nothing costs us $1,000,000 per tech refresh cycle ($250,000 per year).
Implementing full disk encryption and remote wipe will cost $231,000 per tech refresh cycle ($57,750 per year).
The laptop hardware is a 100% loss regardless. What we are mitigating is the 25 x $9,000 = $225,000 by spending $57,750.
This is our ROI (Return On Investment): TCO ($57,750) < ALE ($250,000). This makes fiscal sense; we should implement.
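The SLE, ALE and TCO arithmetic above, worked through as an added example (not code from the ThorTeaches deck), using the laptop and data center figures from this section and the deck's 4-year refresh cycle as its assumptions:

```python
# Added example: the quantitative risk formulas from this section applied to the
# slide's own laptop and data center figures (not code from the ThorTeaches deck).
from dataclasses import dataclass


@dataclass
class Countermeasure:
    name: str
    initial_cost: float  # one-time cost, paid once per tech refresh cycle
    annual_cost: float   # recurring cost per year


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. exposure_factor is a fraction: 0.15 means 15% of the asset is lost."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO may be fractional: 0.25 means once every four years."""
    return sle * aro


def tco_per_cycle(controls: list, cycle_years: int) -> float:
    """Total Cost of Ownership of the countermeasures over one refresh cycle."""
    return sum(c.initial_cost + c.annual_cost * cycle_years for c in controls)


def annual_tco(controls: list, cycle_years: int) -> float:
    return tco_per_cycle(controls, cycle_years) / cycle_years


def worth_implementing(annual_cost: float, ale: float) -> bool:
    """The slide's decision rule: implement when the annualized TCO is below the ALE."""
    return annual_cost < ale


# Figures from the slide's two examples (assumed values, as given on the slide).
LAPTOP = {"av": 10_000, "ef": 1.00, "aro": 25}             # theft/loss, unencrypted
DATA_CENTER = {"av": 10_000_000, "ef": 0.15, "aro": 0.25}  # flooding
CYCLE_YEARS = 4
LAPTOP_CONTROLS = [
    Countermeasure("Full disk encryption software and support", 75_000, 5_000),
    Countermeasure("Remote wipe capabilities", 20_000, 4_000),
    Countermeasure("Encryption and help desk staff", 0, 25_000),
]


def analyse(asset: dict) -> dict:
    sle = single_loss_expectancy(asset["av"], asset["ef"])
    return {"sle": sle, "ale": annualized_loss_expectancy(sle, asset["aro"])}


def laptop_decision() -> dict:
    """ALE of doing nothing versus the annualized TCO of the proposed controls."""
    ale = analyse(LAPTOP)["ale"]
    tco = annual_tco(LAPTOP_CONTROLS, CYCLE_YEARS)
    return {"ale": ale, "annual_tco": tco, "implement": worth_implementing(tco, ale)}
```

Running `laptop_decision()` reproduces the slide's $250,000 ALE against a $57,750 annualized TCO, so the decision is to implement.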
Risk Analysis.
Types of risk responses.
Accept the Risk.
Mitigate the Risk (Reduction).
Transfer the Risk.
Risk Avoidance.
Risk Rejection. WRONG answer!
Secondary Risk.
This area is very testable: learn the formulas, the risk responses, and how to differentiate qualitative and quantitative risk analysis.
Question:
We are looking at our risk responses. We are choosing to
ignore an identified risk. What type of response would that
be?
A. Risk rejection.
B. Risk mitigation.
C. Risk avoidance.
D. Risk transference.
Risk Analysis.
NIST 800-30 - United States National Institute of Standards and Technology.
Risk Analysis.
NIST 800-30 - A 9-step process for Risk Management.
1. System Characterization.
2. Threat Identification.
3. Vulnerability Identification.
4. Control Analysis.
5. Likelihood Determination.
6. Impact Analysis.
7. Risk Determination.
8. Control Recommendations.
9. Results Documentation.
Risk Analysis.
Types of attackers.
Hackers: the original use of the term vs. how it is used now.
White Hat hackers (Ethical hackers).
Black Hat hackers.
Gray/Grey Hat hackers.
Script Kiddies.
Shon Harris, 8th Ed., page 49.
Risk Analysis.
Types of attackers.
Outsiders. (unauthorized)
Insiders. (authorized)
Risk Analysis.
Types of attackers.
Hacktivism/Hacktivist (hacker activist).
Hacking for political or socially motivated
purposes.
Governments.
State sponsored
Risk Analysis.
Types of attackers.
Bots and botnets (bot is short for robot).
A botnet is a C&C (Command and Control) network of compromised machines, controlled by people (bot-herders).
Shon Harris, 8th Ed., page 48.
Risk Analysis.
Types of attackers.
Phishing, spear phishing and whale phishing ("fishing" spelled in hacker speak with Ph instead of F).
Phishing (social engineering email attack).
Spear Phishing (targeted phishing).
Whale Phishing (Whaling – targets senior leadership).
Vishing (Voice Phishing).
Shon Harris, 8th Ed., page 589.
Risk Analysis:
Slightly better phishing, but still easy to spot. Looking at the real email, it is even easier.