
CISSP | KEY POINTS +

Below are some keywords (not in any particular order) that IMHO are important concepts that you need to
understand for the exam (+ some good to know security stuff). You can find details on each of these topics by doing
simple online research. This is definitely not a comprehensive guide but rather a starting point. While you are
doing your preparation, create a similar keywords list for yourself.
These are my personal notes (and my own understanding of the different topics) which I have gathered from reading
through different resources. You are more than welcome to share these notes.

CIA Triad is the core principle behind Information Security. Everything else in Information Security is a matter of detail that
always refers back to one or more of the CIA principles.
Confidentiality: prevents unauthorized disclosure.
Integrity: prevents unauthorized alteration.
Availability: prevents destruction or denial of access.
Cryptography:
There are several Symmetric (same key, also known as secret key) and Asymmetric (different keys, also known as public
key) algorithms that provide confidentiality from the CIA Triad perspective. The Symmetric algorithms that are needed for
the exam are:
Twofish
3DES
AES (the standardized form of Rijndael)
Blowfish
CAST
DES (obsolete today because of its 56-bit key, still asked about)
IDEA
Rijndael
RCx (RC4 is a stream cipher; RC5 and RC6 are block ciphers)
Serpent

Asymmetric algorithms (only RSA, El Gamal, ECC and Knapsack actually encrypt; Diffie-Hellman agrees a key and DSS/DSA only sign):

Diffie-Hellman: provides key exchange (agreement); lacks authentication on its own, so without signatures or certificates it is open to man-in-the-middle; was the first published asymmetric algorithm
El Gamal
Elliptic Curve (ECC): same security with much shorter keys than RSA
Knapsack (Merkle-Hellman; broken, historical only)
o DSS Digital Signature Standard
o DSA Digital Signature Algorithm (the algorithm specified by DSS; signatures only, no encryption)
RSA

When your goal is to achieve confidentiality, you encrypt the message with the recipient's public key. When your goal is
integrity and authenticity rather than confidentiality, you sign with your own private key (in textbook RSA terms, "encrypt
the hash with your private key") so that anyone holding your public key can verify it.
Symmetric + Integrity = Message Authentication Code (MAC)
Asymmetric + Integrity = Digital Signature
MAC: Four types:
1. Hash function based (e.g. HMAC)
2. Stream cipher based
3. Block cipher based (e.g. CBC-MAC, CMAC)
4. Unconditionally secure (one-time MAC)

Stream Ciphers: Symmetric, fast, XOR the plaintext with a keystream, historically preferred for hardware implementation.
Block Ciphers: Symmetric, fixed-length blocks, suitable for software implementation.
Key Terms:
Key Clustering: Occurs when two different keys generate the same ciphertext from the same plaintext using the same
cipher algorithm.
Collision: When a hash algorithm produces the same hash value for two different messages.
Pretty Good Privacy (PGP): uses symmetric encryption for the message and an asymmetric algorithm to encrypt the session
key and send it securely to the receiver. It is considered a Hybrid System. It also uses a web of trust instead of a Certificate
Authority. Other hybrid systems include: SSL/TLS, IPSec, S/MIME.
Kerberos: depends on symmetric keys. The Key Distribution Center (KDC) holds the secret (symmetric) keys of every principal and NOT public keys.
Authentication Header (AH): provides integrity and data origin authentication for the whole IP packet. Exam sources also credit it with
non-repudiation (cannot deny sending it); note that AH uses a shared-key HMAC, so either peer could have produced the packet and a third party cannot be convinced of its origin.
X.509 Digital Certificate includes: serial number, signature algorithm identifier, issuer name, validity period, subject's
name, subject's public key (plus version, optional v3 extensions, and the issuer's signature over all of it).
Integrity Algorithms:
MD5, SHA family, Message Digest (MD) family, HAVAL, one-way hash in general. MD5 and SHA-1 are no longer collision resistant; SHA-2/SHA-3 are the current choices.

Hashing: algorithms provide data integrity only. When a hash algorithm is applied to a message, it produces a Message
Digest, and signing this digest with the sender's private key produces the Digital Signature.
Digital Signature: integrity comes from the hash (MD5 and/or SHA on the exam) and accountability from the public/private key
pair; altogether it provides integrity, authentication, and non-repudiation.
Access LifeCycle:
Identification (who you claim to be)
Authentication (proving it by something you know, something you have, something you are)
Authorization (what you may do: read, write, execute)
Audit (logs; accountability)
Verification = identification; Validation = authentication.


Certification: Technical evaluation of product.
Accreditation: Formal acceptance of risk.
Covert Timing Channel: one process signals another by modulating timing (speeding up or slowing down its use of a shared resource).
Covert Storage Channel: one process writes data to a storage location that another process can read, bypassing the security policy.
TOC/TOU: Time of check / time of use; a race condition where the state changes between the moment it is checked and the moment it is used.
Steganography: hiding data inside other data; digital watermarks, least significant bit substitution.
Digital Signature: Uses Asymmetric, a hash value that has been encrypted with a senders private key.
Known Plaintext attack: the attacker has plaintext and its encrypted version.
Ciphertext Only attack: the attacker has access only to ciphertext.
Clipper Chip: Key Escrow, uses SkipJack algorithm.
HTTPS vs S-HTTP: HTTPS protects the entire communication channel. S-HTTP protects only each message
(application data) and not the communication channel.
Due Care: doing the right thing, performing the ongoing maintenance necessary to keep something in proper working
order. Opposite = negligence.
Due Diligence: Investigating, performing research before committing to a course of action. Opposite = haphazard; not
doing your homework.
Remote Journaling: Act of parallel processing transaction logs to an offsite facility.
Electronic Vaulting: Bulk, batch transfer of information.
Database Shadowing: Live process that duplicates transactions and the entire files from primary server to backup.

Degree = number of columns (attributes); Cardinality = number of rows (tuples).


Total Risk: Inherent risk, comprehensive.
Pseudo Flaw: loophole purposely added to an operating system or application to trap intruders.
Enticement: Legal
Entrapment: Illegal
Residual Risk: Left over risk; usually after a countermeasure in place.
8 Steps of BIA Business Impact Analysis:
A. Select individuals to interview for data gathering.
B. Create data gathering techniques (survey questions).
C. Identify the company's critical business functions.
D. Identify the resources these functions depend upon.
E. Calculate how long these functions can survive without these resources.
F. Identify vulnerabilities and threats to these functions.
G. Calculate the risk for each of these functions.
H. Document findings and report them to management.

Access Control:
A subject's sensitivity label must be equal to or greater than the object's sensitivity label in order for the subject to have read
access to it; the subject's label has to dominate the object's label (Bell-LaPadula simple security property, "no read up").
In order for a subject to have write access to an object, the subject's sensitivity label must be dominated by the object's
sensitivity label (Bell-LaPadula *-property, "no write down").
Identification: one to many (which identity is claimed?); Authentication: one to one (is it really that identity?).
Mandatory Access Control: based on security labels which indicate the clearance of subjects and the classification of objects. Lattice
Based: a type of MAC in which labels (level + category set) are partially ordered; any two labels have a least upper bound and a greatest lower bound.
Discretionary Access Control: uses Access Control Lists; identity-based; rights are set by the owner of the object
(TCSEC calls DAC with auditing "controlled access protection", class C2).
Non-Discretionary: a central authority determines access rights; role-based access control is the usual example.
Security modes of operation (what every user on the system must have for ALL the data on it):
Dedicated Security Mode: clearance, formal access approval and need-to-know for all information; single-state machine.
System High Security Mode: clearance and formal access approval for all information, but need-to-know for only some of it.
Compartmented Security Mode: clearance for all information, but formal access approval and need-to-know for only some of it.
Multilevel Security Mode: not all users are cleared for all information; the system (mandatory access control, multi-state) enforces the separation.

Clark-Wilson Model: integrity model, similar to a change control board in an organization. Well-formed transactions,
separation of duties (so that fraud requires collusion, i.e. people working together to do something bad), constrained data items (CDIs),
integrity verification procedures (IVPs), transformation procedures (TPs). Subjects reach CDIs only through access triples
(subject, TP, CDI). Three integrity goals:
1. Prevent unauthorized users from making modifications.
2. Prevent authorized users from making improper modifications.
3. Maintain internal and external consistency.
Take-Grant Model: consists of a set of states and state transitions. A directed graph shows the connections between
the nodes of the system; these nodes represent the subjects and objects of the model, and the edges carry take/grant/read/write rights.
Non-Interference: a user's actions in one domain cannot affect (interfere with) what users in another domain observe. It strictly separates differing security levels
to assure that higher level actions do not determine what lower level users can see.
Information Flow: similar to Bell-LaPadula; it controls how information may flow between objects based on security
classes. Information is allowed to flow only in accordance with the security policy.
Access Control Matrix Model: a straightforward two-dimensional table of access rights of subjects over objects. A row is a
capability list (applied to a subject); a column is an ACL (applied to an object).
Brewer and Nash (Chinese Wall): mathematical theory; access rules change dynamically based on what a subject has already accessed; prevents conflict of interest and
fraudulent modifications.
Protection Domain: the goal is to protect programs from all unauthorized modification or interference.
Security Perimeter: the boundary that separates the trusted computing base from the remainder of the system.
Category Set = Compartment Set
Physical:
High Humidity: >60% = corrosion
Low Humidity: <40% = static electricity
Fire Classes:
A = Common combustibles
B = Liquids
C = Electrical
D = Metals
Soda Acid: suppresses the fuel supply of the fire
Carbon Dioxide: removes oxygen from the fire
Halon: suppresses combustion by disrupting the chemical reaction; ozone depleting and no longer manufactured, FM-200 is its usual replacement


Fire protection for the ceiling should be a minimum of one hour, and adjacent walls where records are stored should be two
hours. Fire extinguishers should be placed within 50 ft of electronics.
Fences: critical areas should have at least 8 ft with 3 strands of barbed wire. Lighting: 8 ft high providing at least 2 foot-
candles.
Occupant Emergency Plan: provides coordinated procedures for minimizing loss of life or injury and protecting damage
in response to a physical threat.
Recovery Time Objective (RTO): maximum amount of time allowed for the recovery of a business function. If the RTO is exceeded, severe
damage to the organization occurs.
Recovery Point Objective (RPO): the point in time to which data must be restored (i.e. how much data loss is tolerable) in order to resume processing.
Inline (online) UPS: constantly provides power through its battery/inverter, so there is no switchover gap.
Standby UPS: switches to battery power after an outage is detected.
Clean Power: no interference; no voltage fluctuation.
Positive Pressurization: air flows out of the room when a door is opened; in the event of a fire, smoke is pushed out instead of drawn in.
Biometrics: Most Effective = low Crossover Error Rate (CER); Least Effective = high CER.
Telecommunication:
A network topology defines the manner in which the network devices are organized to facilitate communications.
Common LAN topologies are:
Bus
Ring
Star
Mesh

LAN transmission methods (the way packets are addressed on the network) are:
Unicast
Multicast
Broadcast

LAN transmission protocols are the rules for communicating between computers on a LAN. Common LAN transmission
protocols are:

CSMA/CD
Polling
Token-Passing

LAN media access methods control the use of the network (physical and data link layers). They can be:

Ethernet
ARCnet
Token Ring
FDDI

TCP: connection oriented; UDP: connectionless.
TCP/IP: is composed of 2 protocols: IP defines the rules for getting a packet from one point to another and TCP
defines the rules for ensuring that the data received at the destination is accurate and in the correct sequence.
Password Authentication Protocol (PAP): passwords are sent in cleartext; vulnerable to sniffing, MITM and replay attacks.
Challenge Handshake Authentication Protocol (CHAP): the authenticator sends a random challenge and the peer answers with a hash of
(identifier, password, challenge). Unlike PAP, the password is not sent over the wire, and a fresh challenge per session defeats replay.
Tunneling: is built on top of encapsulation (one protocol's packets are carried as the payload of another).
WTLS: Wireless Transport Layer Security for WAP. The "WAP gap": data is decrypted at the WAP gateway before being re-encrypted for the wired side, so sensitive data sits in cleartext on the gateway for a short period.
WAN Technologies:
Circuit Switching (ISDN, POTS):
o A dedicated path is set up for the duration of the call; acts like a dedicated link, connection oriented, fixed delays (ISDN is digital).
Packet Switching (X.25, Frame Relay):
o X.25 was the first packet switching technology; permanent and switched virtual circuits (PVC/SVC); Frame Relay bills on a committed information rate (CIR).
Cell Switching (ATM):
o 53-byte fixed cells, high bandwidth, switching, multiplexing.
o ATM Asynchronous Transfer Mode: a cell switching technology that uses virtual circuits but, unlike Frame
Relay, uses fixed-size cells; it can guarantee throughput (QoS), which makes ATM an excellent WAN
technology for voice and video conferencing.

Individual packet of Ethernet is: Frame
Individual packet of IP is: Datagram
Individual packet of TCP is: Segment
Security Kernel: the hardware, software and firmware within the TCB that implements the reference monitor concept; it must mediate all access, be tamper-proof, and be small enough to be verified.
Indirect Addressing: When the address location that is specified in the programs instruction contains the address of the
final desired location.
Direct Addressing: When a portion of primary memory is accessed by specifying the actual address of the memory
location.
SESAME: developed to address some of the weaknesses in Kerberos; uses public key cryptography for the distribution
of secret keys and provides additional access control support (privilege attribute certificates).

IPSec: Internet Protocol Security, usually used for VPNs; secures the channel between 2 servers, 2 routers, a workstation and a server,
or 2 gateways between different networks. Two modes: Transport and Tunnel:
o Transport Mode: only the payload of the packet is protected; the original IP header stays in the clear (host to host).
o Tunnel Mode: the whole original packet, payload and header, is protected and wrapped in a new IP header (gateway to gateway).
Keys are negotiated by IKE, which uses public key cryptography (certificates) or pre-shared keys to authenticate the peers;
the packets themselves are protected with symmetric algorithms.

SSL Secure Socket Layer: developed by Netscape; uses public key cryptography for authentication and key establishment.
SSL/TLS: TLS is the successor of SSL. It adds more cipher suite (encryption and hashing) options; the TLS 1.0 PRF combined MD5 and SHA-1
so that a weakness in one hash does not break the construction. Relies on a Public Key Infrastructure (certificates) to authenticate the server.
ISO has defined 5 basic areas of network management (FCAPS): fault management, configuration management, accounting
management, performance management, security management.
RADIUS: AAA for dial-in users (SLIP, PPP); runs over UDP; three response types: Access-Accept, Access-Reject, Access-Challenge.
DIAMETER: next generation RADIUS; runs over TCP/SCTP and can be used with any modern device: PDAs, laptops, cell phones, etc.
Software Development
Padded Cell: a sealed, simulated environment that an IDS transfers a detected intruder into, so the attacker can be observed without harming real systems (compare honeypot).
Data Definition Language (DDL): is used to create and destroy databases and database objects.
Data Manipulation Language (DML): is used to retrieve, insert and modify database information.
Data Control Language (DCL): controls access to the data (GRANT, REVOKE).
Ad Hoc Query Language (QL): for users to make queries and access the data within the database.
Waterfall Model: Traditional model, completion of one tasks leads to start of another.
Prototyping: refines models/prototypes until acceptable which results of design and completion of the final version.
Spiral: combination of waterfall and prototyping.
Verification: ensures the specifications are properly met (did we build it right?). Validation: real world use, solves the problem (did we build the right thing?).
Object Oriented Programming: a class is the family (template); an object is a specific instance of that class.
Relational Database Management System (RDBMS): a database management system in which data is stored in tables
and the relationships among the data are also stored in tables. The data can be accessed or reassembled in many
different ways without having to change the table forms.
Polymorphism: in malware, a virus that changes its appearance (code) on each infection to evade signatures; in OOP, different objects responding to the same message in their own way.
Polyinstantiation: creation of many instances/versions of an object using different values of its variables to ensure that
lower level subjects do not learn about data at a higher classification; copy and repopulate.

Aggregation: obtaining information of higher sensitivity by combining pieces of information of lower sensitivity.
High Cohesion: a module does one thing and works independently, with little or no help from others.
Low Cohesion: a module does many unrelated things and needs help from others.
Coupling: a measure of the interaction between modules; high coupling means many dependencies.
Low Coupling: less interaction; together with high cohesion, provides better software design.
Relational Database Model: Data structures called tables or relations, integrity rules on allowable values and value
combinations in the tables, operators on the data in the tables.
ACID:
o Atomicity = All or none
o Consistency = Does not breach the rules; integrity constraints
o Isolation = Not visible until the transaction is complete
o Durability = Committed transactions are permanent
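Atomicity, consistency and durability are concrete once you watch a transfer fail half way. This is an added example, not part of the original notes; the ledger table, account names and amounts are constructed. It uses Python's built-in sqlite3 with explicit BEGIN/COMMIT/ROLLBACK:

```python
import sqlite3


def make_ledger() -> sqlite3.Connection:
    """Constructed two-account ledger. isolation_level=None puts the driver in
    autocommit mode so that transactions are started explicitly with BEGIN."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE accounts ("
                 " name TEXT PRIMARY KEY,"
                 " balance INTEGER NOT NULL CHECK (balance >= 0))")  # consistency rule
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 0)])
    return conn


def transfer(conn, src: str, dst: str, amount: int) -> bool:
    """Atomic transfer: either both rows change and the change is durable
    (COMMIT), or nothing changes at all (ROLLBACK)."""
    conn.execute("BEGIN")
    try:
        debit = conn.execute("UPDATE accounts SET balance = balance - ? WHERE name = ?", (amount, src))
        credit = conn.execute("UPDATE accounts SET balance = balance + ? WHERE name = ?", (amount, dst))
        if debit.rowcount != 1 or credit.rowcount != 1:
            raise sqlite3.IntegrityError("unknown account")
        conn.execute("COMMIT")
        return True
    except sqlite3.IntegrityError:
        conn.execute("ROLLBACK")  # a CHECK violation or a missing row undoes the debit too
        return False


def transfer_non_atomic(conn, src: str, dst: str, amount: int) -> None:
    """The same two statements without a transaction: if the credit does not
    land, the debit is already permanent and the money simply disappears."""
    conn.execute("UPDATE accounts SET balance = balance - ? WHERE name = ?", (amount, src))
    conn.execute("UPDATE accounts SET balance = balance + ? WHERE name = ?", (amount, dst))


def balances(conn) -> dict:
    return dict(conn.execute("SELECT name, balance FROM accounts ORDER BY name"))


def total(conn) -> int:
    """Sum of all balances; an internal transfer must never change it."""
    return sum(balances(conn).values())
```

The CHECK constraint is the consistency rule: an overdraft is refused by the database itself, not by application code, and the rollback restores the pre-transaction state. The non-atomic variant shows the integrity failure the model exists to prevent.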

Ingress Filtering: do not allow packets in from outside that carry an internal source address.
Egress Filtering: do not allow packets to leave with an external (non-internal) source address.
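Both rules as a small border filter run over a constructed flow log. This is an added example, not from the original notes; the internal address ranges and the sample packets are assumptions. It uses the standard ipaddress module:

```python
import ipaddress

# Constructed: the organisation's own address space behind the border router.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Source addresses that should never arrive from the Internet at all.
BOGON_NETS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("0.0.0.0/8")]


def in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def border_filter(direction: str, src: str, dst: str):
    """direction is 'in' (Internet -> us) or 'out' (us -> Internet).
    Returns (verdict, reason)."""
    if direction == "in":
        # Ingress filtering: a packet from outside claiming an inside source
        # address is spoofed (or a routing loop); drop it.
        if in_any(src, INTERNAL_NETS):
            return "drop", "ingress: internal source arriving from outside"
        if in_any(src, BOGON_NETS):
            return "drop", "ingress: bogon source"
        return "allow", "ingress ok"
    if direction == "out":
        # Egress filtering (BCP 38): only our own addresses may leave; this
        # stops our hosts being used as spoofed-source DDoS amplifiers.
        if not in_any(src, INTERNAL_NETS):
            return "drop", "egress: non-internal source leaving our network"
        return "allow", "egress ok"
    raise ValueError("direction must be 'in' or 'out'")


# Constructed sample flow log: (direction, source, destination).
SAMPLE_PACKETS = [
    ("in", "10.1.2.3", "203.0.113.5"),       # spoofed: our address from outside
    ("in", "198.51.100.7", "10.1.2.3"),      # legitimate inbound
    ("out", "10.1.2.3", "198.51.100.7"),     # legitimate outbound
    ("out", "203.0.113.9", "198.51.100.7"),  # spoofed: foreign source leaving
    ("in", "127.0.0.1", "10.1.2.3"),         # bogon
]


def verdicts(packets=SAMPLE_PACKETS):
    return [border_filter(d, s, t)[0] for d, s, t in packets]
```

The fourth packet is the one a Smurf-style attacker relies on: a host inside your network emitting a packet with somebody else's source address. Egress filtering makes your network a poor launch point for that attack.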
M.O.M: Motivations, Opportunities, Means; why crimes are committed.
Controls:
o Preventive: concerned with avoiding occurrences of the risk
o Deterrent: concerned with discouraging violations
o Detective: identify occurrences
o Corrective: remedying circumstances and restoring controls
o Compensating: alternative controls used to compensate for weakness in other controls

ISC2 Code of Ethics:
Preamble:
The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
Therefore, strict adherence to this code is a condition of certification.
Code of Ethics Canons:
Protect society, the commonwealth, and the infrastructure
Act honorably, honestly, justly, responsibly, and legally
Provide diligent and competent service to principals
Advance and protect the profession

Response Time Frame:
o Critical: minutes to hours
o Urgent: 24 hours
o Important: 72 hours
o Normal: 7 days
o Non Essential: 30 days

Named Peril Policy: covers only what is named in the policy. Good choice for those whose business is located in an area
frequently hit by a particular kind of disaster.
All Risk/Comprehensive/Open Peril Policy: covers your business from damages caused by any type of disaster with the
exception of those specifically excluded in the policy.
SDLC:
Project initiation and planning
Functional requirements definition
System design specification
Development and implementation
Documentation and common program controls
Testing and evaluation control, certification and accreditation
Transition to production (implementation)
Operation and maintenance support
Revisions and system replacement

Backward Chaining: System backtracks to determine if a given hypothesis is correct


Forward Chaining: Acquires information and comes to conclusion based on that information. Used when there is a small
number of solutions relative to the number of inputs.
Active Attacks: alter the data or otherwise affect the flow.
Passive Attacks: just observe the flow and gain knowledge of the information it contains (traffic analysis,
eavesdropping, shoulder surfing).
Legal:
Best Evidence: the original, primary evidence rather than a copy or duplicate of the evidence
Secondary: a copy of the evidence or an oral description of its contents; not as reliable as best evidence
Direct: proves or disproves a specific act through oral testimony based on information gathered through the witness's five
senses
Conclusive: incontrovertible; overrides all other evidence
Opinions: expert (may testify on conclusions) or non-expert (facts only)
Circumstantial: proves an intermediate fact from which another fact can be inferred; does not prove the point on its own
Corroborative: supporting evidence used to help prove an idea or point; used as a supplementary tool to help prove a
primary piece of evidence
Hearsay (3rd party): oral or written evidence presented in court that is second hand, with no first-hand proof of
accuracy or reliability. Usually not admissible in court; computer-generated records count as hearsay unless they qualify under the business records exception
TEMPEST: U.S. government program that addressed the problem of radio frequency signals emanating from
computers. It requires shielding and other emanation-reducing mechanisms to be employed
Output Control: for verifying the integrity and protecting the confidentiality of an output
System Reboot: performed after shutting down the system in a controlled manner in response to a TCB failure
Emergency System Reboot: is done after a system fails in an uncontrolled manner but consistency can be brought back
automatically to the system
System Cold Start: takes place when unexpected TCB or media failures take place and the recovery procedures cannot
bring the system to a consistent state. Intervention of administrative personnel is required to bring the system to a
consistent state from maintenance state/mode
Incremental Backup: the fastest daily backup; copies only files that have changed or been added since the last backup of any kind.
Backups address Integrity, Recovery, and Availability
Similar to Secure Shell, Secure Socket Layer (SSL) uses Symmetric encryption for encrypting the bulk of the data being
sent over the session and it uses Asymmetric or Public Key key cryptography for peer authentication
Transport layer sets up communication between computer systems; while the session layer sets up connections between
applications
Critical Survey: implemented through a standard questionnaire to gather input from the most knowledgeable people,
not from all personnel that is going to be part of the recovery team
Spoofing Attack: an attempt to gain access to a computer system by posing as an authorized user of the system
Spamming: sending out or posting junk advertising and unsolicited mail
Smurf Attack: a type of DoS attack using ICMP echo (ping) to a broadcast address with a spoofed source address, so the replies flood the victim
Sniffing: observing packets passing on a network
Multiprocessing: more than one CPU
Multitasking: simultaneous execution of 2 or more programs. Both launched but only one in running state
Multiprogramming: interleaved execution of two or more programs by CPU. Several programs run at the same time on a
uni-processor. Operating system executes part of one program, then part of another. To the user it appears that all
programs are executing at the same time
Protection Rings:
Ring 0: Operating System Kernel
Ring 1: Remaining parts of the Operating System
Ring 2: Input/Output drivers and utilities
Ring 3: Applications and programs
Business Resumption Planning: details the steps required to restore normal business operations after recovery from a
disruptive event
Business Continuity Planning: develops a long-term plan to ensure the continuity of business operations
Continuity of Operations: describes the procedures required to maintain operations during a disaster
Occupant Emergency Plan: provides the response procedures for occupants of a facility in the event a situation poses a
threat to the health and safety of personnel environment or property
Recovery Point Objective: moment in time at which data must be recovered and made available to users in order to
resume business operations
Recovery Time Objective: the time it takes to bring a failed system back online
Trusted Computing Base: total combination of protection mechanisms within a computer system: software, firmware,
hardware
Common Attacks (not original content):
Types:
Information Leakage: OS/server/database fingerprinting, usernames, passwords.
Configuration: misconfiguration/insecure configuration of apps, OS, system, etc.
Bypass: authentication, authorization, file control, front end (can access backend systems directly).
Injection: command injection, code injection, SQL injection (SQLi), blind SQLi, Cross Site Scripting (XSS), HTTP
response splitting, Cross Site Request Forgery (CSRF).
Directory Traversal
File Inclusion
Username Harvesting: by collecting valid usernames you only need to guess the passwords, which increases the
probability of a successful guess and reduces the overall time.
Cross Site Scripting (CSS/XSS): application layer attack.
o Also known as script injection.
o Leverages vulnerabilities in the code of a web application to deliver malicious content to end users and collect data from the victim.
o In a typical XSS attack, the attacker injects a malicious client-side script into a legitimate web page. When a user visits
this web page the script is downloaded to their browser and executes with the page's origin (cookies, session).
o Two types (plus DOM-based XSS, where the payload never reaches the server):
Persistent (stored)
Reflected

SQL Injection (SQLi): a subset of the unverified and unsanitized user input vulnerability.
o Two types: normal, also known as in-band, and blind SQLi.
o Blind SQLi is similar to normal SQLi; the primary difference is that query results and error messages are not
displayed back by the target system, so the attacker infers data from true/false behaviour or response timing.
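Both variants against one constructed login table, with the parameterized fix next to the vulnerable code. This is an added example, not part of the original notes; the table, accounts and passwords are made up. Python's built-in sqlite3 is used so it runs without a database server:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the target's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Builds the query by string formatting: user input becomes SQL syntax."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username: str, password: str):
    """Parameterized query: the driver passes values separately from the SQL
    text, so quotes in the input are just data."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


# In-band payload: the WHERE clause becomes (user='x' AND pw='') OR '1'='1'.
INBAND_PAYLOAD = "' OR '1'='1"


def blind_extract_password(conn, target: str,
                           alphabet="abcdefghijklmnopqrstuvwxyz0123456789") -> str:
    """Blind (boolean-based) SQLi: the attacker only learns 'logged in' or
    'not logged in' and recovers the secret one character at a time."""
    recovered = ""
    for position in range(1, 64):
        for ch in alphabet:
            probe = ("' OR (SELECT substr(password,%d,1) FROM users WHERE username='%s')='%s"
                     % (position, target, ch))
            if login_vulnerable(conn, "x", probe):  # true branch: rows come back
                recovered += ch
                break
        else:
            break  # no character matched: end of the string
    return recovered
```

The blind loop never sees a password on screen; it only sees whether the login "succeeds", which is the oracle the notes describe. The same parameterized query that defeats the in-band payload defeats the blind probes as well, because the driver never lets the quote character close the string.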

Directory Traversal (directory climbing, backtracking): a form of HTTP exploit in which an attacker uses the software on a
web server to access files in a directory other than the server's web root. If the attempt is successful, the attacker can
read restricted files or even execute commands on the server. It is commonly performed with nothing more than a web browser. Any server
that does not validate path input coming from the browser is vulnerable to this type of attack.
Cross-Site Request Forgery: the attacker tricks the victim's browser into sending a request the victim did not intend (by visiting a page or
clicking a URL link); the target site honours it because the browser automatically attaches the victim's session cookie.
Watering Hole: threat actors compromise a carefully selected website that the intended victims are known to visit, inserting an exploit that results in malware
infection.
False Positives (vulnerability scanning): when vulnerability is identified by the scanner but in actuality does not exist.
False Negatives (vulnerability scanning): scanner does not identify vulnerabilities that in fact exist in the environment.
HTTP Methods:
GET: retrieves information from the given server using a given URI. Requests using GET should only retrieve data and should have no other effect on the data.
HEAD: same as GET, but only transfers the status line and header section.
POST: sends data to the server, for example customer information or a file upload, using HTML forms.
PUT: replaces all current representations of the target resource with the uploaded content.
DELETE: removes all current representations of the target resource given by the URI.
CONNECT: establishes a tunnel to the server identified by a given URI (used by proxies to pass HTTPS).
OPTIONS: describes the communication options for the target resource (used by CORS preflight requests).
TRACE: performs a message loop-back test along the path to the target resource; usually disabled on production servers because the echoed request can expose headers such as cookies (cross-site tracing).

DNS (Domain Name System): holds the mapping between host names and IP addresses. When you attempt to access a
website, your system first checks whether the name to IP address mapping is cached in your browser (from a previous visit). If
not, it checks the system's local resolver cache. If it is not there either, it queries your ISP's (recursive) DNS server, which,
if it has no cached answer, walks from the root servers down to the authoritative name server for the requested domain.
Common DNS Records:
o A: points to a host's IPv4 address (AAAA for IPv6)
o MX: points to the domain's mail server
o NS: points to the name server authoritative for the domain
o CNAME: canonical name, allows aliases to a host
o SOA: start of authority; indicates authority for the domain and the zone parameters
o SRV: service records (host and port for a service)
o PTR: maps an IP address to a hostname (reverse lookup)
o RP: responsible person
o HINFO: host information record, includes CPU and OS type (useful to an attacker for fingerprinting)

TCP Header Flags:
o URG Urgent: the urgent pointer field is significant; the flagged data should be processed immediately.
o ACK Acknowledge: acknowledges receipt of data (set on every segment after the initial SYN).
o PSH Push: tells the receiving TCP stack to hand buffered data to the application immediately.
o SYN Synchronize: initiates a connection between hosts (SYN, SYN/ACK, ACK three-way handshake).
o FIN Finish: tells the remote system that there will be no more transmission.
o RST Reset: aborts/resets a connection (also the reply to a SYN sent to a closed port).

Spot Base64: alphabet [A-Z, a-z, 0-9, + and /]; '=' is used for padding at the end; total length is a multiple of 4.
Spot MD5: hex [a-f, 0-9], total of 32 characters.
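The two spotting rules as code, going a little beyond the page: a 40-character hex string is a SHA-1 digest and 64 characters a SHA-256 digest by the same rule, and base64 is checked with a strict decode rather than by alphabet alone. This is an added example and not part of the original notes; the sample tokens are constructed (the MD5 and SHA-1 shown are the digests of the empty string):

```python
import base64
import binascii
import re

# Hex digest lengths for the common one-way hashes (the notes give the MD5 case).
HEX_DIGEST_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_like_hex_digest(token: str):
    """Returns the hash name whose hex digest length matches, else None."""
    if HEX_RE.match(token):
        return HEX_DIGEST_LENGTHS.get(len(token))
    return None


def looks_like_base64(token: str) -> bool:
    """Alphabet check, '=' padding only at the end, length a multiple of 4,
    and a strict decode to make sure the padding is actually consistent."""
    if not B64_RE.match(token) or len(token) % 4 != 0:
        return False
    try:
        base64.b64decode(token, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def classify(token: str) -> str:
    # Hex is tested first: a 32-hex-char string is also valid base64 (its
    # length is a multiple of 4 and hex digits are in the base64 alphabet), so
    # the order of the tests decides which label such a token gets.
    name = looks_like_hex_digest(token)
    if name:
        return "hex digest (%s)" % name
    if looks_like_base64(token):
        raw = base64.b64decode(token)
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            text = None
        if text is not None and text.isprintable():
            return "base64 of text: %s" % text
        return "base64 of binary data"
    return "unknown"
```

A token that decodes to printable ASCII is the interesting case when triaging logs or captured traffic: it is often a credential or a serialized parameter that was merely encoded, not encrypted.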
