CISSP MEMORY
Some things are funny lies to aid in memory. For example, RSA doesn’t really mean Real
Signature Algorithm. Some things may be crass or rude. Good. That might help you
remember. Some things only make sense to me – make your own up. Add to the
AIDS document with your own. A few are stolen here and there. Thanks to Kelly Handerhan
for the Symmetrical Algo Trick. Thanks to Eric Conrad for the other examples by Eric
Conrad. -JS
RAID:
“RAID 0 – Striping” (say it all together). 0 Redundancy | Bl0ck.
RAID 1 – Mirroring. Picture the 1 as a girl in a mirror.
RAID 5 – 5trip1ng. Striping with a 1 in it (get it?)
Any RAID above 1 gets parity.
3 – byte stripe parity, then 4 – block stripe parity.
6 is just 5 with redundant parity stripes.

Asymmetric Algorithms:
1. RSA, DSA (SA Brothers)
2. ECC, El Gamal (E E)
3. Diffie Hellman, Knapsack (Guy named Diffie and his Knapsack)
The rest are Symmetrical….. and Hashes… a good start.

Symmetric: A FISH named DES had an IDEA on how to make RC4 and AES SAFER.

HASHES: A bunch of MD’s hanging out with SHA’s, HAVAL the RIPEmd TIGERs. Think crazy party with Docs, Sha’s, having all the stinky tigers.

Default answer for modern Crypto: AES (it’s used everywhere).

Digital Signatures: RSA [Real Signature Algorithm]

ENTICEMENT VS ENTRAPMENT
Enticement – Tempting ‘em – Legal
Entrapment – Tricking ‘em – Illegal

Streaming Ciphers associated with Feedback: Never pee into the wind. Streams feeding back into your face.
RC4 IS ONLY STREAM.
Twofish: 128 bits – 2x 64 bit fish. 2 Fish uses 2 Fish. A post-whitening fish and a pre-whitening fish.
Caesar Cipher: Caes3R. 3R = 3 to the right.
Diffie-Hellman and Mr. El Gamal are sneaky poopers – they drop DISCRETE LOGS. Discrete Logarithmic ciphers.
WEP: Pronounced WEEP – because the creators weep over how insecure it is….
WPA: TKIP. T for Temporary fix on the way to WPA2.
WPA2: AES (Default – it isn’t TKIP) and CCMP (a lot like CCCP Russians. Finally keeping the Russians out).

FIREWALLS:
Layer 7 Application Firewalls. Application Proxies. Level 7 Humans can make decisions. Control Active Directory. Certificates. Certifiably Human.
Layer 5 Firewalls. Short Circuit – Johnny 5. Circuit Firewalls can monitor TCP Handshakes – Robot shaking hands.
5tateful Firewall5. Just like Johnny 5 they are alive. Not quite lvl 7 humans. 5’s are 5tateful and Circuit Level. Johnny 5 was an anomaly.
Layer 3. Static Pack3t. Static. They are dumb turnstiles. Locked or unlocked. All or nothing. All or no TCP, DNS. Turnstil3s can’t stop a virus because they are yuck (NYC Subway Turnstile). They CAN stop malformed packets…. Turnstiles CAN stop 1500 Super Mutants (Malformed Humans).

LAWS:
Due Care v Due Diligence: Think of a Doctor’s Standard of Care. That is the care. Diligence is the Doctor’s action on you. Due Care is Research/knowledge. Diligence is the actions. Docs act diligently.
HIPAA sounds like HEP A (medical protection law).
HITECH: Hi-Tech Breaching cyborgs attacking covered associates of HIPAA.
$OX: Enron… ’02 shit got real. Publicly traded companies: Adequate Financial Disclosure, Independent Auditors, Internal Security Controls (CI$$P Jobs). Intentional Violators are Criminals.
GLBA (The HIPAA of Financial Institutions): C&I of customer data. Breach Notifications.
SB1386: Breach Notification. Breach BEACH (California).
CFAA: As amended, Catch All for cyber-crime. 10 computers damaged is a Felony.
ECPA: No Wiretaps and shit…. All in the name: Electronic Communications….
PATRIOT ACT: Not so Patriotic. Reduction of restrictions on surveillance.
PCI-DSS: Piece a Diss? Piece a Diss shit ain’t no law… Pay me.
EU Safe Harbor: USA Companies need only volunteer… Volunteers to fight in Europe.

CMM – “Erd-MO” IRDMO. Initial, Repeatable, Defined, Managed, Optimizing.

Forensic Evidence Steps: IP CEA PD (Internet | CEA | Police Department)
1. Identify – Look around
2. Preserve – Don’t step in that!
3. Collect – Now pick it up footprint free
4. Examine – What do we have here
5. Analyze – Take a closer look
6. Presentation – See? Look what I found!
7. Decision – Well? What do you think? [jury]

Evidence Types:
Direct – Witnesses to the cops
Real – Knives
Best – Contract ever!
Secondary – expert witness was my 2nd choice
Corroborative – back up
Circumstantial – proves another fact

Code of Ethics Canons: Night and Day. First 2 Canons are at night… Super Hero Status… Protecting Society and acting honorably… Jedi. Second 2 Canons are Provide and Advance… You are a techie by day. You must follow the canons in order… Night and Day (order). On the test answer ethical questions by order of the canons! And in real practice.
[Read the following in Robocop’s voice – Prime Directives… it helps]
1. Protect society, the commonwealth and the infrastructure
2. Act honorably, honestly, justly, responsibly, and legally
3. Provide diligent and competent service to principals
4. Advance and protect the profession

Policies: Mandatory. High Level = Presidential.
Program Policy establishes the Information Security Program.
Policies have an owl! Policies – Why? Who Who What? Like an owl asking: Why? Who who what? Purpose – Why | Scope – Who this covers | Responsibilities – WTF, Who does what | Compliance – What happens when you don’t comply.
1. Purpose – Why
2. Scope – Who
3. Responsibilities – Who
4. Compliance – What
Only Discretionary Policies: Guidelines and Baselines – you don’t have to wait in line. You’ll probably need management sign off to veer from Baselines.

Risk Analysis: The Threat of a Fire could work through the Vulnerability of no sprinklers to destroy the whole building. The building is at risk. Threat = potentially harmful source. Vulnerability = the weakness that allows the threat to do damage.
Risky Titty is Vulnerable! Risk = Threat Times Vulnerability.
Risk = Threat * Vulnerability
Risk = Threat * Vulnerability * Impact – When you want to add weight to the vulnerability. For example, you want a building full of expensive stuff to be a worse loss than an empty one. Well, Impact adds weight. Human life is infinitely irreplaceable. It trumps all.
Risk = Threat * Vulnerability * Cost (simply make the impact in money)
Sleeve Fuck (movie quote – go home and …): SLEAVE F: SLE = AV*EF
Drinking ale leads to slaying with arrows: ALE = SLE*ARO
TCO: To.Tal.Cost. of.owner.ship – It’s everyyy.thing. Initial purchase of mitigating safeguard. Upfront capital, annual mx, subscriptions. TCO of your car would be what you paid, plus cost of all repairs, gas and oil etc.
ROI: Return on Investment. What you are getting back from the safeguard.
If ale is better than tacos you made a good choice. If ALE is > TCO you have a +ROI (not –ROI): you chose a good safeguard. In other words, if TCO > ROI then bad choice. In other other words, Safeguards should be saving money. Not simply costing the company.

Risk Management Process: Love is Risky, Love Potion No. 9. 9 steps.
1. System Characterization – What do we have
2. Threat ID – Risk = Threat*Vulnerability. Simply finding THREATs and Vulnerabilities.
3. Vulnerability ID
4. Control Analysis – Current and planned controls
5. Likelihood Determination – Simply figuring what the likelihood and impact is.
6. Impact Analysis
7. Risk Determination – Doing Quantitative and Qualitative Analysis
8. Control Recommendations – TCO, ALE and ROI, oh my!
9. Results Documentation – Document your work
This shit was retired in 2012. But Conrad says to know it? Just rote the 9 steps if you feel you have time. DON’T ROTE MEMORIZE THIS.

TCP/IP Model: 3-1-1-2 | 3 layers combined, 1 lyr, 1 lyr, 2 combined
3 – Application, Presentation, Session = Application
1 – Transport = Host to Host
1 – Network = Internet
2 – Data-Link, Physical = Network Access

Layers of Attacks: Starting point. Basic.
4 – SYN 4 Fraggle…. SYN 4 Fraggle!!
3 – Loki shed 3 Smurf Teardrops.

Biometrics Metrics: FRR v FAR… 2 is greater than one. 2 is a greater offense than 1. Type 2 is False Acceptance and 1 is False Reject.
Order of BioM’s: 1. Know 2. Have 3. Are. Do you KNOW what you HAVE here? No? You ARE an idiot!

XSS v CSRF: CSRF is the website’s misplaced trust in the uSeR. XSS is the user’s misplaced trust in the website (xSITEscripting). The subject being mistrusted goes at the end of the sentence.
Finally got it: XSS is when an attacker tricks a victim into unwittingly executing a code injection attack on a website. The user trusts the website to not allow such buffoonery! CSRF – the website trusts that users aren’t dumb enough to fall for Social Engineering.

Biba vs Bell-LaPadula: Justin Biba has no integrity. Biba is about integrity. If you know that, then Bell is Confidentiality = Keep secrets = No Read Up, No Write Down. (Obvious when you think about it: Can’t read higher clearance stuff and can’t share with lower clearance holders). Flip those two for Integrity = Biba: No Write Up, No Read Down.
Clark-Wilson: Don’t touch my shit! Lewis and Clark telling Native Americans not to touch their stuff. Untrusted users aren’t allowed to have access to resources without going through a protected application [web interfaces for example].

Access Control: MAC = Lattice – Big MAC with lattice. Lattice is a MAC.
Non-Discretionary = Role-Based. Job Roles are Non-Discriminatory in USA.

CERTIFICATION and ACCREDITATION: A-C-C – ACCREDITATION | ACCEPTANCE. Accreditation is management’s acceptance of a product. First it’s certified, then accredited (accepted) and finally implemented.

XTACACS+ – TCP (picture TCP hanging down from the T)
DIAMETER – TCP (same, TCP hanging down from the T)
RADIUS – UDP (UDP hanging down from the U)
RADIUS is the only one that uses UDP.
Order of TACACS. Then a wild X appeared (we read left to right). XTACACS. Then the X rolled behind the word to the right and landed on its side – XTACACS+. The plus is the bonus of Multi-Factor Authentication.

Multitasking: Multi Multi Tasking – It allows multiple tasks to use multiple processes. Multithreading. Multiple. Threading = Multiple threads at one time. Most applications allow multithreading. Most processors allow multitasking. When you press ALT CTRL DEL in Windows you get Task Manager… thus the CPU is running multiple Tasks. Each app in and of itself is multithreading.

Embedded Devices: Cell phones are embedded in our pockets. It’s devices that are everywhere.

Cyber Incident Response Life-Cycle:
1. Preparation – Boy Scouts prepare first! Then this little gem: “The PD looks in RooM’s for PreC Lessons with a bunch of Re-Re’s.” These ALWAYS end with a Lessons Learned.
2. Detection / ID
3. Response / Containment
4. Mitigation / Eradication
5. RePort
6. ReCover
7. ReMediate
8. Lessons Learned
Reporting happens throughout, starting at detection. Remediation begins in Mitigation and runs in parallel. No sense in waiting to fix that shit.

Snort: NIPS Snort, NIDS Snort – open source NIPS and NIDS.
Tripwire: Picture a virtual tripwire into your PC. It’s a HIDS. For the exam HIDS (Tripwire) observes the files…. So now picture the tripwire attached to files. (Does it through Hashing FOOL!)

DRP/BCP
DRP: RAC AR – Respond, Activate, Communicate, Assess, Reconstitution. Rack AR-15…
BCP and/or DRP Steps: PiSs Burp InBound! PS BIRP IB
1. Project Initiation – Run the .ini first!
2. Scope the project – Guns = Scopes = Range Fans… what’s covered.
3. Business Impact Analysis – The big daddy
4. ID Preventive Controls – Prevent so you don’t need recovery
5. Recovery Strategy – Prev. Ctrls didn’t catch it! We need a Recvry. Strat stat!
6. Plan Design and Development – How are we going to do this?
7. Implementation, Training and Testing – Let’s do this! IMP TITTY
8. BCP/DRP Maintenance – No Rest for the weary.
The Piss (PS) gets its own cup. In that cup is the .ini and scoping out what we’ll need. The Burp (BIRP) is the BIA – we figure out what we have to protect. Then we ID how we are going to prevent bad things. Oh shit, that didn’t work – we need a Recovery Strategy. OK, let’s get a Plan Designed and Developed to get the company ready. The Inbound is all about the Imp Titties. Implement, Train and Test; and of course no rest for the weary… keep on it.
The .ini calls up formal guidance and authority for the project. CPPT.exe is called by the .ini. The “Captain” aka CPPT is the Continuity Planning Project Team; it figures who is who for the .ini.
3 Items Management Execs are responsible for in BCP/DRP:
1. Initiating
2. Final Approval
3. Demonstrate Due Care Due Diligence
Initiate Final Demon Due Due.
BIA – 2 Processes to ultimately find the MTD’s for specific IT Assets. Processes:
1. ID of Critical Assets.
2. Comprehensive Risk Assessment Conducted.
Find the MTD (RTO+WRT) of specific IT Assets.
Now you have the MTD…. You looked at how to prevent it… now look at how to save it if un-prevented….

Recovery Strategies:
Redundant Site – Instant fail over. Site running in parallel.
Hot Site – Just shy of parallel. Less than an hour recovery. Parallel Databases and security etc.
Warm Site – 24 to 48 hours boot up time. Back-Up Data not in parallel. Hardware ready – Backups not.
Cold Site – Cheapest. No Backup data. No immediate hardware. MTD measured in weeks. May be waiting on vendor shipments of hardware etc.
*All these sites have raised floors, power, utilities and physical security*

Other Plans:
If it’s a B plan… Business Plan… BCP or BRP, then it is business focused and not IT focused. It covers IT as a support piece to other essential Business functions.
The COOP. COnt. Op. Plan. You gotta fly the coop and hide out for 30 days. Not IT focused… HQ writes it up. So – a chicken coop full of accountants with 30 days of supplies. 30 days.
Cont. of Support Plan aka IT Contingency Plan: Addresses IT Disruption – Not business plan. IT Supports ~~ hence Continuity of Support Plan.
Crisis Commo. Plan: Not IT Focused. Simply how to get a hold of people – Call trees.
Cyber Incident Response Plan: Remember PD in the RooM looking for PreCuM Lessons? Yeah. That. And it’s IT Focused. Cyber Cops.
DRP: Often IT Focused. Major Disruptions, Long term effects.
OEP (Occupant Emer. Plan): Coordinated effort to minimize loss of life and injury and property damage in response to a physical threat. Purely based on people.
Crisis Management Plan: When managers can’t communicate they go into crisis.
BRP: The BURP is the relief after a disaster… going from DRP then BRP: The ol’ Durp and Burp.
SO THE ONLY IT FOCUSED PLANS ARE (CDC):
Continuity of Support / IT Contingency Plan
DRP
Cyber Incident Response Plan

Vital Records: SLA’s, Phone Lists, licensing info, support contracts, reciprocal agreements, etc. etc. need to be stored in hard copy and digital formats offsite. This should be self-evident.
Grand-Father Methodology for Tapes = YYMMDD, Year / Month / Day. Grand-Father has a Date!! 7 Dailies, 4 Weekly, 12 Monthly. Or Grandpa’s birthday is 7-4-12.
Electronic Vaulting: Big bags of money in and out… not individual bills (the big bags of money are BATCH PROCESSING).
Remote Journaling: Shitty Journalists keep logs not actual data. RJ sends transaction logs afar – not actual data.
DB Shadow: Shadows one direction under the sun. (One-way writes of DB Data to a Shadow DB)
****TESTING OF DRP/BCP SHOULD BE DONE ANNUALLY********
Walk-Through vs Walkthrough Drill: A drill is an actual… drill. The goal of all the tests is to ensure Organization Readiness.

Security Clearances: Private and Military
US Can Stop Terrorism: Unclassified, Sensitive, Confidential, Secret, Top Secret.
TS – Grave damage. A Top Secret Grave for Jimmy Hoffa.
S – Serious damage
C – Cause damage
Classified Data is C, C and above. C for Confidential. C for Classified.
Private companies use: Public, Sensitive, Confidential / Private.
Confidential – C for Company, C for Confidential… it’s info about company stuff, versus Private which is about People info (PHI and PII for example). P for people, P for Private.

Intellectual Property: Patents are 20 years from the time of patent. So by the time a drug comes out it may only have 7 years left. General PATENT was a great general by the age of 20.
Copyright = Copywrite and it is either 75 or 70 years. Corporations get more than common people do – so Corporations 75 years from conception. People get lifetime plus 75 years (so they actually get more).

Gate Classes:
1. Residential
2. Commercial
3. Industrial
4. Secure i.e. bank or airport.
You’re looking for drugs. First you look around the house. Then head to Walgreens. Then you head to the plant where they make the drugs only to discover it is in a hidden vault in a bank.

Environmental: Humidity is half the problem. 48% ± 8. Temperature: Comfortable house temps. 68-77 or 72 ± 5 (20-25 C).

Fire Type Codes:
A – Ash (Wood and Paper) – Water or Soda Acid
B – Boils (Gas and Oils) – Gas or Soda Acid – Never Water
C – Current (Electrical) – Nonconductive material such as gas.
D – Ding Ding (Metal) – Dry Powder
K – Kitchen – Wet Chemicals
Halon never goes on your DAK! Halon on all but D, A or K.
Halon and its substitutes: HALON now playing on FM200!!! This is DJ FE-13. FE-13 is the latest Fighter Jet. The FE-13 is the safest around.

802.3 v 802.11: The 3 is an Ethernet cord uncoiling. The 11 is rabbit ears on a Wi-Fi access point.

Attack Method: Recon. Scan. Foot to fingertip. Where are they weak? Hit the weakness.
1. Recon
2. Footprint (network map)
3. Fingerprint
4. Vulnerability Assessment
5. Attack

Recovery v Reconstitution: Reconstitution = Reconstruction = New building = get the toilet in before the server. Therefore, least critical go up first. Recovery is the opposite. Recover the reactor. Get the cooling rods back online before the toilet.

Swapping v Paging: Swap whole books. Trading pages is a partial transfer.

Software Development Cycle: IDIOD pronounced IDIOT. First I is .ini and second I is implementation. Last thing you do with anything is throw it away, so second D is disposal.
1. Initiation
2. Development or Acquisition
3. Implementation ------ Certification and Accreditation here.
4. Operation
5. Disposal