Thor Teaches Study Guide CISSP Domain 1 Sample 10 Pages


CISSP Domain 1 Lecture notes

Welcome to the first CBK Domain.


• This domain is VERY important because:
• Every other knowledge domain builds on top of this chapter.
• This is the foundation.
• This domain is very testable.
• 15% of the questions on the certification are from this domain.
• I think they are weighted high.
• IT Security should be based on a cost benefit analysis.
• What will a compromise cost us?
• How likely is a compromise?
• What will the countermeasure cost us?
• We want EXACTLY enough security and to base it on the ROI from the cost benefit analysis.

Security, Risk, Compliance, Law, Regulations, and Business Continuity.


• Confidentiality, integrity, and availability concepts.
• We want the right balance; our data needs to be secure, while keeping its integrity
intact and availability high.
• Security governance principles.
• What and how we grant data access to people, the frameworks we use for it, and
defense in depth.
• Compliance.
• Legal and regulatory issues.
• The laws and regulations we must adhere to, types of evidence, how we handle it,
intellectual property
• Professional ethics.
• The ISC2 code of ethics and corporate code of ethics.
• Security policies, standards, procedures and guidelines.
• How we use policies, standards, guidelines, procedures, and baselines, and what each does.
• Risk analysis:
• How we determine the quantitative and qualitative risks to our assets, and types of attackers.

Confidentiality, Integrity and Availability.


• The CIA Triad (AIC)
• Confidentiality
• This is what most people think IT Security is.
• We keep our data and secrets secret.
• We ensure no one unauthorized can access the data.
• Integrity
• How we protect against modifications of the data and the systems.

1 | Page
https://thorteaches.com/
• We ensure the data has not been altered.
• Availability
• We ensure authorized people can access the data they need, when they need to.

Confidentiality, Integrity and Availability.


• We use:
• Encryption for data at rest (for instance AES256), full disk encryption.
• Secure transport protocols for data in motion. (SSL, TLS or IPSEC).
• Best practices for data in use - clean desk, no shoulder surfing, screen view angle
protector, PC locking (automatic and when leaving).
• Strong passwords, multi factor authentication, masking, access control, need-to-
know, least privilege.
• Threats:
• Attacks on your encryption (cryptanalysis).
• Social engineering.
• Key loggers (software/hardware), cameras, Steganography.
• IoT (Internet of Things) – The growing number of connected devices we have poses a
new threat; they can be a backdoor into other systems.

Confidentiality, Integrity and Availability.


• System integrity and Data integrity
• We use:
• Cryptography (again).
• Checksums (for instance CRC).
• Message Digests also known as a hash (This could be MD5, SHA1 or SHA2).
• Digital Signatures – non-repudiation.
• Access control.
• Threats:
• Alterations of our data.
• Code injections.
• Attacks on your encryption (cryptanalysis).
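The checksums, message digests and keyed or signed integrity values listed above differ in what they actually protect against. The following Python is an added example, not code from the Thor Teaches notes: it computes a CRC32 checksum, a SHA-256 digest and an HMAC-SHA256 tag over a constructed configuration record, then shows what each check reports when the record is merely corrupted, and when it is deliberately altered by someone who recomputes the unkeyed values but does not hold the key. The sample data, the key and the function names are all assumptions made for the demo.

```python
import hashlib
import hmac
import zlib

# Constructed sample: a small configuration record whose integrity we want to protect.
ORIGINAL = b"admin_enabled=false\nmax_login_attempts=5\n"
# Constructed alteration of that record (one value flipped).
ALTERED = b"admin_enabled=true\nmax_login_attempts=5\n"
# Constructed demo key; a real deployment loads it from a key store, never from source code.
INTEGRITY_KEY = b"constructed-demo-key-not-for-real-use"


def crc32_checksum(data: bytes) -> str:
    """Checksum (CRC32): catches accidental corruption such as a bad disk sector."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"


def sha256_digest(data: bytes) -> str:
    """Message digest (SHA-2 family): collision resistant, but unkeyed, so anyone can recompute it."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(data: bytes, key: bytes) -> str:
    """Keyed digest (HMAC-SHA256): recomputing it requires the key, which adds authenticity."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def make_package(data: bytes, key: bytes) -> dict:
    """What a sender stores or ships alongside the data: the data plus its integrity values."""
    return {
        "data": data,
        "crc32": crc32_checksum(data),
        "sha256": sha256_digest(data),
        "hmac": hmac_tag(data, key),
    }


def verify_package(pkg: dict, key: bytes) -> dict:
    """Recompute every integrity value over the received data and compare with the shipped ones."""
    data = pkg["data"]
    return {
        "crc32_matches": crc32_checksum(data) == pkg["crc32"],
        "sha256_matches": sha256_digest(data) == pkg["sha256"],
        # compare_digest runs in constant time, so the comparison itself leaks nothing about the tag
        "hmac_matches": hmac.compare_digest(hmac_tag(data, key), pkg["hmac"]),
    }


def simulate_tampering(pkg: dict) -> dict:
    """Model of a threat that alters the data AND recomputes the unkeyed values (CRC, SHA-256).
    Without INTEGRITY_KEY no matching HMAC can be produced, so the old tag is left in place."""
    return {
        "data": ALTERED,
        "crc32": crc32_checksum(ALTERED),
        "sha256": sha256_digest(ALTERED),
        "hmac": pkg["hmac"],
    }


if __name__ == "__main__":
    good = make_package(ORIGINAL, INTEGRITY_KEY)
    print("untouched:", verify_package(good, INTEGRITY_KEY))
    print("corrupted:", verify_package(dict(good, data=ALTERED), INTEGRITY_KEY))
    print("tampered: ", verify_package(simulate_tampering(good), INTEGRITY_KEY))
```

HMAC stands in here for the keyed side of the picture. Because both parties hold the same key it gives authenticity but not the non-repudiation the slide attributes to digital signatures; those need an asymmetric key pair (sign with the private key, verify with the public key) and a library such as `cryptography`, not the standard library alone.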

Confidentiality, Integrity and Availability.


• System integrity and Data availability.
• We use:
• IPS/IDS.
• Patch Management.
• Redundancy on hardware power (multiple power supplies/UPSs/generators), disks (RAID),
traffic paths (network design), HVAC, staff, HA (high availability) and much more.
• SLAs – How high an uptime do we want (99.9%?) – (ROI)
• Threats:
• Malicious attacks (DDOS, physical, system compromise, staff).
• Application failures (errors in the code).
• Component failure (Hardware).

Confidentiality, Integrity and Availability
• Finding the right mix of Confidentiality, Integrity and Availability is a balancing act.
• This is really the cornerstone of IT Security – finding the RIGHT mix for your organization.
• Too much Confidentiality and the Availability can suffer.
• Too much Integrity and the Availability can suffer.
• Too much Availability and both the Confidentiality and Integrity can suffer.
• The opposite of the CIA Triad is DAD (Disclosure, Alteration and Destruction).
• Disclosure – Someone not authorized getting access to your information.
• Alteration – Your data has been changed.
• Destruction – Your data or systems have been destroyed or rendered
inaccessible.

IAAA (Identification and Authentication, Authorization and Accountability):


• Identification
• Your name, username, ID number, employee number, SSN etc.
• “I am Thor”.
• Authentication
• “Prove you are Thor”. – Should always be done with multi-factor authentication!
• Something you know - Type 1 Authentication (passwords, pass phrase, PIN
etc.).
• Something you have - Type 2 Authentication (ID, passport, smart card, token,
cookie on PC etc.).
• Something you are - Type 3 Authentication (and Biometrics) (Fingerprint, iris
scan, facial geometry etc.).
• Somewhere you are - Type 4 Authentication (IP/MAC Address).
• Something you do - Type 5 Authentication (Signature, pattern unlock).
IAAA:
• Authorization
• What are you allowed to access – We use Access Control models; what and how we implement
depends on the organization and what our security goals are. More on this in Domain 5 -
Identity and Access Management (DAC, MAC, RBAC, RUBAC).
• Accountability (also often referred to as Auditing)
• Trace an Action to a Subject’s Identity:
• Prove who/what a given action was performed by (non-repudiation).


IT Security is there to Support the organization.


• We are there to enable the organization to fulfil its mission statement and the business’
goals.
• We are not the most important part of the organization, but we span the entire
organization.
• We are Security leaders and Business leaders – Answer exam questions wearing BOTH
hats.

Security governance principles.


• Least Privilege and Need to Know.
• Least Privilege – (Minimum necessary access) Give users/systems exactly the
access they need, no more, no less.
• Need to Know – Even if you have access, if you do not need to know, then you
should not access the data.
• Non-repudiation.
• A user cannot deny having performed a certain action. This uses both
Authentication and Integrity.
• Subject and Object.
• Subject – (Active) Most often users but can also be programs – Subject
manipulates Object.
• Object – (Passive) Any passive data (both physical paper and data) – Object is
manipulated by Subject.
• Some can be both at different times: an active program is a subject; when closed,
the data in the program can be an object.

Security governance principles.


● Governance vs. Management
● Governance – This is C-level Executives (Not you).
● Stakeholder needs, conditions and options are evaluated to define:
● Balanced agreed-upon enterprise objectives to be achieved.
● Setting direction through prioritization and decision making.
● Monitoring performance and compliance against agreed-upon direction and objectives.

● Risk appetite – Aggressive, neutral, averse.
● Management – How do we get to the destination (This is you).
● Plans, builds, runs and monitors activities in alignment with the
direction set by the governance to achieve the objectives.
● Risk tolerance – How are we going to practically work with our risk
appetite and our environment.

Security governance principles.


● Top-Down vs. Bottom-Up Security Management and Organization structure.
● Bottom-Up: IT Security is seen as a nuisance and not a helper; often it only changes
when breaches happen.
● Top-Down: IT leadership is on board with IT Security; they lead and set the direction.
(The exam).

● C-Level Executives (Senior Leadership) – Ultimately Liable.
● CEO: Chief Executive Officer.
● CSO: Chief Security Officer.
● CIO: Chief Information Officer.
● CFO: Chief Financial Officer.
Normal organizations obviously have more C-Level executives; the ones listed here you need to know.

Security governance principles.


● Governance standards and control frameworks.
● PCI-DSS - Payment Card Industry Data Security Standard (While a standard it is
required: more on this one later).
● OCTAVE® - Operationally Critical Threat, Asset, and Vulnerability Evaluation.
● Self-Directed Risk Management.
● COBIT - Control Objectives for Information and related Technology.
● Goals for IT – Stakeholder needs are mapped down to IT related goals.
● COSO – Committee Of Sponsoring Organizations.
● Goals for the entire organization.
● ITIL - Information Technology Infrastructure Library.
● IT Service Management (ITSM).
● FRAP - Facilitated Risk Analysis Process.
● Analyses one business unit, application or system at a time in a
roundtable brainstorm with internal employees. Impact analyzed,
threats and risks prioritized.
Security governance principles.
● Governance standards and control frameworks.
● ISO 27000 series:
● ISO 27001: Establishing, implementing, controlling and improving the ISMS.
Uses PDCA (Plan, Do, Check, Act).

● ISO 27002: (From BS 7799, 1/2, ISO 17799) Provides practical advice on
how to implement security controls. It has 10 domains it uses for ISMS
(Information Security Management Systems).
● ISO 27004: Provides metrics for measuring the success of your ISMS.
● ISO 27005: Standards based approach to risk management.
● ISO 27799: Directives on how to protect PHI (Protected Health
Information).

Links on all these as well as ones from previous slides in the “Extras” lecture.

Security governance principles.


● Defense in Depth – Also called Layered Defense or Onion Defense.
● We implement multiple overlapping security controls to protect an asset.
● This applies both to physical and logical controls.
● To get to a server you may have to go through multiple locked doors, security guards,
and mantraps.
● To get to data you may need to get past firewalls, routers, switches, the server, and
the application's security.
● Each step may have multiple security controls.
● No single security control secures an asset.
● By implementing Defense in Depth you improve your organization’s
Confidentiality, Integrity and Availability.

Legal and regulatory issues.


As IT Security Professionals we need to understand that laws and regulations have a huge influence on
how we work.
We need to know some of them and understand how the rest work.
● There are 4 types of laws covered on the exam and important to your job as an
IT Security Professional.
● Criminal Law:
● “Society” is the victim and proof must be “Beyond a reasonable
doubt”.
● Incarceration, death and financial fines to “Punish and deter”.
● Civil Law (Tort Law):
● Individuals, groups or organizations are the victims and proof
must be “the majority of proof”.
● Financial fines to “Compensate the victim(s)”.
● Administrative Law (Regulatory Law):
● Laws enacted by government agencies (FDA Laws, HIPAA, FAA
Laws etc.) Proof “More likely than not”.
● Private Regulations:
● Compliance is required by contract (For instance PCI-DSS).

Legal and regulatory issues.

● Liability:
● If the question is who is ULTIMATELY liable, the answer is Senior Leadership.
This does not mean you are not liable; you may be, that depends on Due Care.
Who is held accountable, who is to blame, who should pay?
● Due Diligence and Due Care:
● Due Diligence – The research to build the IT Security architecture of your
organization. Best practices and common protection mechanisms. Research of
new systems before implementing.
● Due Care – Prudent person rule – What would a prudent person do in this
situation?
● Implementing the IT Security architecture, keep systems patched. If
compromised: fix the issue, notify affected users (Follow the Security
Policies to the letter).
● Negligence (and gross negligence) is the opposite of Due Care.
● If a system under your control is compromised and you can prove you did your
Due Care, you are most likely not liable.
● If a system under your control is compromised and you did NOT perform Due
Care, you are most likely liable.

Legal and regulatory issues.


● Evidence:
● How you obtain and handle evidence is VERY important.
● Types of evidence:
● Real Evidence: Tangible and physical objects in IT Security: Hard disks,
USB drives – NOT the data on them.
● Direct Evidence: Testimony from a firsthand witness, what they
experienced with their 5 senses.
● Circumstantial Evidence: Evidence to support circumstances for a point
or other evidence.
● Corroborative Evidence: Supports facts or elements of the case: not a
fact on its own but supports other facts.
● Hearsay: Not first-hand knowledge – normally inadmissible in a case.
● Computer-generated records, and with that log files, were
considered hearsay, but case law and updates to the Federal
Rules of Evidence have changed that. Rule 803 provides for the
admissibility of a record or report that was “made at or near the
time by, or from information transmitted by, a person with
knowledge, if kept in the course of a regularly conducted
business activity, and if it was the regular practice of that
business activity to make the memorandum, report, record or
data compilation.”

Legal and regulatory issues.
● Evidence:
● Best Evidence Rule – The courts prefer the best evidence possible.
● Evidence should be accurate, complete, relevant, authentic, and
convincing.
● Secondary Evidence – This is common in cases involving IT.
● Logs and documents from the systems are considered secondary
evidence.
● Evidence Integrity – It is vital that the evidence’s integrity cannot be
questioned.
● We do this with hashes. Any forensics is done on copies and never the
originals.
● We check the hash of both the original and the copy before and after the
forensics.
● Chain of Custody – This is done to prove the integrity of the data; that no
tampering was done.
● Who handled it?
● When did they handle it?
● What did they do with it?
● Where did they handle it?
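The hash-before-and-after rule and the four chain-of-custody questions above can be turned into a small workflow. The Python below is an added example, not part of the Thor Teaches notes: it hashes a constructed stand-in for a drive image at acquisition, creates the working copy that all analysis is done on, records every handling step with who, when, what and where plus the hash observed at that moment, and re-hashes both original and copy at close-out. The evidence bytes, examiner name, location and function names are assumptions made for the demo.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-in for an acquired drive image; a real one is read from the imaging tool's output.
ORIGINAL_IMAGE = b"constructed-image: MBR|partition-1|/home/user/notes.txt: meeting 09:00|free-space"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    """One chain-of-custody record: who, when, what, where, and the hash observed at that moment."""
    who: str
    when: str
    what: str
    where: str
    sha256: str


@dataclass
class EvidenceRecord:
    item_id: str
    acquisition_hash: str
    chain: list = field(default_factory=list)

    def log(self, who: str, what: str, where: str, data: bytes) -> CustodyEntry:
        """Append a custody entry, hashing the bytes as they are at this step."""
        entry = CustodyEntry(who, datetime.now(timezone.utc).isoformat(), what, where, sha256_hex(data))
        self.chain.append(entry)
        return entry

    def integrity_intact(self) -> bool:
        """True only if every logged handling step observed the same hash as at acquisition."""
        return bool(self.chain) and all(e.sha256 == self.acquisition_hash for e in self.chain)


def acquire(item_id: str, original: bytes, who: str, where: str) -> tuple:
    """Hash the original, then produce the working copy that all later work is done on."""
    record = EvidenceRecord(item_id, sha256_hex(original))
    record.log(who, "hashed original at acquisition", where, original)
    working_copy = bytes(original)  # the forensic copy; the original is never analysed directly
    record.log(who, "created working copy and verified it hashes like the original", where, working_copy)
    return record, working_copy


def analyze(working_copy: bytes) -> dict:
    """Read-only examination of the copy; returns findings and never mutates the bytes."""
    return {
        "size_bytes": len(working_copy),
        "keyword_hit": b"meeting" in working_copy,
    }


def close_out(record: EvidenceRecord, original: bytes, working_copy: bytes, who: str, where: str) -> bool:
    """Re-hash both original and copy after analysis; returns whether the whole chain is consistent."""
    record.log(who, "post-analysis hash of original", where, original)
    record.log(who, "post-analysis hash of working copy", where, working_copy)
    return record.integrity_intact()


if __name__ == "__main__":
    rec, copy = acquire("constructed-case-001/item-1", ORIGINAL_IMAGE, "J. Examiner", "Forensics lab bench 2")
    print(analyze(copy))
    print("chain intact:", close_out(rec, ORIGINAL_IMAGE, copy, "J. Examiner", "Forensics lab bench 2"))
    for e in rec.chain:
        print(e.when, e.who, e.what, e.where, e.sha256[:12])
```

Because every entry carries the hash seen at that step, `integrity_intact()` fails the moment any step observed bytes that differ from the acquisition hash, which is exactly what a reviewer asks a custody log to demonstrate. A production record would additionally be written to append-only storage and take its acquisition value from the imaging tool's own verified hash rather than recomputing it in a script.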

Legal and regulatory issues.


● Reasonable Searches:
● The Fourth Amendment to the United States Constitution protects citizens from
unreasonable search and seizure by the government.
● In all cases, the court will determine if evidence was obtained legally. If not, it is
inadmissible in court.
● Exigent circumstances apply if there is an immediate threat to human life or of
evidence destruction.
● This will later be decided by a court if it was justified.
● Only applies to law enforcement and those operating under the “color
of law” – Title 18. U.S.C. Section 242 – Deprivation of Rights Under the
Color of Law.
● Your organization needs to be very careful when ensuring that employees are
made aware in advance that their actions are monitored, that their equipment,
and maybe even personal belongings, can be subjected to searches.
● Notifications like that should only be made if your organization has
security policies in place for it, and it must take into account the privacy
laws in your county/state/country.
Legal and regulatory issues.
● Entrapment and Enticement:
● Entrapment (Illegal and unethical): When someone is persuaded to commit a
crime they had no intention of committing and is then charged with it.
● Openly advertising sensitive data and then charging people when they
access them.
● Entrapment is a solid legal defense.

● Enticement (Legal and ethical): Making committing a crime more enticing, but
the person has already broken the law or at least has decided to do so.
Honeypots can be a good way to use Enticement.
● Have open ports or services on a server that can be attacked.
● Enticement is not a valid defense.

● If there is a gray area in some cases between Entrapment and Enticement, it is
ultimately up to the jury to decide which one it was.
● Check with your legal department before using honeypots. They pose both legal
and practical risks.
GDPR (General Data Protection Regulation):
● GDPR is a regulation in EU law on data protection and privacy for all individuals within
the European Union (EU) and the European Economic Area (EEA).
● It does not matter where we are based, if we have customers in EU/EEA we have to
adhere to the GDPR.

● Violators of the GDPR may be fined up to €20 million or up to 4% of the annual
worldwide turnover of the preceding financial year in case of an enterprise, whichever is
greater.

● Unless a data subject has provided informed consent to data processing for one or more
purposes, personal data may not be processed unless there is at least one legal basis to
do so.

● Restrictions: Lawful interception, national security, military, police, justice.


● Personal data covers a variety of data types including: Names, Email Addresses,
Addresses, unsubscribe confirmation URLs that contain email and/or names, IP
Addresses

GDPR (General Data Protection Regulation):


● Right to access: Data controllers must be able to provide a free copy of an individual’s
data if requested.
● Right to erasure: All users have a ‘right to be forgotten’.
● Data portability: All users will be able to request access to their data ‘in an
electronic format’.
● Data breach notification: Users and data controllers must be notified of data breaches
within 72 hours.
● Privacy by design: When designing data processes, care must be taken to ensure personal
data is secure. Companies must ensure that only data that is ‘absolutely necessary for the
completion of duties’ is processed.
● Data protection officers: Companies whose activities involve data processing and
monitoring must appoint a data protection officer.

Legal and regulatory issues.
Intellectual Property:
● Copyright © - (Exceptions: first sale, fair use).
● Books, art, music, software.
● Automatically granted and lasts 70 years after creator’s death or 95 years after
creation by/for corporations.
● Trademarks ™ and ® (Registered Trademark).
● Brand names, logos, slogans – Must be registered, is valid for 10 years at a time,
can be renewed indefinitely.
● Patents: Protects inventions for 20 years (normally) – Cryptography algorithms can be
patented.
● Inventions must be:
● Novel (New idea no one has had before).
● Useful (It is actually possible to use and it is useful to
someone).
● Nonobvious (Inventive work involved).
● Trade Secrets.
● You tell no one about your formula, your secret sauce. If discovered anyone can
use it; you are not protected.
Legal and regulatory issues.
Attacks on Intellectual Property:
● Copyright.
● Piracy - Software piracy is by far the most common attack on Intellectual
Property.
● Copyright infringement – Use of someone else’s copyrighted material, often
songs and images.
● Trademarks.
● Counterfeiting – Fake Rolexes, Prada, Nike, Apple products – Either using the
real name or a very similar name.
● Patents.
● Patent infringement – Using someone else’s patent in your product without
permission.
● Trade Secrets.
● While an organization can do nothing if their Trade Secret is discovered, how it is
discovered can be illegal.

● Cyber Squatting – Buying a URL you know someone else will need (to sell at a huge
profit – not illegal).
● Typo Squatting – Buying a URL that is VERY close to a real website name (can be illegal
in certain circumstances).

Legal and regulatory issues.


Privacy:
● You as a citizen and consumer have the right to have your Personally Identifiable
Information (PII) kept securely.
