CISSP Mem Aid

Uploaded by sandra072353

CISSP MEMORY AIDS

Some things are funny lies to aid in memory. For example, RSA doesn't really mean Real Signature Algorithm. Some things may be crass or rude. Good. That might help you remember. Some things only make sense to me; make your own up. Add to the document with your own. A few are stolen here and there. Thanks to Kelly Handerhan for the Symmetrical Algo Trick. Thanks to Eric Conrad for other examples. -JS

RAID:
"RAID 0 – Striping" (say it all together). 0 Redundancy | Bl0ck
RAID 1 – Mirroring. Picture the 1 as a girl in a mirror.
RAID 5 – 5trip1ng. Striping with 1 in it (get it?)
Any RAID above 1 gets parity.
3 – byte stripe parity, then 4 – block stripe parity.
6 is just 5 with redundant parity stripes.

Asymmetric Algorithms:
1. RSA, DSA (SA Brothers)
2. ECC, El Gamal (E E)
3. Diffie Hellman, Knapsack (Guy named Diffie and his Knapsack)
The rest are symmetrical… and hashes… a good start.

Symmetric: A FISH named DES had an IDEA on how to make RC4 and AES SAFER.

HASHES: A bunch of MD's hanging out with SHA's, HAVAL, the RIPEmd TIGERs. Think crazy party with Docs, Sha's, having all the stinky tigers.

Default Answer for modern Crypto: AES (it's used everywhere).

Digital Signatures: RSA [Real Signature Algorithm]

ENTICEMENT VS ENTRAPMENT
Tempting 'em VS Tricking 'em
Legal VS Illegal

Streaming Ciphers associated with Feedback: Never pee into the wind. Streams feeding back into your face.
RC4 IS ONLY STREAM.

Twofish: 128 bits – 2x 64 bit fish. 2 Fish uses 2 Fish. A post-whitening fish and a pre-whitening fish.

Caesar Cipher: Caes3R. 3R = 3 to the right.

Diffie-Hellman and Mr. El Gamal are sneaky poopers- they drop DISCRETE LOGS. Discrete Logarithmic ciphers.

WEP: Pronounced WEEP- because the creators weep over how insecure it is….
WPA: TKIP. T for Temporary fix on the way to WPA2.
WPA2: AES (Default- it isn't TKIP) and CCMP (a lot like CCCP Russians. Finally keeping the Russians Out).

FIREWALLS:
Layer 7 Application Firewalls. Application Proxies. Level 7 Humans can make decisions. Control Active Directory. Certificates. Certifiably Human.
Layer 5 Firewalls. Short Circuit- Johnny 5. Circuit Firewalls can monitor TCP Handshakes- Robot shaking hands.
5tateful Firewall5. Just like Johnny 5 they are alive. Not quite lvl 7 humans. 5's are 5tateful and Circuit Level. Johnny 5 was an anomaly.
Layer 3. Static Pack3t. Static. They are dumb turnstiles. Locked or unlocked. All or nothing. All or No TCP, DNS. Turnstil3s can't stop viruses because they are yuck (NYC Subway Turnstile). They CAN stop malformed packets…. Turnstiles CAN stop 1500 Super Mutants (Malformed Humans).

LAWS:
Due Care v Due Diligence: Think of a Doctor's Standard of Care. That is the care. Diligence is the Doctor's action on you. Due Care is Research/knowledge. Diligence is the actions. Docs act diligently.
HIPAA sounds like HEP A (medical protection law).
HITECH: Hi-Tech Breaching cyborgs attacking covered associates of HIPAA.
$OX: Enron… '02 shit got real. Publicly traded companies: Adequate Financial Disclosure, Independent Auditors, Internal Security Controls (CI$$P Jobs). Intentional Violators are Criminals.
GLBA (The HIPAA of Financial Institutions): C&I of customer data. Breach Notifications.
SB1386: Breach Notification. Breach BEACH (California).
CFAA: As amended, Catch All for cyber-crime. 10 computers damaged is a Felony.
ECPA: No Wiretaps and shit…. All in the name: Electronic Communications….
PATRIOT ACT: Not so Patriotic Reduction to restrictions in surveillance.
PCI-DSS: Piece a Diss? Piece a Diss shit ain't no law… Pay me.
EU Safe Harbor: USA Companies need only volunteer… Volunteers to fight in Europe.

RISK:
Risky Titty is Vulnerable! Risk = Threat Times Vulnerability.
Risk = Threat * Vulnerability - Starting point. Basic.
Risk = Threat * Vulnerability * Impact - When you want to add weight to the vulnerability. For example, you want a building full of expensive stuff to be a worse loss than an empty one. Well, Impact adds weight. Human life is infinitely irreplaceable. It trumps all.
Risk = Threat * Vulnerability * Cost (simply make the impact in money).
Risk Analysis: The Threat of a Fire could work through the Vulnerability of no sprinklers to destroy the whole building. The building is at risk. Threat = potentially harmful source. Vulnerability = the weakness that allows the threat to do damage.
Sleeve Fuck (movie quote- go home and …): SLEAVE F: SLE = AV*EF
Drinking ale leads to slaying with arrows: ALE = SLE*ARO
TCO: To.Tal.Cost. of.owner.ship- It's everyyy.thing. Initial purchase of mitigating safeguard. Upfront capital, annual mx, subscriptions. TCO of your car would be what you paid, plus cost of all repairs, gas and oil etc.
ROI: Return on Investment. What you are getting back from the safeguard.
If ale is better than tacos you made a good choice. If ALE is > TCO you have a +ROI (not –ROI) and chose a good safeguard.
In other words, if TCO > ROI then bad choice. In other other words, Safeguards should be saving money. Not simply costing the company.

Risk Management Process: Love is Risky, Love potion no. 9. 9 steps.
1. System Characterization - What do we have
2. Threat ID - Risk = Threat*Vulnerability. Simply finding THREATs and Vulnerabilities.
3. Vulnerability ID
4. Control Analysis - Current and planned controls
5. Likelihood Determination - Simply figuring what the likelihood and impact is.
6. Impact Analysis
7. Risk Determination - Doing Quantitative and Qualitative Analysis
8. Control Recommendations - TCO, ALE and ROI oh my!
9. Results Documentation - Document your work
This shit was retired in 2012. But Conrad says to know it? WTF. Just rote the 9 steps if you feel you have time. DON'T ROTE MEMORIZE THIS.

TCP/IP Model: 3-1-1-2 | 3 layers combined, 1 lyr, 1 lyr, 2 combined.
OSI                        TCP/IP
Application   }
Presentation  } 3          Application
Session       }
Transport     } 1          Host to Host
Network       } 1          Internet
Data-Link     } 2          Network Access
Physical      }

Layers of Attacks:
4 - SYN 4 Fraggle…. SYN 4 Fraggle!!
3 - Loki shed 3 Smurf Teardrops.

Biometrics Metrics: FRR v FAR… 2 is greater than one. 2 is a greater offense than 1. Type 2 is False Acceptance and 1 is False Reject.
Order of BioM's: 1. Know 2. Have 3. Are. Do you KNOW what you HAVE here? No? You ARE an idiot!

XSS v CSRF: CSRF is the website's misplaced trust in the uSeR. XSS is the user's misplaced trust in the website (xSITEscripting). The subject being mistrusted goes at the end of the sentence.
Finally got it: XSS is when an attacker tricks a victim into unwittingly executing a code injection attack on a website. The user trusts the website to not allow such buffoonery!
CSRF- the website trusts that users aren't dumb enough to fall for Social Engineering.

Biba vs Bell-LaPadula: Justin Biba has no integrity. Biba is about integrity. If you know that then Bell is Confidentiality = Keep secrets = No Read Up, No Write Down. (Obvious when you think about it: can't read higher clearance stuff and can't share with lower clearance holders). Flip those two for Integrity = Biba: No Write Up, No Read Down.

CMM: "Erd-MO" IRDMO. Initial, Repeatable, Defined, Managed, Optimizing.

Forensic Evidence Steps: IP CEA PD (Internet | CEA | Police Department)
1. Identify - Look around
2. Preserve - Don't Step in that!
3. Collect - Now Pick it up footprint free
4. Examine - What do we have here
5. Analyze - Take a closer look
6. Presentation - See? Look what I found!
7. Decision - Well? What do you think? [jury]

Evidence Types:
Direct - Witnesses to the cops
Secondary - expert witness was my 2nd choice
Real - Knives
Corroborative - back up
Best - Contract ever!
Circumstantial - proves another fact

Code of Ethics Canons: Night and Day. First 2 Canons are at night… Super Hero Status… Protecting Society and acting honorably… Jedi. Second 2 Canons are Provide and Advance… You are a techie by day. You must follow the canons in order… Night and Day (order). On the test answer ethical questions by order of the canons! And in real practice. [Read the following in Robocop's voice – Prime Directives… it helps]
1. Protect society, the commonwealth and the infrastructure
2. Act honorably, honestly, justly, responsibly, and legally
3. Provide diligent and competent service to principals
4. Advance and protect the profession

Policies: Mandatory. High Level = Presidential. Program Policy establishes the Information Security Program.
Policies have an owl! Policies- Why? Who Who What? Like an owl asking: Why? Who who what? Purpose – Why | Scope – Who this covers | Responsibilities – Who does what | Compliance – What happens when you don't comply.
1. Purpose - Why
2. Scope - Who
3. Responsibilities - Who
4. Compliance - What
Only Discretionary Policies: Guidelines and Baselines; you don't have to wait in line. You'll probably need management sign off to veer from Baselines.

Clark-Wilson: Don't touch my shit! Lewis and Clark telling Native Americans not to touch their stuff. Untrusted users aren't allowed to have access to resources without going through a protected application [web interfaces for example].

Access Control: MAC = Lattice – Big MAC with lattice. Lattice is a MAC.
Non-Discretionary = Role-Based. Job Roles are Non-Discriminatory in USA.

CERTIFICATION and ACCREDITATION: A-C-C - ACCREDITATION | ACCEPTANCE. Accreditation is management's acceptance of a product. First it's certified, then accredited (accepted) and finally implemented.

[Figure: XTACACS+ written across with TCP running down from its T; DIAMETER written across with TCP running down from its T; RADIUS written across with UDP running down through its U.]
RADIUS is the only one that uses UDP.
Order of TACACS. Then a wild X appeared (we read left to right): XTACACS. Then the X rolled behind the word to the right and landed on its side: XTACACS+. The plus is the bonus of Multi-Factor Authentication.

Multitasking: Multi Multi Tasking- It allows multiple tasks to use multiple processes. Multithreading: Multiple Threading = Multiple threads at one time. Most applications allow multithreading. Most processors allow multitasking. When you press ALT CTRL DEL in Windows you get Task Manager… thus the CPU is running multiple Tasks. Each app in and of itself is multithreading.

Embedded Devices: Cell phones are embedded in our pockets. It's devices that are everywhere.

Cyber Incident Response Life-Cycle:
1. Preparation - Boy Scouts prepare first! Then this little gem: "The PD looks in RooM's for PreCuM Lessons with a bunch of Re-Re's." ALWAYS end with a lessons learned.
2. Detection / ID
3. Response / Containment
4. Mitigation / Eradication
5. RePort
6. ReCover
7. ReMediate
8. Lessons Learned
- Reporting happens throughout, starting at detection.
- Remediation begins in Mitigation and runs parallel. No sense in waiting to fix that shit.

Snort: NIPS Snort, NIDS Snort. Snort is open source NIPS and NIDS.
Tripwire: Picture a virtual tripwire into your PC. It's a HIDS. For the exam, HIDS (Tripwire) observes the files…. So now picture the tripwire attached to files. (Does it through Hashing, FOOL!)

DRP/BCP

DRP: RAC AR. Respond, Activate, Communicate, Assess, Reconstitution. Rack AR-15…

BCP and/or DRP Steps: PiSs Burp InBound! PS BIRP IB
1. Project Initiation
2. Scope the project - Guns = Scopes = Range Fans… what's covered.
3. Business Impact Analysis - The big daddy
4. ID Preventive Controls - Prevent so you don't need recovery
5. Recovery Strategy - Prev. Ctrls didn't catch it! We need a Recvry. Strat stat!
6. Plan Design and Development - How are we going to do this? Let's do this!
7. Implementation, Training and Testing - IMP TITTY
8. BCP/DRP Maintenance - No Rest for the weary.
The Piss (PS) gets its own cup. In that cup is the .ini and scoping out what we'll need.
The Burp (BIRP) is the BIA- we figure out what we have to protect. Then we ID how we are going to prevent bad things. Oh shit, that didn't work- we need a Recovery Strategy. OK, let's get a Plan Designed and Developed to get the company ready.
The Inbound is all about the Imp Titties. Implement, Train and Test; and of course no rest for the weary… keep on it.
The .ini calls up formal guidance and authority for the project. CPPT.exe is called by the .ini. The "Captain" aka CPPT is the Continuity Planning Project Team; it figures who is who for the .ini.

****TESTING OF DRP/BCP SHOULD BE DONE ANNUALLY********

3 Items Management Execs are responsible for in BCP/DRP:
1. Initiating
2. Final Approval
3. Demonstrate Due Care, Due Diligence
Initiate Final Demon Due Due.

BIA - 2 Processes to ultimately find the MTD's for specific IT Assets. Processes:
1. ID of Critical Assets.
2. Comprehensive Risk Assessment Conducted.
**These find the MTD (RTO+WRT) of Specific IT Assets.**
Now you have the MTD…. You looked at how to prevent it… now look at how to save it if un-prevented….

Recovery Strategies:
Redundant Site - Instant fail over. Site running in parallel.
Hot Site - Just shy of parallel. Less than an hour recovery. Parallel Databases and security etc.
Warm Site - 24 to 48 hours boot up time. Back-Up Data not in parallel. Hardware ready- Backups not.
Cold Site - Cheapest. No Backup data. No immediate hardware. MTD measured in weeks. May be waiting on vendor shipments of hardware etc.
*All these sites have raised floors, power, utilities and physical security*

Other Plans:
If it's a B plan… Business Plan… BCP or BRP, then it is business focused and not IT focused. It covers IT as a support piece to other essential Business functions.
The COOP. COnt. Op. Plan. You gotta fly the coop and hide out for 30 days. Not IT focused… HQ writes it up. So- a chicken coop full of accountants with 30 days of supplies. 30 days.
Cont. of Support Plan aka IT Contingency Plan: Addresses IT Disruption- Not business plan. IT Supports ~~ hence Continuity of Support Plan.
Crisis Commo. Plan: Not IT Focused. Simply how to get a hold of people- Call trees.
Cyber Incident Response Plan: Remember PD in the RooM looking for PreCuM Lessons? Yeah. That. And it's IT Focused. Cyber Cops.
DRP: Often IT Focused. Major Disruptions, Long term effects.
OEP (Occupant Emer. Plan): Coordinated effort to minimize loss of life and injury and property damage in response to a physical threat. Purely based on people.
Crisis Management Plan: When managers can't communicate they go into crisis.
BRP: The BURP is the relief after a disaster… going from DRP then BRP: The ol' Durp and Burp.
SO THE ONLY IT FOCUSED PLANS ARE (CDC):
- Continuity of Support / IT Contingency Plan
- DRP
- Cyber Incident Response Plan

Vital Records: SLA's, Phone Lists, licensing info, support contracts, reciprocal agreements, etc. etc. need to be stored in hard copy and digital formats offsite. This should be self-evident.

Recovery v Reconstitution: Reconstitution = Reconstruction = New building = get the toilet in before the server. Therefore, least critical go up first. Recovery is the opposite. Recover the reactor. Get the cooling rods back online before the toilet.

Swapping v Paging: Swap whole books. Trading pages is a partial transfer.

Software Development Cycle
IDIOD, pronounced IDIOT. First I is .ini and second I is implementation. Last thing you do with anything is throw it away, so second D is disposal.
1. Initiation
2. Development or Acquisition
3. Implementation ------ Certification and Accreditation here.
4. Operation
5. Disposal

Grand-Father Methodology for Tapes = YYMMDD, Year / Month / Day. Grand-Father has a Date!! 7 Dailies, 4 weekly, 12 Monthly. Or Grandpa's birthday is 7-4-12.
Electronic Vaulting: Big bags of money in and out… not individual bills (the big bags of money are BATCH PROCESSING).
Remote Journaling: Shitty Journalists keep logs, not actual data. RJ sends transaction logs afar- not actual data.
DB Shadow: Shadows go one direction under the sun. (One-way writes of DB Data to a Shadow DB.)

Walk-Through vs Walkthrough Drill: A drill is an actual… drill. The goal of all the tests is to ensure Organization Readiness.

Security Clearances: Private and Military.
US Can Stop Terrorism: Unclassified, Sensitive, Confidential, Secret, Top Secret.
TS – Grave damage. A Top Secret Grave for Jimmy Hoffa.
S – Serious damage.
C – Cause damage.
Classified Data is C, C and above. C for Confidential. C for Classified.
Private companies use: Public, Sensitive, Confidential / Private. Confidential- C for Company, C for Confidential… it's info about company stuff, versus Private which is about People info (PHI and PII for example). P for people, P for Private.

Intellectual Property: Patents are 20 years from the time of patent. So by the time a drug comes out it may only have 7 years left. General PATENT was a great general by the age of 20.
Copyright = Copywrite and it is either 75 or 70 years. Corporations get more than common people do- so Corporations 75 years from conception. People get lifetime plus 75 years (so they actually get more).

Gate Classes:
1. Residential
2. Commercial
3. Industrial
4. Secure i.e. bank or airport.
You're looking for drugs. First you look around the house. Then head to Walgreens. Then you head to the plant where they make the drugs, only to discover it is in a hidden vault in a bank.

Environmental: Humidity is half the problem. 48% ± 8. Temperature: Comfortable house temps. 68-77 or 72 ± 5 (20-25 C).

Fire Type Codes:
A  Ash (Wood and Paper)    Water or Soda Acid
B  Boils (Gas and Oils)    Gas or Soda Acid – Never Water
C  Current (Electrical)    Nonconductive material such as gas
D  Ding Ding (Metal)       Dry Powder
K  Kitchen                 Wet Chemicals
Halon never goes on your DAK! Halon on all but D, A or K.
Halon and its substitutes: HALON now playing on FM200!!! This is DJ FE-13. FE-13 is the latest Fighter Jet. The FE-13 is the safest around.

802.3 v 802.11: The 3 is an Ethernet cord uncoiling. The 11 is rabbit ears on a Wi-Fi access point.

Attack Method: Recon. Scan foot to fingertip. Where are they weak? Hit the weakness.
1. Recon
2. Footprint (network map)
3. Fingerprint
4. Vulnerability Assessment
5. Attack
