2023 CISSP Domain 3 Study Guide by ThorTeaches.com v3.1
CBK 3 makes up 13% of the exam questions; being so broad, it contains close to 25% of the exam materials.
1 | Page
https://thorteaches.com/
CISSP Domain 3 Lecture notes
▪ RUBAC - (Rule Based Access Control) is access that’s granted based on IF/THEN
statements.
● Lattice Based Access Control (LBAC) (MAC):
▪ A subject can have multiple access rights.
⬥ A Subject with “Top Secret” {crypto, chemical} would be able to access everything in this lattice.
⬥ A Subject with “Secret” {crypto} would only have access to that level.
⬥ A subject with “Top Secret” {chemical} would have access to only {chemical} in Top Secret and Secret.
▪ These are obviously vastly more complex in real life.
▪ For the exam, just know what they are and how they work.
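The three lattice cases above can be checked mechanically. The following is an added example, not code from the ThorTeaches notes: a label is a (level, categories) pair, and a subject may read an object only when it dominates it, meaning its level is at least the object's level and its category set contains every category of the object. The object names and the five-object lattice are constructed for the example.

```python
# Added example, not from the ThorTeaches notes: a minimal lattice-based access
# control check. A label is (level, set of categories). A subject dominates an
# object when its level is at least the object's level AND its category set is a
# superset of the object's; reading is allowed only when the subject dominates.
from typing import Dict, FrozenSet, List, NamedTuple

LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


class Label(NamedTuple):
    level: str
    categories: FrozenSet[str]


def dominates(subject: Label, obj: Label) -> bool:
    """True when the subject label dominates the object label in the lattice."""
    return (LEVELS[subject.level] >= LEVELS[obj.level]
            and subject.categories >= obj.categories)


def readable_objects(subject: Label, objects: Dict[str, Label]) -> List[str]:
    """Sorted names of the objects this subject may read."""
    return sorted(name for name, lab in objects.items() if dominates(subject, lab))


# Constructed sample lattice covering the three cases in the notes.
OBJECTS = {
    "ts-crypto":   Label("Top Secret", frozenset({"crypto"})),
    "ts-chemical": Label("Top Secret", frozenset({"chemical"})),
    "ts-both":     Label("Top Secret", frozenset({"crypto", "chemical"})),
    "s-crypto":    Label("Secret", frozenset({"crypto"})),
    "s-chemical":  Label("Secret", frozenset({"chemical"})),
}

# The three subjects discussed in the notes.
SUBJECTS = {
    "TS {crypto, chemical}": Label("Top Secret", frozenset({"crypto", "chemical"})),
    "S {crypto}":            Label("Secret", frozenset({"crypto"})),
    "TS {chemical}":         Label("Top Secret", frozenset({"chemical"})),
}

if __name__ == "__main__":
    for who, lab in SUBJECTS.items():
        print(f"{who:24s} can read {readable_objects(lab, OBJECTS)}")
```

Note that "Top Secret {chemical}" cannot read the Top Secret {crypto, chemical} object even though its level is high enough: dominance requires both the level and the full category set, which is what makes the structure a lattice rather than a simple ladder of clearances.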
● Clark-Wilson - Integrity:
▪ Separates end users from the back-end data through
‘Well-formed transactions’ and ‘Separation of Duties’.
▪ The model uses Subject/Program/Object.
⬥ We have discussed the Subject/Object
relationship before, but this puts a program
between the two.
⬥ We don’t allow people access to our inventory
when they buy from us.
⬥ We give them a limited functionality interface they can access.
▪ Separation of duties:
⬥ The certifier of a transaction and the implementer are different
entities.
⬥ The person making purchase orders should not be paying the invoices.
▪ Well-formed transactions are a series of operations that transition a
system from one consistent state to another consistent state.
🞂 Thor can Take (t) Jane’s rights for the object.
🞂 Jane can Create (c) and Remove (r) rights for the object.
🞂 Jane can Grant (g) any of her rights to Bob.
▪ System High Security Mode - All users must have:
⬥ Signed NDA for ALL information on the system.
⬥ Proper clearance for ALL information on the system.
⬥ Formal access approval for ALL information on the system.
⬥ A valid need to know for SOME information on the system.
⬥ All users can access SOME data, based on their need to know.
▪ Multilevel Security Mode - (Controlled Security Mode) - All users must have:
⬥ Signed NDA for ALL information on the system.
⬥ Proper clearance for SOME information on the system.
⬥ Formal access approval for SOME information on the system.
⬥ A valid need to know for SOME information on the system.
⬥ All users can access SOME data, based on their need to know, clearance
and formal access approval.
⮚ Evaluation Methods, Certification, and Accreditation
Choosing the security systems and products we implement in our
organization can be a daunting task. How do we know the
vendor is trustworthy, how do we know the systems and
products were tested well and what the tests revealed?
⬥ Evaluation Assurance Level (EAL) – How did the system or product
score on the testing?
🞂 EAL Level 1-7:
🞂 EAL1: Functionally Tested.
🞂 EAL2: Structurally Tested.
🞂 EAL3: Methodically Tested and Checked.
🞂 EAL4: Methodically Designed, Tested and Reviewed.
🞂 EAL5: Semi-formally Designed and Tested.
🞂 EAL6: Semi-formally Verified Design and Tested.
🞂 EAL7: Formally Verified Design and Tested.
● Threat Modeling:
▪ PASTA (Attacker Focused):
⬥ Process for Attack Simulation and Threat Analysis.
⬥ A seven-step process for aligning business objectives and technical requirements.
⬥ Gives us a dynamic threat identification, enumeration, and scoring process.
⬥ Provides an attacker-centric view of the application and infrastructure, which we can then use to develop an asset-centric mitigation strategy.
⬥ The seven stages: Definition of the Objectives (DO), Definition of the Technical Scope (DTS), Application Decomposition and Analysis (ADA), Threat Analysis (TA), Weakness and Vulnerability Analysis (WVA), Attack Modeling & Simulation (AMS), Risk Analysis & Management (RAM).
▪ STRIDE (Developer Focused):
⬥ Threat modeling methodology developed by Microsoft for security threats of six categories:
🞂 Spoofing, tampering, repudiation, information disclosure, Denial of Service (DoS), elevation of privilege.
▪ Trike (Acceptable Risk Focused).
▪ DREAD:
⬥ Disaster/Damage, Reproducibility, Exploitability, Affected Users, and Discoverability (DREAD).
⬥ Each category is given a rating from 1 to 10.
⬥ Microsoft, who created it, abandoned it in 2008; it is still in use in other places.
● Privacy by Design:
▪ Proactive not reactive, Privacy as the default setting, Privacy embedded into
design, Full functionality, End-to-end security, Visibility and transparency,
Respect for user privacy
● Shared Responsibility:
▪ With cloud computing the provider and customer share responsibility for the
security.
● Abstraction: Hiding unnecessary details from the user, it provides a seamless experience
for the user; they don’t see the millions of background calculations.
● Security Domains: A list of Objects a Subject is allowed to access, groups of Objects and
Subjects with similar security requirements.
▪ Kernel mode (Supervisor mode) is where the kernel lives, allowing low-level
unrestricted access to memory, CPU, disk, etc. This is the most trusted and
powerful part of the system. Crashes are not recoverable.
▪ User mode (Problem mode) has no direct access to hardware, it is directed
through an API (Application programming interface). Crashes are recoverable.
This is most of what happens on a PC.
▪ Open and closed systems:
⬥ Open systems use open standards and can use standard components
from multiple vendors.
🞂 Hard disks are built and evaluated to a certain standard.
🞂 This is what most organizations use and is considered more
secure.
⬥ Closed Systems use proprietary hardware and software. This is “security
through obscurity.”
⬥ You may not get hit with the latest Windows Server 2016 vulnerability,
but your systems and software have not been as rigorously tested and
audited for flaws as open systems and may be easy to gain access to.
● Security Domains:
▪ The Ring Model:
⬥ 4 ring model that separates Users (Untrusted) from the Kernel (Trusted).
⬥ The full model is slow and rarely used; most OSs only use rings 0 and 3.
⬥ There is a new addition to the Ring Model:
🞂 Hypervisor mode is called Ring -1 and is for VM Hosts. Ring -1 sits below the Client kernel in Ring 0.
▪ This design is more common on newer computers and replaces the regular computer bus.
▪ The Northbridge (Host bridge) is much faster than the Southbridge.
▪ There are no North/Southbridge standards, but they must be able to work with each other.
▪ There is a move towards integrating the Northbridge onto the CPU itself (Intel Sandy Bridge / AMD Fusion).
🞂 Cycle 1. Fetch 1
🞂 Cycle 2. Fetch 2, Decode 1
🞂 Cycle 3. Fetch 3, Decode 2, Execute 1
🞂 Cycle 4. Fetch 4, Decode 3, Execute 2, Write 1
🞂 Cycle 5. Fetch 5, Decode 4, Execute 3, Write 2
🞂 …
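The cycle table above is the output of a simple rule: instruction i enters Fetch in cycle i and moves one stage per cycle. The following added example (not from the notes) reproduces the table for any number of instructions and computes the throughput gain over an unpipelined CPU, which is the whole point of pipelining; the stage names are the four from the notes and the five-instruction stream is the constructed input.

```python
# Added example, not from the ThorTeaches notes: simulate a 4-stage instruction
# pipeline (Fetch, Decode, Execute, Write) and report which instruction occupies
# each stage in each clock cycle, reproducing the cycle table in the notes.
from typing import Dict, List

STAGES = ["Fetch", "Decode", "Execute", "Write"]


def pipeline_schedule(num_instructions: int) -> List[Dict[str, int]]:
    """One dict per cycle mapping stage name -> instruction number (1-based).
    Instruction i enters Fetch in cycle i and advances one stage per cycle, so
    the pipeline needs num_instructions + len(STAGES) - 1 cycles to drain."""
    total_cycles = num_instructions + len(STAGES) - 1
    schedule = []
    for cycle in range(1, total_cycles + 1):
        stage_view = {}
        for stage_index, stage in enumerate(STAGES):
            instr = cycle - stage_index          # instruction in this stage now
            if 1 <= instr <= num_instructions:
                stage_view[stage] = instr
        schedule.append(stage_view)
    return schedule


def format_cycle(cycle_number: int, stage_view: Dict[str, int]) -> str:
    """Render one cycle the way the notes list it, e.g. 'Cycle 3. Fetch 3, Decode 2, Execute 1'."""
    parts = [f"{stage} {stage_view[stage]}" for stage in STAGES if stage in stage_view]
    return f"Cycle {cycle_number}. " + ", ".join(parts)


def throughput_gain(num_instructions: int) -> float:
    """Cycles needed without pipelining divided by cycles with it; approaches 4
    (the number of stages) as the instruction stream gets long."""
    return (num_instructions * len(STAGES)) / (num_instructions + len(STAGES) - 1)


if __name__ == "__main__":
    for n, view in enumerate(pipeline_schedule(5), start=1):
        print(format_cycle(n, view))
    print("speed-up for 5 instructions:", throughput_gain(5))
```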
▪ Interrupt:
⬥ An interrupt is a signal to the processor emitted by hardware or
software indicating an event that needs immediate attention.
⬥ An interrupt alerts the processor to a high-priority condition requiring
the interruption of the current code the processor is executing.
⬥ When the higher priority task is complete the lower priority tasks will
continue/be completed.
● Memory protection prevents one process from affecting the confidentiality, integrity, or availability of another. Used to protect user/process data in multi-user and multitasking environments.
● Process isolation is a logical control that tries to prevent one process from interfering with another.
● Hardware segmentation takes that a step further by mapping processes to specific memory locations.
● Virtual Memory provides virtual address mapping between applications and hardware memory. Virtual memory is used for many things: multitasking, multiprocessing, swapping, to name a few.
● Swapping moves entire processes from primary memory (RAM) to/from secondary memory (Disk).
● Paging copies a block from primary memory (RAM) to/from secondary memory (Disk).
● BIOS – Basic Input Output System (Low level OS):
▪ The BIOS runs a basic POST (Power On Self Test), including verifying the integrity of the BIOS, testing the memory, identifying system devices, and more.
⬥ Once the POST process is complete and successful, it locates the boot sector for the OS.
⬥ The kernel loads and executes, and the OS boots.
⬥ BIOS is stored on ROM - most likely EEPROM now (or EPROM on older systems).
● WORM Media (Write Once Read Many):
▪ ROM is a WORM Media (not in use, though).
▪ CD/DVDs can be WORM Media (R) if they are not R/W (Read/Write).
● Address Space Layout Randomization (ASLR) is a memory-protection process for OSs; it guards against buffer-overflow attacks by randomizing the location where system executables are loaded into memory.
● Microservices:
▪ There is no single definition for microservices. A consensus view has evolved
over time in the industry. Some of the defining characteristics that are
frequently cited include:
⬥ Services in a microservice architecture (MSA) are often processes that
communicate over a network to fulfill a goal using technology-agnostic
protocols such as HTTP.
⬥ Services are organized around business capabilities.
⬥ Services can be implemented using different programming languages,
databases, hardware and software environments, depending on what
fits best.
▪ Services are small in size, messaging-enabled, bounded by contexts,
autonomously developed, independently deployable, decentralized and built
and released with automated processes.
▪ A microservice is not a layer within a monolithic application (for example, the
web controller, or the backend-for-frontend). Rather it is a self-contained piece
of business functionality with clear interfaces, and may, through its own internal
components, implement a layered architecture.
● Serverless (Function as a Service (FaaS)):
▪ Similar to microservices, each function is made to work independently and autonomously.
▪ Does not hold resources in volatile memory; computing is done in short bursts with the results persisted to storage.
▪ Pros:
⬥ Cost is based on actual use. When the app is not in use, no compute resources are used.
⬥ Elasticity vs. Scalability.
🞂 Elasticity: resources expand or contract based on the need.
🞂 Scalability: we scale resources to meet expected needs.
⬥ Read (r), Write (w) and Execute (x) permissions which can be set at an
owner, group or world level.
▪ Windows NTFS (New Technology File System)
⬥ Read, Write, Read and Execute, Modify, Full Control (Read, Write,
Execute, Modify, Change Permissions).
⬥ It is a type of DAC (Discretionary Access Control) – Who can access and
how they can access it is at the owner’s discretion.
▪ Virtualization holds a ton of benefits:
⬥ Virtualized environments cost a lot less than all physical servers.
⬥ It is much easier to stand up new servers (don't need to buy hardware, wait 2 weeks, rack it, run power/internet).
⬥ You can easily back up servers with snapshots; server builds can be done with images.
⬥ You can instantly reallocate resources.
⬥ They have lower power and cooling costs, a much smaller rack footprint (50-100 servers in the space of 5-8).
▪ Hypervisor - Controls the access between the virtual guest/clients and the host hardware.
⬥ Type 1 hypervisor (Bare Metal) is a part of a Virtualization OS that runs on top of the host hardware (Think Data Center).
⬥ Type 2 hypervisor runs on top of a regular OS like Windows 10 (Think your PC).
▪ VM Escape (Virtualization escape) is when an attacker can jump from the host or a client to another client; this can be even more of a concern if you have different Trust Level Clients on the same host. They should ideally be on separate hosts.
● Cloud Computing
▪ Cloud Computing can be divided into 3 main types:
⬥ Private Cloud Computing - Organizations build and run their own cloud
infrastructure (or they pay someone to do it for them).
⬥ Public Cloud Computing - Shared tenancy – A company builds massive
infrastructures and rents it out to anyone who wants it. (Amazon AWS,
Microsoft, Google, IBM).
⬥ Hybrid Cloud Computing – A mix of Private and Public Cloud
Computing. An organization can choose to use Private Cloud for
sensitive information and Public Cloud for non-sensitive data.
⬥ Community Cloud Computing – Only for use by a specific community of
consumers from organizations that have shared concerns. (Mission,
policy, security requirements, and/or compliance considerations.)
As with any other outsourcing, make sure you have the right to audit, pen test (clearly agreed upon
criteria), conduct vulnerability assessment, and check that the vendor is compliant with your industry
and the standards you adhere to.
⬥ PaaS - (Platform as a Service) The vendor provides pre-configured OSs, then the customer adds all programs and applications.
⬥ SaaS - (Software as a Service) The vendor provides the OS and applications/programs. Either the customer interacts with the software manually by entering data on the SaaS page, or data is automatically pushed from your other applications to the SaaS application (Gmail, Office 365, Dropbox, Payroll).
⬥ Most commonly used on torrent networks to share music, movies, programs, pictures, and more (the majority without the copyright holder’s consent).
⬥ Older versions had centralized index servers, making it easier to disrupt a sharing network, but the current version uses no centralized infrastructure.
⬥ Each client is often also a server and has the index. Taking down 10,000 in a network of 100,000 will just result in a network of 90,000 with no other discernible impact.
● Thin Clients (Boot sequence - BIOS > POST > TCP/IP > BOOTP or DHCP)
▪ Diskless Workstation (Diskless node) has all the normal hardware/firmware
except the disk, and the low-level OS (BIOS), which performs the POST. It then
downloads the kernel and higher-level OS.
▪ Thin Client Applications - We use a Web Browser to connect to the application
on a server on port 80 (HTTP) or port 443 (HTTPS). The full application is housed
and executed on the server vs. on your PC.
● Distributed systems
▪ Can also be referred to as:
⬥ Distributed computing environment (DCE), concurrent computing,
parallel computing, and distributed computing.
▪ A collection of individual systems that work together to
support a resource or provide a service.
▪ Most end-users see the DCE as a single entity and not as
multiple systems.
▪ Why do we use DCEs?
⬥ They can give us horizontal scaling (size, geography,
and administration), modular growth, fault
tolerance, cost-effectiveness, low latency (users
connect to the closest node).
▪ Where do we use DCEs?
⬥ All over the place (The internet, websites, cell
networks, research, P2P networks, blockchain, …).
▪ Most often aggregates of compute nodes in a system designed to solve complex calculations or manipulate data at very high speeds.
▪ HPCs have 3 components: compute, network, and storage.
⬥ All 3 must have enough resources to not become a bottleneck.
▪ The most well-known versions are supercomputers.
● Edge computing systems:
▪ The processing of data is done as close as possible to where it is needed; we do that by moving the data and compute resources.
▪ This will optimize bandwidth use and lower latency.
▪ CDNs are one of the most common types of edge computing.
▪ 80%+ of large enterprises have already implemented or are in the process of implementing an edge computing strategy.
▪ Information that can be disseminated from the electrical changes from a system or a wire.
▪ It is possible to log a user’s keystrokes on a smartphone using the motion sensor.
▪ It is unintentional information-bearing signals, which - if intercepted and analyzed - can lead to a compromise.
▪ We can protect against Electromagnetic Emanations with heavy metals, but we would have 80 lb (40 kg) laptops.
● Covert Channels – Create the capability to transfer information using channels not intended to do so.
▪ Covert Timing Channels: Operations that affect the "real response time observed" by the receiver.
⬥ Most common is username/password - a wrong username takes 100ms to confirm, a wrong password takes 600ms to confirm; you get the "Wrong username or password" error either way, but an attacker can tell when they use a correct username because of the delay difference.
▪ Covert Storage Channels: Hidden information through the modification of a stored object.
⬥ Certain file sizes have a certain meaning.
⬥ Attackers can add data in the payload of outbound ICMP packets (unless we need it, block outbound ICMP packets).
▪ Steganography - Hiding a message within another media (invisible ink and the hidden clues in da Vinci's paintings).
⬥ The messages can be hidden in anything really, most commonly images and soundtracks.
⬥ On images like this one, the program changes the shading of some of the pixels of the image. To the naked eye, it is not noticeable, but a lot of information can be hidden in the images this way.
⬥ Hidden in the bottom image is the first chapter of Great Expectations (Charles Dickens, 1867 Edition - 4 pages at font size 11, 1827 words, 7731 characters).
▪ Digital Watermarks encode data into a file.
⬥ The watermark may be hidden, using steganography, or visible.
⬥ Often used to fingerprint files (the file is identified as yours).
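The username/password timing channel described under Covert Timing Channels comes from a login routine that does its expensive work (the password hash) only when the username exists. The following is an added example, not code from the notes: the leaky check beside a version that always does the same amount of work and compares hashes in constant time, plus a small timer so the difference can be observed locally. The user store, the password, the PBKDF2 parameters and the "dummy" record are all constructed for the example.

```python
# Added example, not from the ThorTeaches notes: a login check that leaks
# whether a username exists through its response time, beside a fixed version.
import hashlib
import hmac
import os
import time


def _hash(password: str, salt: bytes) -> bytes:
    # Deliberately slow password hash (constructed parameters, not a recommendation).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user store: username -> (salt, password hash)
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse battery staple", _SALT))}


def login_leaky(username: str, password: str) -> bool:
    """Returns immediately for an unknown username, so only valid usernames pay
    for the slow hash: the response time tells the caller which case occurred."""
    if username not in USERS:
        return False                             # fast path, no hashing at all
    salt, stored = USERS[username]
    return _hash(password, salt) == stored       # slow path; '==' also stops at the first differing byte


# A dummy record so unknown usernames cost exactly the same work as real ones.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)


def login_constant_work(username: str, password: str) -> bool:
    """Always runs the hash and a constant-time compare, whether or not the
    username exists, so timing cannot separate 'bad user' from 'bad password'.
    The final membership check stops the dummy record from ever authenticating."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash(password, salt), stored)
    return matched and username in USERS


def time_call(fn, *args, repeats: int = 5) -> float:
    """Median wall-clock seconds for fn(*args)."""
    samples = []
    for _ in range(repeats):
        start = time.perf_counter()
        fn(*args)
        samples.append(time.perf_counter() - start)
    return sorted(samples)[len(samples) // 2]


if __name__ == "__main__":
    for fn in (login_leaky, login_constant_work):
        unknown_user = time_call(fn, "nobody", "x") * 1000
        wrong_password = time_call(fn, "alice", "x") * 1000
        print(f"{fn.__name__:20s} unknown user {unknown_user:7.2f} ms   wrong password {wrong_password:7.2f} ms")
```

Running the script shows the leaky version answering an unknown username in microseconds and a wrong password in tens of milliseconds, while the constant-work version takes the same time for both. The same "do the same work on every path" rule is what closes most application-level timing channels.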
● Malware
▪ Malware (Malicious Code) - This is the catch-all name for any malicious
software used to compromise systems or data.
⬥ Viruses - require some sort of human interaction and are often transmitted by USB sticks or other portable devices. When the program is executed, it replicates itself by inserting its own code into other programs.
🞂 Macro (document) Viruses: Written in Macro Languages, embedded in other documents (Word, Outlook).
🞂 Boot Sector Viruses: Infect the boot sector or the Master Boot Record, ensuring they run every time the PC boots.
🞂 Stealth Viruses: Try to hide themselves from the OS and antivirus software.
🞂 Polymorphic Viruses: Change their signature to avoid the antivirus signature definitions.
🞂 Multipart (Multipartite) Viruses: Spread across multiple vectors. They are often hard to get rid of because even if you clean the file infections, the virus may still be in the boot sector and vice-versa.
⬥ Worms - spread through self-propagation - they need no human
interaction; they do both the payload damage and replicate through
aggressive network use (also makes them easier to spot).
⬥ Trojans - malicious code embedded in a program that is normal. This
can be games, attachments, website clicks, etc. …
⬥ Rootkits - Replace some of the OS/Kernel with a malicious payload. User
rootkits work on Ring 3 and Kernel rootkits on Ring 0.
⬥ Logic Bombs - Malicious code that executes at a certain time or event -
they are dormant until the event (IF/THEN).
🞂 IF Bob is not getting an annual bonus over $10,000, THEN
execute malicious code.
🞂 IF date and time is 5/15/18 00:02:12, THEN execute malicious
code.
⬥ Packers – Programs to compress *.exe files, which can be used to hide malware in an executable; a neutral technology.
⬥ Antivirus Software - tries to protect us against malware.
🞂 Signature based - looks for known malware signatures - MUST be updated constantly.
🞂 Heuristic (Behavioral) based - looks for abnormal behavior - can result in a lot of false positives.
▪ Server (Service) Side Attacks:
⬥ Attacks directly from an attacker to a target.
⬥ Defense in Depth can mitigate some of these.
⬥ The term "Server" does not mean only servers, just that the attack is
directly aimed at the end target. (They come to you).
▪ Client-Side Attacks:
⬥ The client initiates, then gets infected with malicious content, usually from web browsers or instant messaging applications. (You go to them).
⬥ Since most firewalls mostly filter inbound traffic, client-side attacks are often more successful.
● OWASP (Open Web Application Security Project) 2021 - has a Top 10 of the most
common web security issues.
▪ A01:2021-Broken Access Control
▪ A02:2021-Cryptographic Failures
▪ A03:2021-Injection
▪ A04:2021-Insecure Design
▪ A05:2021-Security Misconfiguration
▪ A06:2021-Vulnerable and Outdated Components
▪ A07:2021-Identification and Authentication Failures
▪ A08:2021-Software and Data Integrity Failures
▪ A09:2021-Security Logging and Monitoring Failures
▪ A10:2021-Server-Side Request Forgery
● XML (Extensible Markup Language) is a markup language designed as a standard way to
encode documents and data.
▪ It is similar to HTML, but more universal.
▪ It is mainly used for Web but does not have to be, it can be used to store
application configuration, output from auditing tools, and many other things.
● SOA (Service-Oriented Architecture) is a style of software design where services are
provided to the other components by application components, through a
communication protocol over a network.
▪ The basic principles of service-oriented architecture are independent of
vendors, products, and technologies.
▪ SOA is intended to allow multiple different applications to be consumers of
services.
⮚ Database Security
● Polyinstantiation (Alternative Facts) – Two (or more) instances of the same file
depending on who accesses it.
▪ The real information may be available to subjects with Top Secret clearance, but
different information will be available to staff with Secret or lower clearance.
● Aggregation is a collection or gathering of data together for the purpose of statistical
analysis. (You see the bigger picture rather than the individual pieces of data).
● Inference requires deducing from evidence and reasoning rather than from explicit
statements.
● Data mining is the computing process of discovering patterns in large data sets.
▪ It uses methods combining machine learning, statistics, and database systems.
● Data Analytics is looking at what normal operations look like, then allowing us to
identify abuse more proactively from insider threats or compromised accounts.
We mitigate the attacks with Defense in Depth (again) – We secure the building, the entrances,
the doors, the network, the servers, the OS, the DB, screen the employees, … We have solid
policies, procedures, standards, and guidelines.
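Polyinstantiation, as defined above, is easiest to see in a table. The following added example (not from the notes) builds an in-memory SQLite manifest in which the same flight exists once per classification level; a reader gets the highest-classified row their clearance allows. It also shows why the technique exists: a Secret user inserting their own F-17 row creates a third instance instead of colliding with (and thereby revealing) the Top Secret one. The table, flights and cargo values are constructed for the example.

```python
# Added example, not from the ThorTeaches notes: polyinstantiation in a
# relational table. The primary key includes the classification level, so one
# logical record can exist at several levels without low-cleared users being
# able to infer that a higher-classified version exists.
import sqlite3
from typing import Dict

LEVELS = {"Unclassified": 0, "Secret": 1, "Top Secret": 2}


def build_db() -> sqlite3.Connection:
    """Constructed cargo manifest with two instances of flight F-17."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE manifest (
                        flight TEXT    NOT NULL,
                        cargo  TEXT    NOT NULL,
                        level  INTEGER NOT NULL,
                        PRIMARY KEY (flight, level))""")   # level is part of the key
    conn.executemany("INSERT INTO manifest VALUES (?, ?, ?)", [
        ("F-17", "medical supplies", LEVELS["Unclassified"]),  # the cover story
        ("F-17", "missile parts",    LEVELS["Top Secret"]),    # the real cargo
        ("F-18", "mail",             LEVELS["Unclassified"]),
    ])
    conn.commit()
    return conn


def insert_instance(conn: sqlite3.Connection, flight: str, cargo: str, clearance: str) -> None:
    """A subject writes at their own level. Without polyinstantiation a key
    collision here would reveal that a higher-classified F-17 row exists."""
    conn.execute("INSERT INTO manifest VALUES (?, ?, ?)", (flight, cargo, LEVELS[clearance]))
    conn.commit()


def view_for(conn: sqlite3.Connection, clearance: str) -> Dict[str, str]:
    """flight -> cargo as seen by a subject with the given clearance: for each
    flight, the instance with the highest level not exceeding the clearance."""
    rows = conn.execute("""
        SELECT m.flight, m.cargo
        FROM manifest AS m
        WHERE m.level = (SELECT MAX(x.level) FROM manifest AS x
                         WHERE x.flight = m.flight AND x.level <= ?)""",
        (LEVELS[clearance],)).fetchall()
    return dict(rows)


if __name__ == "__main__":
    db = build_db()
    for clearance in LEVELS:
        print(f"{clearance:12s} sees {view_for(db, clearance)}")
    insert_instance(db, "F-17", "spare parts", "Secret")
    print("after a Secret user writes F-17:")
    for clearance in LEVELS:
        print(f"{clearance:12s} sees {view_for(db, clearance)}")
```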
⮚ Mobile Security
● The more external devices we connect, the more complex policies, procedures, and
standards we need.
● Mobile devices are really anything “mobile” – External hard disks, USB drives, CDs,
laptops, cell phones,...
● Most internal threats are not malicious people. They just don’t know any better, didn’t
think about it or figured they wouldn’t get found out.
● Good security policies should lock down USB ports, CD drives, network ports, wireless
networks, disable autorun on media, use full disk encryption, have remote wipe
capabilities, raise user awareness training on where (if anywhere) mobile devices are
allowed. (Defense in Depth)
● Cell phones are the mobile devices most often lost – Current Android and iOS phones all have full disk encryption.
▪ We can add a lot more features to our company cell phones to make them more secure.
▪ Remote wipe, find my device, lock after x minutes, number of failed passwords, disable removable storage, …
▪ We can also use a centralized management system: MDM (Mobile Device Management) controls a lot of settings.
⬥ App Black/White list, Storage Segmentation, Remote Access Revocation, Configuration Pushes, Backups.
⬥ More controversial: Track the location of employees, monitor their data traffic and calls.
▪ A PLC (Programmable Logic Controller) is an industrial digital computer which has been ruggedized and adapted for the control of manufacturing processes such as assembly lines, robotic devices or any activity that requires high-reliability control, ease of programming and process fault diagnosis.
▪ DNP3 (Distributed Network Protocol):
⬥ A set of communications protocols used between components in process automation systems.
⬥ Mainly used in utilities such as electric and water companies.
⬥ It plays a crucial role in SCADA systems, where it is used by SCADA Master Stations (Control Centers), Remote Terminal Units (RTUs), and Intelligent Electronic Devices (IEDs).
⬥ It is primarily used for communications between a master station and RTUs or IEDs.
● Definitions:
▪ Cryptology is the science of securing communications.
▪ Cryptography creates messages where the meaning is hidden.
▪ Cryptanalysis is the science of breaking encrypted communication.
⬥ Cryptanalysis is used to breach cryptographic security systems and gain
access to the contents of encrypted messages, even if the cryptographic
key is unknown.
⬥ It uses mathematical analysis of the cryptographic algorithm, as well as side-channel attacks that do not target weaknesses in the cryptographic algorithms themselves, but instead exploit weaknesses in their implementation and the devices that run them.
▪ Cipher is a cryptographic algorithm.
⬥ Plaintext (Cleartext) is an unencrypted message.
⬥ Ciphertext is an encrypted message.
⬥ Encryption converts the plaintext to a ciphertext.
⬥ Decryption turns a ciphertext back into a plaintext.
▪ Book Cipher - Use of a well-known text (Often a book) as the key.
⬥ Messages would then look like 244.2.13, 12.3.7, 41.42.1. ...
⬥ The person reviewing the message would look at page 244, sentence 2,
word 13, then page 12, sentence 3, word 7, page 41, sentence 42 word
1, ...
▪ Running-Key Cipher – uses a well-known text as a key as well but uses a
previously agreed upon phrase.
⬥ If we use the CISSP Code of Ethics preamble "The safety and welfare of
society and the common good..."
⬥ The sender would add the plaintext message to the letters from the key,
and the receiver would subtract the letters from the key.
⮚ Cryptography
● Mono and Polyalphabetic Ciphers:
▪ Monoalphabetic Ciphers - Substitutes one letter for another - "T" would be "W" for instance - very easy to break with frequency analysis (or even without).
▪ Polyalphabetic Ciphers - Similar but uses different starting points each round; "T" may be "W" on the first round, but "D" on the second round. More secure, but still not very secure.
[Figure: Letter frequency use in English]
▪ Frequency Analysis (analyzing the frequency of a certain character) – In English
“E” is used 12.7% of the time. Given enough encrypted substitution text,
you can break it just with that.
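The Running-Key Cipher from the Definitions section and the frequency analysis just described fit in one small program. The following is an added example, not code from the notes: running-key encryption adds each plaintext letter to the corresponding key-text letter (and decryption subtracts it), and a chi-squared score against English letter frequencies (with E at 12.7%, as the notes state) picks out the shift of a monoalphabetic cipher automatically. The key text and messages are constructed; the notes' CISSP preamble key is only quoted in part, so a different full sentence is used as the key here.

```python
# Added example, not from the ThorTeaches notes: the running-key cipher and
# frequency analysis against a monoalphabetic (single-shift) substitution.
import string

ALPHA = string.ascii_uppercase


def _letters(text: str) -> str:
    """Upper-case the text and drop everything that is not A-Z."""
    return "".join(ch for ch in text.upper() if ch in ALPHA)


def running_key_encrypt(plaintext: str, key_text: str) -> str:
    """Add each plaintext letter to the matching key-text letter (mod 26)."""
    p, k = _letters(plaintext), _letters(key_text)
    if len(k) < len(p):
        raise ValueError("key text must be at least as long as the message")
    return "".join(ALPHA[(ALPHA.index(a) + ALPHA.index(b)) % 26] for a, b in zip(p, k))


def running_key_decrypt(ciphertext: str, key_text: str) -> str:
    """Subtract the key-text letters again to recover the plaintext letters."""
    c, k = _letters(ciphertext), _letters(key_text)
    return "".join(ALPHA[(ALPHA.index(a) - ALPHA.index(b)) % 26] for a, b in zip(c, k))


# Published English single-letter frequencies in percent, A..Z.
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
                6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]


def shift_encrypt(plaintext: str, shift: int) -> str:
    """Monoalphabetic substitution: every letter is moved by the same shift."""
    return "".join(ALPHA[(ALPHA.index(ch) + shift) % 26] for ch in _letters(plaintext))


def chi_squared(text: str) -> float:
    """Distance between the letter counts of `text` and English; lower is closer."""
    n = len(text)
    counts = [text.count(ch) for ch in ALPHA]
    return sum((c - n * f / 100) ** 2 / (n * f / 100) for c, f in zip(counts, ENGLISH_FREQ))


def break_shift(ciphertext: str) -> int:
    """Try all 26 shifts and return the one whose decryption looks most like English."""
    c = _letters(ciphertext)
    return min(range(26), key=lambda s: chi_squared(shift_encrypt(c, -s)))


if __name__ == "__main__":
    key = ("Security is a process not a product and it needs continuous "
           "attention from everyone involved")                    # constructed key text
    ct = running_key_encrypt("Meet me at the library at noon", key)
    print("running-key:", ct, "->", running_key_decrypt(ct, key))
    msg = ("The quick brown fox jumps over the lazy dog while the security team "
           "reviews every alert before the end of the shift")      # constructed message
    enc = shift_encrypt(msg, 3)
    print("shift cipher:", enc[:30] + "...", "-> recovered shift", break_shift(enc))
```

A running key taken from a real book is only as strong as the attacker's inability to guess the book: because the key is English text, both key and plaintext are skewed toward common letters, which is exactly what frequency analysis exploits.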
● Exclusive Or (XOR)
XOR is very useful in basic cryptography; we add a key to the
plaintext to make the ciphertext. If we have the Key, we can
decipher the Cipher text. Used in most symmetric encryption
(or at least used in the algorithm behind it).
▪ Confusion is the relationship between the plaintext and
ciphertext; it should be as random (confusing) as possible.
▪ Diffusion is how the order of the plaintext should be
“diffused” (dispersed) in the ciphertext.
▪ Substitution replaces one character for another, this provides
confusion.
▪ Permutation (transposition) provides confusion by
rearranging the characters of the plaintext.
but the inner disk is turned in a pre-agreed upon direction and turns every X
number of letters (decoder rings).
▪ Enigma - Rotary based. Used 3 rotors early on, which was
broken, so the Germans added 1 rotor, making it much
harder. Breaking the Enigma was responsible for ending
the war early and saving millions of lives.
▪ Purple (US name) - Japanese rotary based, very similar to the Enigma.
⬥ Broken by the US, England, and Russia (3 rotors).
⬥ When the Russians learned Japan was not attacking them, they moved the majority of their eastern troops to Moscow to fight the Germans. They had decoded that Japan was going for Southeast Asia.
▪ One-Time Pad:
⬥ Cryptographic algorithm where plaintext is
combined with a random key.
⬥ It is the only existing mathematically
unbreakable encryption.
🞂 While it is unbreakable it is also very
impractical.
🞂 It has ONE use per pad; they should
never be reused.
🞂 Characters on the pad have to be truly random.
🞂 The pads are kept secure.
▪ Vernam Cipher (The first known use of a one-time pad).
⬥ It used bits, and the bits were XORed to the plaintext bits.
▪ Project VENONA was a project by the US and the UK to break the KGB’s
encryption from 1943 to 1980.
⬥ The KGB used one-time pads (unbreakable if not reused) for sensitive
transmissions.
⬥ The KGB reused pads, many messages were decoded, leading to the
arrest of many high-profile US residents.
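The XOR section earlier and the One-Time Pad, Vernam and VENONA items here describe the same operation and its one fatal misuse. The following added example (not from the notes) implements the Vernam pad as bytewise XOR and then shows, on two constructed messages encrypted under the same pad, why reuse breaks it: XORing the two ciphertexts cancels the pad and leaves P1 XOR P2, so knowing (or guessing) one message reveals the other. The messages are constructed; the pad is drawn from the operating system's random source.

```python
# Added example, not from the ThorTeaches notes: XOR as the Vernam one-time pad,
# and why a reused pad fails (the VENONA problem).
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """C = P XOR K. The pad must be at least as long as the message; the bytes
    consumed here must never be used for any other message."""
    if len(pad) < len(plaintext):
        raise ValueError("pad is shorter than the message")
    return xor_bytes(plaintext, pad[:len(plaintext)])


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    """P = C XOR K: XOR is its own inverse, so decryption is the same operation."""
    return otp_encrypt(ciphertext, pad)


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts under the same pad: C1 XOR C2 = P1 XOR P2, the pad cancels."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])


def recover_with_crib(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """If one message is known (a crib), XOR it into P1 XOR P2 to get the other."""
    leak = pad_reuse_leak(c1, c2)
    n = min(len(leak), len(known_p1))
    return xor_bytes(leak[:n], known_p1[:n])


# Constructed sample messages of equal length, and a fresh pad.
P1 = b"REPORT DUE FRIDAY"
P2 = b"SHIP IT ON MONDAY"
PAD = os.urandom(len(P1))

if __name__ == "__main__":
    c1, c2 = otp_encrypt(P1, PAD), otp_encrypt(P2, PAD)   # the mistake: one pad, two messages
    print("decrypts correctly:", otp_decrypt(c1, PAD))
    print("P1 XOR P2 from ciphertexts alone:", pad_reuse_leak(c1, c2).hex())
    print("P2 recovered using P1 as a crib:", recover_with_crib(c1, c2, P1))
```

The two rules the notes give for pads (truly random, one use only) map directly onto the code: `os.urandom` supplies the randomness, and the leak functions show what happens the moment the second rule is broken.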
▪ The Jefferson Disk (Bazeries Cylinder) - is a cipher system using a set of wheels or disks, each with the 26 letters of the alphabet arranged around the edge. Jefferson (US president) invented it, and Bazeries improved it.
⬥ The order of the letters is different for each disk and is usually scrambled in some random way.
⬥ Each disk is marked with a unique number.
⬥ A hole in the center of the disks allows them to be stacked on an axle.
⬥ The disks are removable and can be mounted on the axle in any order
desired.
⬥ The order of the disks is the cipher key, and both sender and receiver
must arrange the disks in the same predefined order.
⬥ Jefferson's device had 36 disks.
▪ SIGABA:
⬥ A rotor machine used by the United States throughout World War II and into the 1950s, similar to the Enigma.
⬥ It was more complex, and was built after examining the weaknesses of the Enigma.
⬥ No successful cryptanalysis of the machine during its service lifetime is publicly known.
⬥ It used 3x5 sets of rotors.
⬥ The SIGABA was very large, heavy, expensive, difficult to operate, mechanically complex, and fragile.
● With the common use of cryptography, many governments considered it important
enough that cryptographic algorithms were added to export restrictions in the same
category as munitions.
▪ COCOM (Coordinating Committee of Multilateral Export Controls) 1947 – 1994.
⬥ Was used to prevent the export of "Critical Technologies" from
“Western” countries to the "Iron Curtain" countries during the cold war.
⬥ Encryption is considered a "Critical Technology".
▪ Wassenaar Arrangement - 1996 – present.
⬥ Similar to COCOM, but with former "Iron Curtain" countries being
members.
⬥ Limits exports on military and "dual-use” technologies. Cryptography is
part of that.
⬥ Some nations also use it to prevent their citizens from having strong
encryption (easier to spy on your own people if they can't use strong
cryptography).
⬥ Uses Asymmetric encryption to share a Symmetric Key (session key).
⬥ We use the security over an insecure medium from Asymmetric for the
initial exchange, and we use the speed and higher security of the
Symmetric for the actual data transfer.
⬥ The Asymmetric Encryption may send a new session key every so often
to ensure security.
● Symmetric Encryption:
▪ DES - Data Encryption Standard (Single DES).
⬥ For the exam it may be called DEA (algorithm) or DES (standard)
⬥ No longer secure and it has multiple attack vectors published.
⬥ Symmetric – 64-bit block cipher – 56-bit key, 16 rounds of encryption,
uses Feistel.
DES has 5 different modes it can encrypt data with; they differ in whether they
work as a block or stream cipher, whether they use an initialization vector, and
whether encryption errors propagate to the next block.
⬥ ECB (Electronic Code Book) - The simplest and weakest, no initialization
vector or chaining.
🞂 2 separate encryptions with same plaintext would produce
identical ciphertext.
⬥ CBC (Cipher Block Chaining) - Uses initialization vectors and chaining.
🞂 The first block is XORed with an initialization vector, and every
subsequent block is XORed with the previous ciphertext block.
🞂 The weakness is an encryption error which will propagate
through all blocks after the error since they build on each other,
breaking integrity.
⬥ CFB (Cipher Feedback) Very similar to CBC, but uses stream cipher, not
block.
🞂 It uses feedback (chaining in a stream cipher), initialization
vector and it has the same error propagation.
⬥ OFB (Output Feedback) Similar to CFB, but instead of the previous
ciphertext for the XOR it uses the subkey before it is XORed to the
plaintext.
🞂 Doing it this way makes the encryption errors NOT propagate.
⬥ CTR (Counter) - Similar to OFB, but it uses the feedback differently; the
counter can be as simple as ascending numbers.
🞂 First block XORed with 1, second block with 2, third block with
3; since the counter is predictable, it can be done in parallel.
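The mode differences above (no IV in ECB, chaining in CBC, a predictable counter in CTR) on a toy 64-bit block cipher, as an added example that is not from the lecture notes. The block cipher is a 16-round Feistel network with a SHA-256 round function, an assumption standing in for DES so the block runs with only the standard library; the plaintexts, key and IV are constructed.

```python
import hashlib

BLOCK = 8  # 64-bit block, the DES block size


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Keyed round function of the toy Feistel cipher (stand-in for DES's F, not DES).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes, rounds: int = 16) -> bytes:
    # Feistel network: each round swaps the halves and mixes F(right) into left.
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(rounds):
        left, right = right, _xor(left, _f(key, right, rnd))
    return right + left  # undo the last swap so decryption is the same walk backwards


def block_decrypt(key: bytes, block: bytes, rounds: int = 16) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(rounds)):
        left, right = right, _xor(left, _f(key, right, rnd))
    return right + left


def blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("input must be padded to a whole number of blocks")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # No IV, no chaining: equal plaintext blocks give equal ciphertext blocks.
    return b"".join(block_encrypt(key, b) for b in blocks(plaintext))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Each plaintext block is XORed with the previous ciphertext block (the IV first).
    prev, out = iv, []
    for b in blocks(plaintext):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, []
    for c in blocks(ciphertext):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Keystream = E(nonce || counter) with counter 1, 2, 3, ...: blocks are independent,
    # so they can be computed in parallel. The same call decrypts.
    if len(nonce) != BLOCK - 4:
        raise ValueError("nonce must leave 4 bytes for the counter")
    out = []
    for n, b in enumerate(blocks(data), start=1):
        out.append(_xor(b, block_encrypt(key, nonce + n.to_bytes(4, "big"))))
    return b"".join(out)


def ecb_leaks_repeats(key: bytes) -> bool:
    # Constructed record with a repeated 8-byte field: ECB exposes the repetition.
    c = blocks(ecb_encrypt(key, b"ACCT0001" * 2 + b"BAL=0500"))
    return c[0] == c[1]


def cbc_hides_repeats(key: bytes, iv: bytes) -> bool:
    c = blocks(cbc_encrypt(key, iv, b"ACCT0001" * 2 + b"BAL=0500"))
    return c[0] != c[1]


def changed_blocks(mode: str, key: bytes, iv: bytes) -> list:
    # Flip one bit in plaintext block 1 before encryption and report which ciphertext
    # blocks change: CBC carries the error into every later block, ECB and CTR do not.
    good = b"BLOCK-00BLOCK-01BLOCK-02BLOCK-03"
    bad = bytearray(good)
    bad[BLOCK] ^= 0x01
    enc = {
        "ECB": lambda p: ecb_encrypt(key, p),
        "CBC": lambda p: cbc_encrypt(key, iv, p),
        "CTR": lambda p: ctr_encrypt(key, iv[:BLOCK - 4], p),
    }[mode]
    a, b = blocks(enc(good)), blocks(enc(bytes(bad)))
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
```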
▪ 3 DES (Triple DES):
⬥ Was developed to extend life of DES systems while getting ready for
AES.
⬥ Symmetric – 64-bit block cipher – 56-bit key, 16 rounds of encryption,
uses Feistel.
⬥ 3 rounds of DES vs 1.
🞂 K1 (keymode1) - 3 different keys with 112-bit key strength.
🞂 K2 (keymode2) - 2 different keys with 80-bits and 1/3 same key.
🞂 K3 (keymode3) – Same key 3 times, just as insecure as DES
(encrypt/decrypt/encrypt).
⬥ Considered secure until 2030 and still commonly used (K1).
▪ IDEA (International Data Encryption Algorithm):
⬥ Designed to replace DES.
⬥ Symmetric, 128-bit key, 64-bit block size, considered safe.
⬥ Not widely used now since it is patented and
slower than AES.
▪ AES - Advanced Encryption Standard (Rijndael).
⬥ Symmetric.
⬥ Considered secure.
⬥ Open source.
⬥ Uses both transposition and substitution.
⬥ Widely used today.
⬥ AES operates on a 4 × 4 column-major order
matrix of bytes.
⬥ Initial Round:
🞂 AddRoundKey — each byte is combined with a block of the
round key using bitwise XOR.
⬥ Rounds:
🞂 SubBytes — a non-linear substitution
step where each byte is replaced with
another according to a lookup table.
🞂 ShiftRows — a transposition step
where the last three rows of the state
are shifted a certain number of steps.
🞂 MixColumns — a mixing operation
which operates on the columns,
combining the four bytes in each
column.
⬥ Final Round (no MixColumns):
🞂 SubBytes
🞂 ShiftRows
🞂 AddRoundKey
⬥ The key size used for an AES
cipher specifies the number of
repetitions of transformation
rounds that convert the plaintext
into the ciphertext.
⬥ The number of cycles depends on
the key length:
🞂 10 cycles for 128-bit
keys.
🞂 12 cycles for 192-bit keys.
🞂 14 cycles for 256-bit keys.
▪ Asymmetric Encryption uses 2 keys: A Public Key and a Private Key (Key Pair).
⬥ Your Public Key is publicly available.
🞂 Used by others to encrypt messages sent to you. Since the key is
asymmetric, the cipher text can't be decrypted with your public
Key.
⬥ Your Private Key - You keep this safe.
🞂 You use it to decrypt messages sent with your public key.
⬥ Also used for digital signatures, slightly reversed.
⬥ You encrypt with your private key and the recipient decrypts with your
public key.
▪ Prime Number Factorization:
⬥ Based on factorization as a one-way function - It is easy to multiply 2
large prime numbers, but hard to discern the 2 numbers multiplied from
the result.
⬥ 1373 x 8081 = 11095213 - It will be hard to tell which numbers were
multiplied to get 11095213.
⬥ Between 1 and 10,000 there are 1229 prime numbers, and strong
encryption uses much higher prime numbers.
▪ Discrete Logarithms:
⬥ Another one-way function - this one uses Logarithms, which is the
opposite of exponentiation.
⬥ 5 to the 12th power = 244140625 but asking 244140625 is 5 to the what
power is much harder.
⬥ Discrete Logarithms apply the concept to groups, making them much
harder to solve.
▪ RSA cryptography
⬥ New keypair from very large prime numbers - creates public/private key
pair.
⬥ Used to exchange symmetric keys, it is slow, and the algorithm was
patent protected (1977-1997 - 20 years).
⬥ Asymmetric, 1024-4096 bit key, considered secure.
⬥ RSA-704 uses these 2 prime numbers (remember I said LARGE prime
numbers were factored):
8143859259110045265727809126284429335877899002167627883200
914172429324360133004116702003240828777970252499
9091213529597818878440658302600437485892608310328358720428
512168960411528640933367824950788367956756806141
⬥ They then produce this result, and while this number is known, figuring
out the 2 prime numbers is very difficult:
7403756347956171282804679609742957314259318888923128908493
6232638972765034028266276891996419625117843995894330502127
5853701189680982867331732731089309005525051168770632990723
96380786710086096962537934650563796359
▪ Diffie–Hellman (DH) key exchange is a method of securely exchanging
cryptographic keys over a public channel and was one of the first public-key
protocols.
⬥ It is one of the earliest practical examples of public key exchange
implemented within the field of cryptography.
⬥ The Diffie–Hellman key exchange method allows two parties that have
no prior knowledge of each other to jointly establish a shared secret key
over an insecure channel.
🞂 This key can then be used to encrypt subsequent
communications using a symmetric key cipher.
▪ Elliptic Curve Cryptography (ECC) is a one-way function that uses discrete
Logarithms applied to elliptical curves. Much stronger per bit than normal
discrete Logarithms.
⬥ Often found on low-power devices since they can use shorter key
lengths and be as secure.
⬥ Patented, so less used since it costs money to use; a 256-bit ECC key is
just as strong as a 3,072-bit RSA key.
▪ ElGamal is an asymmetric key encryption algorithm for public-key cryptography
which is based on the Diffie–Hellman key exchange. ElGamal encryption is used
in the free GNU Privacy Guard software, recent versions of PGP, and other
cryptosystems.
▪ DSA (Digital Signature Algorithm) uses a different algorithm for signing and
encryption than RSA, yet provides the same level of security. Key generation has
two phases.
⬥ The first phase is a choice of algorithm parameters which may be shared
between different users of the system, while the second phase
computes public and private keys for a single user.
⬥ DSA is a variant of the ElGamal signature scheme, which should not be
confused with ElGamal encryption.
▪ Knapsack (Merkle–Hellman knapsack cryptosystem) is one-way.
⬥ The public key is used only for encryption, and the private key is used
only for decryption, making it unusable for authentication by
cryptographic signing.
⬥ No longer secure.
⬥ While not a chosen-text collision, it is still a collision.
⬥ Still widely used.
▪ MD6 (Message Digest 6):
⬥ Was not used for very long; was supposed to replace MD5, but SHA2/3
were better.
⬥ It was in the running for the SHA3 race but withdrawn due to flaws.
▪ Salt (Salting):
⬥ Random data that is used as an additional input to a one-way function
that "hashes" a password or passphrase.
⬥ Salts are very similar to nonces.
⬥ The primary function of salts is to defend
against dictionary attacks or a pre-
compiled rainbow table attack.
▪ Nonce: (arbitrary number that may only be used
once):
⬥ It is often a random or pseudo-random
number issued in an authentication protocol to ensure that old
communications cannot be reused in replay attacks.
⬥ They can also be useful as initialization vectors and in cryptographic
hash functions.
● Cryptographic Attacks
▪ Steal the Key: Modern encryption being so difficult to break, it is easier to
recover the private key.
⬥ Law enforcement does this when they get search warrants, to recover
the private key from the PC or phone of someone charged with a crime.
⬥ Attackers do this by gaining access to your system or key repository;
they can then decrypt your data.
▪ Brute Force:
⬥ Uses the entire key space (every possible key); with enough time, any
plaintext can be decrypted.
⬥ Effective against all key-based ciphers except the one-time pad; it would
eventually decrypt it, but it would also generate so many false positives
that the data would be useless.
▪ Key stretching (a defense against brute force): Adding 1-2 seconds to password
verification.
⬥ If an attacker is brute forcing a password and needs millions of attempts,
it becomes an unfeasible attack vector.
▪ Digraph attack: Similar to frequency analysis/attacks, but looks at common
pairs of letters (TH, HE, IN, ER).
▪ Man-in-the-Middle Attack (MITM):
⬥ The attacker secretly relays and may alter
communication between two parties, who
believe they are directly communicating
with each other.
⬥ The attacker must be able to intercept all
relevant messages passing between the
two victims.
⬥ They can alter the information, just steal it
or inject new messages.
▪ Session Hijacking (TCP Session Hijacking):
⬥ An attacker takes over a web user’s session ID and masquerades as the
authorized user.
⬥ Once the session ID has been accessed, through session prediction the
attacker pretends to be the user, and as that user, can do anything the
user is authorized to do on the network.
▪ Social Engineering
⬥ Much easier than breaking the key is convincing the key holder to hand
it over to the “help desk”.
🞂 A very successful social engineering attack was a Pen-Test company
driving up in front of a company office with "Free Ice Cream” and
company logo signs on an ice cream van.
🞂 The employees had to enter their username and password to ‘prove’
they were real employees. They were rewarded with an “approved"
message and got their free ice cream.
🞂 The Pen-Testers got 90%+ of the employees’ usernames and
passwords from those who were there that day.
▪ Rainbow Tables:
⬥ Pre-made list of plaintexts and matching ciphertexts.
⬥ Often Passwords and matching Hashes, a table can contain 1,000,000s
of pairs.
▪ Known Plaintext:
⬥ You know the plaintext and the ciphertext and using those, you try to
figure out the key.
▪ Chosen Plaintext:
⬥ Similar to Known Plaintext, but the attacker chooses the plaintext, then
tries to figure out the key.
▪ Adaptive Chosen Plaintext:
⬥ Same as Chosen Plaintext, the attacker “adapts" the following rounds
dependent on the previous rounds.
▪ Meet-in-the-Middle:
⬥ A known plaintext attack, the intruder has to know some parts of
plaintext and their ciphertexts used to break ciphers which have two or
more secret keys for multiple encryptions using the same algorithm.
▪ Known Key - (Not really known, because if it was, the attacker would have the
key).
⬥ The attacker knows 'something' about the key, making it easier to
break.
⬥ The password could be exactly 8 characters, first character has to be
upper case and last has to be a number.
▪ Differential Cryptanalysis:
⬥ Tries to find the “difference" between the related plaintexts; if the
plaintexts are only a few bits different, can we discern anything? Can we
see non-randomness?
⬥ The same bit should have a 50/50 chance of flipping; areas where this is
not so can be a clue to the key.
▪ Linear Cryptanalysis:
⬥ A type of known plaintext attack where the attacker has a lot of
plaintext/ciphertext pairs created with the same key.
⬥ The attacker studies the pairs to learn information about the key used
to create the ciphertext.
▪ Differential Linear Cryptanalysis is Differential and Linear Cryptanalysis
combined.
▪ Side Channel Attacks:
⬥ Attackers use physical data to break a crypto system. This can be CPU
cycles, power consumption while encrypting/decrypting, ...
▪ Implementation Attacks:
⬥ Some vulnerability is left from the implementation of the application,
system or service.
⬥ It is almost always easier to find a flaw in the system than to break the
cryptography.
⬥ Is the key stored somewhere in plaintext? Is the key stored somewhere
not very secure? Is anything stored in memory?
▪ Key Clustering:
⬥ When 2 different Symmetric Keys used on the same plaintext produce
the same ciphertext, both can decrypt ciphertext from the other key.
▪ Pass the Hash:
⬥ If an attacker obtains a hashed password, they can gain access to the
system by using the stolen hash and the user ID.
▪ Kerberos exploitation:
⬥ Overpass the Hash or Pass the Key.
🞂 Similar to PtH but used when NTLM is disabled on a network.
🞂 Even when NTLM is disabled, the systems generate an NTLM
hash and store it in memory.
🞂 The attacker requests a TGT with the user's hash to gain access
to network resources.
⬥ Pass the Ticket:
🞂 The attackers attempt to collect tickets held in the lsass.exe
process.
🞂 The attackers then inject the ticket impersonating the user.
⬥ Silver Ticket:
🞂 The attacker uses the NTLM hash of a service account to make a
ticket-granting service (TGS) ticket.
🞂 Service accounts use TGS tickets instead of TGT tickets.
🞂 The silver ticket gives the attacker all the privileges granted to
that specific service account.
⬥ Golden Ticket:
🞂 The attacker gains access to the hash of the Kerberos service
account and can create any tickets they want within Active
Directory.
🞂 The account signs and encrypts all Kerberos tickets on a domain
with a hash of its own password.
🞂 The password never changes, meaning the hash also never
changes.
⬥ Kerberos Brute-Force:
🞂 Attackers can guess passwords and usernames by using the
Python script kerbrute.py on Linux or Rubeus on Windows
because Kerberos will report whether a username is valid or
not.
⬥ ASREPRoast:
🞂 Used to identify users who do not have Kerberos pre-
authentication enabled.
🞂 Pre-authentication can help to prevent password guessing
attacks.
🞂 If pre-authentication is not enabled, the attacker sends an
authentication request to the KDC.
🞂 The KDC replies with a TGT, encrypted with the client's
password.
🞂 This enables the attacker to decrypt the ticket and the client's
password using offline attacks.
⬥ Kerberoasting:
🞂 The attacker collects encrypted TGS tickets (because these are
for service accounts, it is TGS rather than TGT).
🞂 When enough are collected, the attacker can try to decrypt
them offline.
🞂 Services running in the context of user accounts would use a
TGS ticket.
🞂 The attacker is trying to find users that don't have Kerberos pre-
authentication enabled on their accounts.
▪ Fault injection
⬥ The attacker is trying to compromise the integrity of cryptographic
devices by introducing external faults.
⬥ Active side-channel attacks, trying to stress the device.
⬥ Power (high/low), temperature, and light are all potential factors.
● Implementing Cryptography:
▪ PKI (Public Key Infrastructure):
⬥ Uses Asymmetric and Symmetric Encryption as well as Hashing to
provide and manage digital certificates.
⬥ To ensure PKI works well, we keep the private key secret.
⬥ We also store a copy of the key pair somewhere central and secure (key
repository).
⬥ We have policies in place that require 2 Security Administrators to
retrieve the key pair (if only 1 person did it, chances of key compromise
would be higher).
⬥ If users lose their private key and if no key repository is kept, anything
encrypted with the public key is inaccessible.
▪ Key Escrow:
⬥ Keys are kept by a 3rd party organization (often law enforcement).
▪ Digital Signatures:
⬥ Provides Integrity and Non-Repudiation.
⬥ I want to send an email to Bob.
🞂 My email is Hashed, the hash is encrypted with my private key (the
encrypted Hash is my Digital Signature), I attach the signature to the
email and send it.
🞂 Bob receives it, he generates a hash, and decrypts my signature with my
public key. If the hash he generated and the hash he decrypted match,
the email is not altered.
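The sign-and-verify exchange just described, built on the RSA keypair-from-two-primes idea from the asymmetric section, as an added example (not code from the lecture notes). It is textbook RSA on the notes' own primes 1373 and 8081, so the modulus is the 11095213 from the factorization example; because that toy modulus is far smaller than a SHA-256 digest, the hash is reduced mod n, which is an assumption of this demo and not how real RSA signatures are padded.

```python
import hashlib
from math import gcd, isqrt


def make_keypair(p: int, q: int, e: int = 65537):
    # Public key (n, e), private key (n, d): n is the product of the two primes.
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, m: int) -> int:
    # Anyone can encrypt to the public key; only the private key undoes it.
    n, e = public_key
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    n, d = private_key
    return pow(c, d, n)


def _digest_mod_n(message: bytes, n: int) -> int:
    # Hash the message; reduced mod n only because the toy modulus is tiny.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    # "Encrypt" the hash with the private key: that value is the digital signature.
    n, d = private_key
    return pow(_digest_mod_n(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    # Bob recomputes the hash and "decrypts" the signature with the sender's public key.
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


def factor_by_trial_division(n: int):
    # Feasible for this toy n; for a real modulus such as RSA-704 the search space
    # is astronomically larger, which is what the security of the keypair rests on.
    for candidate in range(2, isqrt(n) + 1):
        if n % candidate == 0:
            return candidate, n // candidate
    return None


if __name__ == "__main__":
    pub, priv = make_keypair(1373, 8081)
    msg = b"Hi Bob, please pay invoice 42"  # constructed message
    sig = sign(priv, msg)
    print(verify(pub, msg, sig), verify(pub, msg + b"!", sig))  # True, then (almost surely) False
    print(factor_by_trial_division(pub[0]))
```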
⬥ Digital certificates are public keys signed with a digital signature.
🞂 Server based - SSL for instance – is assigned to the server
(stored on the server).
🞂 Client based - Digital Signature – is assigned to a person (stored
on your PC).
🞂 CA (Certification Authority):
🞂 Issues and revokes certificates.
🞂 Can be run internally in your organization or in public
(Verisign or GoDaddy, for instance).
🞂 ORA (Organizational Registration Authorities):
🞂 Done within an organization.
🞂 Authenticates the certificate holder prior to certificate
issuance.
🞂 CRL (Certification Revocation List):
🞂 Maintained by the CA.
🞂 Certificates are revoked if a private key is compromised,
if an employee leaves the organization, etc.
🞂 Server side, starting to be replaced by OCSP
(client/server-side hybrid).
🞂 OCSP (Online Certification Status Protocol):
🞂 Client/server hybrid, better balance, faster, keeps lists
of revoked certificates.
▪ The Clipper chip was a chipset that was developed and promoted by the United
States National Security Agency (NSA) as an encryption device that “secured”
voice and data messages with a built-in backdoor.
⬥ It was intended to be adopted by telecommunications companies for
voice/data transmission but was abandoned after public outcry and was
later found to have many security flaws (it used Skipjack).
▪ MAC (Message Authentication Code) – The exam uses MAC for several
concepts; it will be spelled out which one it is.
⬥ Hash function using a key.
⬥ CBC-MAC, for instance, uses Cipher Block Chaining from a symmetric
encryption (like DES).
⬥ Provides integrity and authenticity.
▪ HMAC (Hashed Message Authentication Code) combines a shared key with
hashing.
⬥ A pre-shared key is exchanged.
⬥ The sender uses XOR to combine the plaintext with a shared key, then
hashes the output using a hashing algorithm (could be HMAC-MD5 or
HMAC-SHA-1).
⬥ That hash is then combined with the key again, creating an HMAC.
⬥ The receiver does the same and compares their HMAC with the sender’s
HMAC.
⬥ If the two HMACs are identical, the sender is authenticated.
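The keyed-hash construction in standard form, as an added example (not code from the lecture notes): RFC 2104 HMAC pads the key, XORs it with two fixed constants, and hashes twice, which is the precise version of the "combine key with hashing, then combine with the key again" steps above. Keys and messages are constructed; the result is checked against Python's hmac module.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 processes 64-byte blocks; HMAC pads the key to this size


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    # RFC 2104: HMAC = H((K ^ opad) || H((K ^ ipad) || message))
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()   # keys longer than a block are hashed first
    key = key.ljust(BLOCK_SIZE, b"\x00")     # shorter keys are zero-padded
    ipad = bytes(k ^ 0x36 for k in key)      # inner key: combine the key with the message
    opad = bytes(k ^ 0x5C for k in key)      # outer key: combine the key with the inner hash again
    inner = hashlib.sha256(ipad + message).digest()
    return hashlib.sha256(opad + inner).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    # The receiver recomputes the HMAC with the pre-shared key and compares in
    # constant time, so a mismatch does not leak how many leading bytes matched.
    return hmac.compare_digest(hmac_sha256(key, message), tag)


def matches_stdlib(key: bytes, message: bytes) -> bool:
    # Cross-check the hand-written construction against the standard library.
    return hmac_sha256(key, message) == hmac.new(key, message, hashlib.sha256).digest()


if __name__ == "__main__":
    key = b"pre-shared-secret"                      # constructed shared key
    msg = b"transfer 100 to account 7"              # constructed message
    tag = hmac_sha256(key, msg)
    print(verify_tag(key, msg, tag), verify_tag(key, msg + b"0", tag))  # True False
```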
▪ SSL and TLS – Confidentiality and Authentication for web traffic.
Cryptographic protocols for web browsing, email, internet faxing, instant
messaging, and VOIP. You download the server’s digital certificate, which
includes the site’s public key.
⬥ SSL (Secure Socket Layer) - Currently on v3.0.
🞂 Mostly used for web traffic.
⬥ TLS (Transport Layer Security) - More secure than SSL v3.0.
🞂 Used for securing web traffic (less common).
🞂 Used for internet chat and email client access.
⬥ Provides privacy and authentication for data communication. Can
provide confidentiality, integrity, authentication, and non-repudiation.
⬥ PGP is used for signing, encrypting, and decrypting texts, e-mails, files,
directories, and whole disk partitions, and to increase the security of e-
mail communications.
⬥ PGP uses a serial combination of hashing, data compression, symmetric-
key cryptography, and finally public-key cryptography; each step uses
one of several supported algorithms.
⬥ Uses a Web of Trust model to authenticate digital certificates, if you
trust me, you trust everyone I trust.
▪ MIME (Multipurpose Internet Mail Extensions) provides a standard way to
format email, including character sets and attachments.
▪ S/MIME (Secure/MIME) uses PKI to encrypt and authenticate MIME-encoded
email.
⬥ The client or client’s email server (called an S/MIME gateway) can
perform the encryption.
⮚ Physical Security
As part of physical security, we also design "Defense-in-Depth" into our plan.
▪ Preventative Controls:
⬥ Prevents action from happening – Tall fences, locked doors, bollards.
▪ Detective Controls:
⬥ Controls that detect an attack (before, during or after) – CCTV, alarms.
▪ Deterrent Controls:
⬥ Controls that deter an attack – fences, security guards, dogs, lights,
Beware of the Dog signs.
▪ Compensating Controls:
⬥ Controls that compensate for other controls that are impossible or too
costly to implement. We may not be able to move our datacenter or
change the foundation, but we can add absorbers under the sub-floor,
in the racks, …
▪ Administrative Controls:
⬥ Controls that give us administrative framework – compliance, policies,
procedures.
● Perimeter defense:
▪ Fences (Deterrence, Preventative):
⬥ Smaller fences such as 3ft. (1m) can be a deterrence, while
taller ones, such as 8ft. (2.4m) can be a prevention
mechanism.
⬥ The idea of the fences is to ensure entrance/exits from the
facility happen through only a few entry points (doors,
gates, turnstiles).
▪ Gates (Deterrence, Preventative):
⬥ Placed at control points at the perimeter.
⬥ Used with the fences to ensure access only happens
through a few entry points.
⬥ ASTM Standard:
🞂 Class I Residential (your house)
🞂 Class II Commercial/General Access (parking garage).
🞂 Class III Industrial/Limited Access (loading dock for 18-wheeler
trucks).
🞂 Class IV Restricted Access (airport or prison).
▪ Bollards (Preventative):
⬥ Used to prevent cars or trucks from entering an
area while allowing foot traffic to pass.
⬥ Often shops use planters or similar; it looks
prettier but achieves the same goal.
⬥ Most are static heavy-duty objects, but some
cylindrical versions can also be electronically
raised or lowered to allow authorized traffic past
a "no traffic" point. Some are permanent fixtures
and can be removed with a key or other unlock
functions.
▪ Lights (Detective and Deterrence):
⬥ Lights should be used to fully illuminate the entire
area.
⬥ Lights can be static, motion activated (static) or
automatic/manual Fresnel lights (search lights).
⬥ Measured in lumens per square foot, or more commonly in lux (1 lumen
per square meter).
▪ CCTV (Closed Circuit Television) (Detective, Deterrence) - used to monitor the
facility’s perimeter and inside it.
⬥ Older cameras are analog and use video tapes for storage (often VHS);
quality is often bad, unclear.
⬥ Modern cameras are digital and use CCD (Charge-Coupled Device); they
also use a DVR (Digital Video Recorder).
⬥ Organizations may have retention requirements either from policies or
legislation that require a certain retention of their video (this could be
bank ATM, data center or entry point footage).
⬥ Cameras can be either static or non-static (automatic or manual).
🞂 We have all seen the spy or heist movies where they avoid them
by knowing the patterns and timers.
🞂 This risk can be mitigated with a randomizer or pseudo randomizer; we
want to ensure full coverage.
▪ Locks (Preventative):
⬥ Key locks:
🞂 Requires a physical key to unlock; keys can be shared/copied.
🞂 Key Bitting Code (how far the key is bitten down for that section) – Can
be copied and replicated without the key from either the numbers or a
photo of it.
🞂 Pin Tumbler Lock (or Yale lock) – A lock mechanism that uses pins of
varying lengths to prevent the lock from opening without the correct key.
🞂 Lock Picking - with a lock pick set or bumping, opening a lock without
the key.
🞂 Any key lock can be picked or bumped; how long it takes depends on
the quality of the lock.
🞂 Lock pick sets lift the pins in the tumbler, opening the lock.
🞂 Lock Bumping - Using a shaved-down key that matches the lock,
the attacker “bumps“ the key handle with a hammer or
screwdriver which makes the pins jump, then the attacker
quickly turns the key.
🞂 Master Keys open any lock in a given area or security zone.
🞂 Both who has them and where they are kept should be very closely
guarded at all times.
🞂 Core Key is used to remove a lock core in "interchangeable core locks."
🞂 An interchangeable core, or IC, is a compact keying mechanism in a
specific figure-eight shape.
🞂 Relies upon a specialized "control" key for insertion and extraction of
the core.
🞂 Should be kept secure and access should be very restricted.
⬥ Combination Locks:
🞂 Not very secure and have limited accountability even
with unique codes.
🞂 Should be used for low security areas.
🞂 Can be Dial type (think safe), Button or Keypad.
🞂 Very susceptible to brute force, shoulder surfing and are often
configured with weak security (I know of a good deal of places where
the code is the street number).
🞂 Over time, the buttons used for the
code will have more wear and tear.
🞂 For 4-number PIN where 4 keys are used, the possible
combinations are no longer 10,000, but 256; if 3 keys, then 81
options.
▪ Smart Cards (contact or contactless):
⬥ They contain a computer circuit, using ICC
(Integrated Circuit Card).
⬥ Contact Cards - Inserted into a machine to be
read.
🞂 This can be credit cards you insert into
the chip reader or the DOD CAC
(Common Access Card).
⬥ Contactless Cards - can be read by proximity.
🞂 Key fobs or credit cards where you just hold it close to a reader.
🞂 They use an RFID (Radio Frequency Identification) tag
(transponder) which is then read by an RFID Transceiver.
▪ Magnetic Stripe Cards:
⬥ Swiped through a reader, no circuit.
⬥ Very easy to duplicate.
▪ Tailgating/Piggybacking:
⬥ Following someone authorized into an area you are not authorized to
be in.
⬥ Often combined with Social Engineering.
⬥ It is easy to do if your reason for being there seems plausible.
⬥ Bring a lot of food, a cake, and some balloons, or wear the clothes and ID
badge and carry the tools that a repairman would; the options are endless.
▪ Mantrap:
⬥ A Mantrap is a room with 2 doors; Door 1 must close completely before
Door 2 can be opened.
⬥ Each door has a different authentication method (something you know,
something you have, something you are).
⬥ They can at times use weight sensors - Bob weighs 220lbs (100kg), the
weight measured by the pressure plate is 390lbs (177kg), someone is
probably in the room with Bob. Door 2 won’t open until Bob is confirmed
alone in the Mantrap with a cart of old servers, normally done by the
cameras in the trap.
▪ Turnstiles (Preventative, Deterrence):
⬥ Also prevents tailgating, by allowing only 1 person to
enter per Authentication (think like in US subway
systems or amusement park entries, but for secure
areas they are often floor to ceiling turnstiles with
interlocking blades).
Both Mantraps and Turnstiles should be designed to allow safe
evacuation in case of an emergency. (Remember that people
are more important to protect than stuff.)
⬥ With technology becoming much smaller, these are less effective when it
comes to data theft; it is easy to hide a microSD memory card, which can
contain up to 1TB+ of data per card.
▪ Motion Detectors (Detective, Deterrence):
⬥ Used to alert staff by triggering an alarm (silent or not).
⬥ Someone is here, did an authorized person pass the
checkpoint?
🞂 IF yes, then log the event and do nothing else.
🞂 IF no, then alert/alarm.
⬥ Basic ones are light-based - They require light, making
them not very reliable.
⬥ Ultrasound, Microwave, Infrared or Laser (pew-pew!!)
🞂 Active sensors, they send energy (sound, wave
or light).
🞂 If the sound takes less time to return or the
pattern it receives back is altered, it means
someone is somewhere they should not be.
🞂 Photoelectric motion sensors send a beam of light to a sensor, if
broken the alarm sounds. These are the pew-pew lasers and
sorry, no, they are not green or red and they are rarely visible.
▪ Perimeter Alarms:
⬥ Door/window sensors – these are thin strips around the edges of the door
or window, or contact sensors.
🞂 If opened, an alarm sounds; if broken, same effect.
🞂 Can be circumvented, but they are part of a layered defense.
⬥ Walls, windows, doors, and any other openings should be considered
equally strong.
⬥ Walls are inherently stronger; the rest need compensating measures
implemented (locks, alarms, sensors).
⬥ Glass is normally easy to break, but can be bullet and/or explosion
proof, or have a wire mesh in the middle.
⬥ Plexiglass can also be used, as it is stronger and does not shatter, but
can be melted.
⬥ Door hinges should always be on the inside (or hidden in the door).
⬥ Just like the turnstiles and mantraps, doors (and in some cases
windows) should be designed to allow safe exit from the building in case
of an emergency. Often there is a "Panic Bar" that opens the door, but
they are also connected to alarms that sound when opened (clearly
labeled Emergency Only - Alarm WILL Sound).
⬥ Most often used in controlled, enclosed areas.
⬥ Liability can be an issue.
⬥ Dogs are trained to corner suspects and
attack someone who’s fleeing. People often
panic when they encounter a dog and run.
⬥ Even if they’re in a secure area, the
organization may still be liable for injuries.
⬥ Can also be internal authorized employees
walking out the wrong door or trying to take a
shortcut.
⬥ They panic and the dog attacks.
⬥ Greenfield - Not built on yet,
undeveloped land.
⬥ Topography - the physical shape of the landscape - hills, valleys, trees,
streams. Most often used at military sites where they can leverage
(sometimes by altering) the topography for better security.
⬥ Utilities - How reliable is the power, the
internet in the area?
⬥ Crime - How high are the crime rates in the area? How close are the
police?
▪ Site Design:
⬥ Site Marking:
🞂 Do not advertise your data center’s (or other critical) locations.
🞂 The more nondescript and boring the building is, the less attention it
gets (security through obscurity).
🞂 A determined attacker can obviously find the information, but the harder
you make it, the less your chances are of being compromised.
🞂 Example: Don't name your credit card processing server
creditcard001.
▪ Wiring Closets
⬥ If shared, the other tenants have access to your network. You can lock it
down, but it is still a big security concern. I have seen a place where
one tenant had all their equipment bolted to the wall, but the wires
were exposed; it would be easy to attach a sniffer to that.
🞂 What size of generators do we need?
🞂 How large of a UPS (Uninterruptible Power Supply) do we need? A huge
battery bank also ensures consistent voltage.
⬥ Fire Suppression:
🞂 Dry pipe vs. wet pipe.
🞂 Halon/Chemical/FM200.
🞂 Fire extinguishers.
● Asset Tracking:
Keeping an accurate inventory of all our assets is important; we can't protect
what we don't know we have. We covered this a little in our risk analysis
section, but other than identifying the assets, we also should have it as part of
our technology refresh cycle to record the Asset Serial Number, Model Number,
and often an internal Asset ID.
▪ Hardware Hardening:
⬥ On our servers - we harden the server.
🞂 Apply all patches, block ports not needed, delete default users,
… most places are good about this.
⬥ Workstations are often overlooked.
▪ Disabling the USB Ports, CD drives and any other port that can introduce
malware to our network.
⬥ Physically: Disabled on motherboard or port itself blocked, easy to
bypass - not very secure.
⬥ Logically: Locked through Windows services or through AD (Active Directory);
not easy to bypass (if done right) - more secure.
⮚ Environmental Controls
● Electricity
It is important to have clean, reliable power for our servers, disk arrays, network
equipment.
⬥ Loss of power can affect our availability and the Integrity of our data.
⬥ Nothing can be accessed and power fluctuations can damage hardware
and corrupt data.
▪ Power Fluctuation Terms:
⬥ Blackout - Long loss of power.
⬥ Fault - Short loss of power.
⬥ Brownout - Long low voltage.
⬥ Sag - Short low voltage.
⬥ Surge - Long high voltage.
⬥ Spike - Short high voltage.
● HVAC:
▪ Heat:
⬥ Many data centers are kept too cold; the last decade’s research has shown
it is not needed.
⬥ Common temperature levels range from 68–77 °F (20–25 °C), with an
allowable range of 59–90 °F (15–32 °C).
⬥ Keeping a data center too cold wastes money and raises humidity.
▪ Pressure:
⬥ Keeping positive pressure keeps outside contaminants out.
▪ Humidity:
⬥ Humidity should be kept between 40% and 60% rH (Relative Humidity).
⬥ Low humidity will cause static electricity and high humidity will corrode
metals (electronics).
▪ Drains:
⬥ Many data centers use subflooring where water and contaminants (mostly
dust) can gather. If an HVAC unit malfunctions, it can leak water.
⬥ It is important to have sensors in the subfloor for both water and dust, and
to regularly vacuum the space.
● Static Electricity:
▪ Can be mitigated by proper humidity control, grounding all circuits, using
antistatic wrist straps and work surfaces.
▪ All personnel working with internal computer equipment (motherboards, insert
cards, memory sticks, hard disks) should ground themselves before working
with the hardware.
[Figures: antistatic shoes (not the prettiest thing I ever saw, but effective!) and an antistatic wrist strap.]
⬥ All exit doors (or special emergency-only doors) have the “panic bar”
(crash bar).
⬥ Just like in the data center, we have warning sirens and lights
throughout the building to alert staff to exit.
● Personnel Safety:
▪ Early Warning Systems (Duress Warning Systems):
⬥ Warning systems are used to provide immediate
alerts to personnel/people in the event of
emergencies, severe weather, threat of violence,
chemical contamination, ...
⬥ Duress systems are mostly local and can use
overhead speakers, sirens or automated
communications like email, pagers, text messages or
automated phone calls.
● Fire Classes:
▪ Remember that the certification is International, so answer appropriately for
the question’s scenario, not for where you live.
▪ Answer all questions from a management or risk advisor level and in a top-down
security organization.
▪ Appropriate fire suppression and extinguishers should be deployed in all areas.
🞂 Pre-Action:
🞂 Single interlock: Water is released into the pipes when the fire
alarm goes off, and flows out when a sprinkler head opens.
🞂 Double interlock: Similar to Dry Pipe, water is not released until
the fire alarm sounds and a sprinkler head is open.
▪ Gases: All gas fire suppression systems must have a visible and audible
countdown so staff can exit the area.
⬥ CO2:
🞂 Should only be used in unmanned areas.
🞂 It is colorless and odorless and causes people in it to pass out
and then die.
🞂 Staff working in an area where CO2 is used should be properly
trained in CO2 safety.
⬥ Halon 1301 has been the industry standard for protecting high-value
assets from fire since the mid-1960s.
🞂 It has many benefits; it is fast-acting, safe for assets, and
requires little storage space.
🞂 It is no longer used widely because it depletes atmospheric
ozone and is potentially harmful to humans.
🞂 In some countries legislation requires the systems to be
removed; in others it is OK to use them still (with recycled
Halon), but systems have not been installed since 1994 (The
Montreal Accord).
The Montreal Accord (197 countries) banned the use and production of
new Halon. A few exceptions for “essential uses” include things like
inhalers for asthma and fire suppression systems in submarines and
aircraft.
⬥ Halon Replacements (other halocarbons and inert gases):
🞂 Argon: 50% Argon gas and 50% Nitrogen gas
🞂 FE-13 (Fluoroform): Low toxicity, low reactivity, and high density.
Breathable up to 30% concentration.
🞂 FM-200 (HFC-227ea): Low toxicity; most are designed to provide a
concentration of 6.25-9% heptafluoropropane.
🞂 Inergen: Nitrogen (52%), Argon (40%), and Carbon Dioxide (8%);
the air is still breathable, but the fire is put out.
🞂 Breathing is more labored due to increased CO2.
● Fire Suppression:
▪ Fire Extinguishers:
⬥ A fire extinguisher is an active fire protection
device used to extinguish or control small fires,
often in emergency situations.
⬥ All portable fire extinguishers should be
marked with the type of fire they are designed
to extinguish.
⬥ Never use a fire extinguisher on a fire it was
not intended for.
⬥ Use the PASS method to extinguish a fire with
a portable fire extinguisher:
🞂 Pull the pin in the handle.
🞂 Aim at the base of the fire.
🞂 Squeeze the lever slowly.
🞂 Sweep from side to side.
⬥ Soda-Acid Extinguishers mix a solution of water and sodium
bicarbonate with an acid (in a vial, which is broken) to expel pressurized
water onto a fire.
⬥ Dry Powder Extinguishers (sodium chloride, graphite, ternary eutectic
chloride).
🞂 Lowers the temperature and removes oxygen in the area.
🞂 Primarily used for metal fires (sodium, magnesium, graphite).
⬥ Wet Chemical (potassium acetate, potassium carbonate, potassium
citrate).
🞂 Extinguishes the fire by forming an air-excluding soapy foam
blanket over the burning oil and by the water content cooling
the oil below its ignition temperature.
● Virtualization
▪ Virtualization also poses new vulnerabilities because the technology is new-ish
and very complex.
▪ Clients on the same host should be on the same network segment
(Internal/DMZ). A host should never house both zones.
▪ Clients should be logically separated on the network like physical servers would
be (HR, Accounting, IT VLANs).
● Cloud Computing
(There is no 'Cloud', it is just another computer somewhere else).
▪ When we use cloud computing we build or outsource some part of our IT
infrastructure, storage, or applications.
▪ This can be done for many good reasons, but most are cost related. It is cheaper
to have someone larger or more specialized in that one area doing it for us.
▪ As with any other outsourcing, make sure you have the right to audit, pen test
(clearly agreed upon criteria), conduct vulnerability assessment, and check that
the vendor is compliant with your industry and the standards you adhere to.
● Web Architecture and Attacks
▪ The internet is a very complex place. Security is often added on as an
afterthought and not designed in as it should be.
▪ On top of that the internet was never intended to be what it is today; it was
originally designed to be a secure closed network.
● Mobile Security
▪ The more external devices we connect, the more complex policies, procedures,
and standards we need.
▪ Mobile devices are really anything “mobile” – External hard disks, USB drives,
CDs, laptops, cell phones, ...
▪ Most internal threats are not malicious people. They just don’t know any
better, didn’t think about it, or figured they wouldn’t get found out.
▪ Good security policies should lock down USB ports, CD drives, network ports,
and wireless networks, disable autorun on media, use full disk encryption, have
remote wipe capabilities, and raise user awareness through training on where (if
anywhere) mobile devices are allowed. (Defense in Depth)
● Cryptography
▪ For the exam, what you need to know is that cryptography helps us:
⬥ Keep our secrets secret (Confidentiality) ← This is what most people
think all cryptography does.
⬥ Keep our data unaltered (Integrity).
⬥ Provide a way to verify (Authentication) our Subjects; it can also
provide non-repudiation.
▪ Cryptography has been used for thousands of years to keep secrets secret.
▪ Encryption should be strong enough to be unbreakable or at least take a very
long time to break; there obviously needs to be a balance between
Confidentiality and Availability.
▪ Modular Math:
⬥ Cryptography uses a lot of modular math.
⬥ For the exam you need to know what it is, but you don't need to know
how to do it.
⬥ Numbers "wrap around" after they reach a certain value (modulus),
which is also why it is called clock math.
Adding "X" (24) to "E" (5) = "C" (3): 24 + 5 = 29, and the English alphabet wraps
around after the 26th letter (the modulus), so 29 becomes 29 - 26 = 3.
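The wrap-around in code, as an added example that is not part of the lecture notes: it uses the page's A=1 ... Z=26 numbering, reproduces X + E = C, and goes one step beyond the page by adding (and subtracting back) a repeating key across a whole word, which is the basic idea behind a polyalphabetic shift cipher. The key "KEY" and the word "HELLO" are constructed sample values.

```python
# Letters are numbered A=1 ... Z=26, exactly as on the page (X=24, E=5, C=3).
MODULUS = 26


def letter_to_number(ch: str) -> int:
    """Position of a single ASCII letter in the alphabet (A=1 ... Z=26)."""
    if not (ch.isascii() and ch.isalpha()):
        raise ValueError(f"not a letter: {ch!r}")
    return ord(ch.upper()) - ord("A") + 1


def number_to_letter(n: int) -> str:
    """Map any integer back to a letter by wrapping around the modulus.
    Python's % never returns a negative value, so subtraction wraps too:
    29 -> 3, -2 -> 24, 26 -> 0 (which we read as Z)."""
    n %= MODULUS
    return "Z" if n == 0 else chr(ord("A") + n - 1)


def add_letters(a: str, b: str) -> str:
    """'Clock math' addition of two letters: X + E = 24 + 5 = 29 -> 3 = C."""
    return number_to_letter(letter_to_number(a) + letter_to_number(b))


def subtract_letters(a: str, b: str) -> str:
    """The inverse operation: C - E = 3 - 5 = -2 -> 24 = X."""
    return number_to_letter(letter_to_number(a) - letter_to_number(b))


def shift_text(text: str, key: str, direction: int = 1) -> str:
    """Add (direction=1) or subtract (direction=-1) a repeating key, letter by
    letter; non-letters are passed through unchanged and do not consume key."""
    out, i = [], 0
    for ch in text:
        if ch.isascii() and ch.isalpha():
            k = key[i % len(key)]
            out.append(add_letters(ch, k) if direction == 1 else subtract_letters(ch, k))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    print(add_letters("X", "E"))            # C, as on the page
    print(subtract_letters("C", "E"))       # back to X
    scrambled = shift_text("HELLO", "KEY")  # constructed sample word and key
    print(scrambled, shift_text(scrambled, "KEY", -1))
```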
● Hashing
Just 1 bit changed completely changes the hash.
Using Great Expectations (Charles Dickens, 1867 edition again; 4 pages at font
size 11, 1827 words, 7731 characters):
▪ Hash#1 is the original:
▪ 2b72b2c18554112e36bd0db4f27f1d89
▪ Hash#2 is with 1 comma removed:
▪ 21b78d32ed57a684e7702b4a30363161
▪ Just a single “.” added will change the hash value to
5058f1af8388633f609cadb75a75dc9d
Remember: variable-length input, fixed-length output.
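The same experiment in code, as an added example that is not part of the lecture notes: a constructed sample text is hashed as-is, with one comma removed, and with one period added, and the number of output bits that flipped is counted; a second helper shows that inputs of very different length all yield the same digest length. MD5 is used only because the 32-hex-digit hashes on the page are MD5-length; it is no longer fit for security use, so the functions take the algorithm name as a parameter.

```python
import hashlib

# Constructed sample text standing in for the page's Great Expectations pages.
TEXT = "Asset inventory: serial number, model number, and an internal asset ID"
COMMA_REMOVED = TEXT.replace(",", "", 1)   # drop one comma, like Hash#2
PERIOD_ADDED = TEXT + "."                  # add a single ".", like the third hash


def digest_hex(text: str, algorithm: str = "md5") -> str:
    """Hex digest of the UTF-8 bytes of text with the named hashlib algorithm."""
    return hashlib.new(algorithm, text.encode("utf-8")).hexdigest()


def bits_differing(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two equal-length hex digests, in bits."""
    if len(hex_a) != len(hex_b):
        raise ValueError("digests must be the same length")
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def avalanche(original: str, modified: str, algorithm: str = "md5") -> dict:
    """Hash both texts and report how many of the output bits changed.
    For a sound hash a single-character edit flips roughly half of them."""
    h1, h2 = digest_hex(original, algorithm), digest_hex(modified, algorithm)
    return {"original": h1, "modified": h2,
            "bits_changed": bits_differing(h1, h2), "bits_total": len(h1) * 4}


def digest_lengths(texts: list, algorithm: str = "md5") -> set:
    """Set of hex-digest lengths seen: always one value, whatever the inputs
    (variable-length input, fixed-length output)."""
    return {len(digest_hex(t, algorithm)) for t in texts}


if __name__ == "__main__":
    for label, variant in (("comma removed", COMMA_REMOVED), ("period added", PERIOD_ADDED)):
        r = avalanche(TEXT, variant)
        print(f"{label}: {r['modified']}  ({r['bits_changed']}/{r['bits_total']} bits changed)")
    # The two hashes quoted on the page (original vs. one comma removed):
    print("page example:", bits_differing("2b72b2c18554112e36bd0db4f27f1d89",
                                          "21b78d32ed57a684e7702b4a30363161"), "bits differ")
    print(digest_lengths(["a", TEXT, TEXT * 100]))            # {32}
    print(digest_lengths(["a", TEXT, TEXT * 100], "sha256"))  # {64}
```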
● Physical Security
▪ Both Mantraps and Turnstiles should be designed to allow safe evacuation
in case of an emergency. (Remember that people are more important to
protect than stuff.)
⮚ What we covered in the third CBK Domain:
In this chapter we talked about how we protect our assets.
✔ How the domain has 3 major knowledge areas (prior to the 2015 exam update,
each had its own domain).
✔ Security Architecture and Design:
🞂 The common security models.
🞂 The architecture, design, virtualization, cloud, and solutions we
use to protect our assets.
🞂 How computers work (basics) and how they are logically
segmented.
🞂 Threats to our applications, systems, and devices.
✔ Cryptography:
🞂 The history of cryptography, types of encryption, hashes,
cryptography attacks, and digital signatures.
✔ Physical Security
🞂 Site and facility secure design principles, perimeter defense,
HVAC, power, and fire suppression.