CISSP Essential Concepts

The document outlines essential concepts for CISSP, covering core security principles such as the CIA triad, security governance, risk management, access control, network security, cryptography, and incident response. It emphasizes the importance of security policies, risk assessment, and the implementation of various security controls across different domains. Additionally, it discusses software security practices, personnel security, and physical security measures to ensure comprehensive protection of information systems.

Prepared by
G. M. Faruk Ahmed, CISSP, CISA
https://www.linkedin.com/in/gmfaruk/

Core Security Concepts

CIA Triad
- Confidentiality: Prevents unauthorized disclosure of information
- Integrity: Prevents unauthorized modification of information
- Availability: Ensures authorized users can access resources when needed

Security Governance
- Policies: High-level objectives (mandatory)
- Standards: Technical requirements (mandatory)
- Procedures: Step-by-step processes (mandatory)
- Guidelines: Best practices (optional)

Risk Management
- Risk = Threat × Vulnerability
- SLE (Single Loss Expectancy) = Asset Value × Exposure Factor
- ALE (Annual Loss Expectancy) = ARO × SLE
- Risk Responses:
o Avoid: Change business practices
o Mitigate: Implement controls
o Transfer: Insurance/contracts
o Accept: Continue operations

Access Control & Identity Management

Authentication Factors
1. Something you know (Type 1): passwords
2. Something you have (Type 2): tokens
3. Something you are (Type 3): biometrics

Access Control Models

- DAC: Owner-based permissions
- MAC: System-enforced security levels
- RBAC: Role-based permissions
- Rule of Least Privilege: Minimum necessary access
- Separation of Duties: Split critical tasks

Network Security
OSI Model Layers
1. Physical: Bits transmission
2. Data Link: MAC addresses, frames
3. Network: IP routing, packets
4. Transport: TCP/UDP, connections
5. Session: Session management
6. Presentation: Data formatting
7. Application: User interface

Key Protocols & Ports

- HTTP: 80
- HTTPS: 443
- FTP: 20/21
- SSH: 22
- DNS: 53
- SMTP: 25
- SNMP: 161/162

Cryptography
Types
- Symmetric: Same key for encryption/decryption
o AES, 3DES
- Asymmetric: Public/private key pairs
o RSA, ECC
- Hashing: One-way functions (MD5, SHA)

Digital Certificates
- X.509 standard
- Contains public key
- Signed by Certificate Authority
- Used in PKI

Business Continuity & Disaster Recovery
Backup Types
- Full: Complete backup of all data
- Incremental: Changes since last full backup
- Differential: Changes since last full or incremental

Recovery Sites
- Hot Site: Fully equipped, immediate
- Warm Site: Partial equipment, some delay
- Cold Site: Basic facility only

Security Operations
Incident Response Steps
1. Detection
2. Response
3. Mitigation
4. Reporting
5. Recovery
6. Lessons Learned

Investigation Types
- Criminal: Beyond reasonable doubt
- Civil: Preponderance of evidence
- Administrative: Internal matters
- Regulatory: Compliance verification

Software Security
SDLC Security
- Requirements: Security requirements
- Design: Threat modeling
- Development: Secure coding
- Testing: Security testing
- Deployment: Secure configuration
- Maintenance: Patch management

Common Web Vulnerabilities
1. Injection attacks
2. Authentication issues
3. XSS (Cross-site scripting)
4. CSRF (Cross-site request forgery)
5. Access control issues

Personnel Security
Key Principles
- Need to Know: Business requirement
- Least Privilege: Minimum access
- Separation of Duties: Split sensitive tasks
- Job Rotation: Prevent fraud
- Mandatory Vacations: Detect misconduct

Physical Security
Environmental Controls
- Fire Suppression:
o Class A: Common materials
o Class B: Liquids
o Class C: Electrical
o Class D: Metals
- Power Protection:
o UPS systems
o Generators
o Surge protectors

Access Controls
- Preventive: Guards, locks
- Detective: Cameras, alarms
- Deterrent: Signs, lighting
- Compensating: Alternative controls

Domain 1: Security and Risk Management
Core Security Concepts
Concept | Description | Key Components
CIA Triad | Core security goals | Confidentiality: Prevents unauthorized disclosure; Integrity: Prevents unauthorized modification; Availability: Ensures timely access
Security Governance | Management framework | Strategic planning; Risk management; Policy development; Resource allocation
Due Care/Diligence | Legal obligations | Due Care: Taking reasonable steps; Due Diligence: Ensuring implementation; Prudent Person Rule

Policy Framework
Type | Compliance | Purpose | Example
Policies | Mandatory | High-level direction | Acceptable Use Policy
Standards | Mandatory | Specific requirements | Password complexity
Procedures | Mandatory | Step-by-step instructions | Incident response steps
Guidelines | Optional | Best practices | Security recommendations

Risk Management
Component | Formula/Description | Examples
SLE | Asset Value × Exposure Factor | $100,000 asset × 0.3 = $30,000
ALE | ARO × SLE | 0.1 × $30,000 = $3,000
Risk Responses | Strategic decisions | Avoid; Mitigate; Transfer; Accept
Controls | Implementation methods | Technical; Administrative; Physical
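
The SLE/ALE formulas above (and in the earlier Risk Management list) worked as code, with a control cost/benefit step and a simplified mapping onto the four risk responses. This is an added illustration, not part of the original sheet; the decision rule in recommend_response and the control/insurance figures are assumptions.

```python
# Quantitative risk formulas from the sheet (SLE, ALE) plus a control cost/benefit step.
# Added illustration; the control cost and insurance premium below are constructed.

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value x Exposure Factor.
    The exposure factor is the fraction of the asset's value lost in one incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(aro: float, sle: float) -> float:
    """ALE = ARO x SLE, where ARO is the expected number of incidents per year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return aro * sle


def control_net_benefit(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Yearly value of a safeguard: (ALE before - ALE after) - annual cost of the control.
    Positive means the control saves more than it costs."""
    return (ale_before - ale_after) - annual_cost


def recommend_response(ale_before: float, ale_after: float, annual_cost: float,
                       insurance_premium: float) -> str:
    """Assumed, simplified decision rule over the sheet's four responses:
    Mitigate if the control pays for itself, else Transfer if insurance costs less than
    the expected annual loss, else Accept. Avoid is a business decision, not a formula."""
    if control_net_benefit(ale_before, ale_after, annual_cost) > 0:
        return "Mitigate"
    if insurance_premium < ale_before:
        return "Transfer"
    return "Accept"


if __name__ == "__main__":
    # The sheet's own worked figures: $100,000 asset, EF 0.3, ARO 0.1
    sle = single_loss_expectancy(100_000, 0.3)      # 30000.0
    ale = annual_loss_expectancy(0.1, sle)          # 3000.0
    # Constructed: a $1,200/year control cuts ARO to 0.02; insurance would cost $2,500/year
    ale_after = annual_loss_expectancy(0.02, sle)   # 600.0
    print(sle, ale, control_net_benefit(ale, ale_after, 1_200),
          recommend_response(ale, ale_after, 1_200, 2_500))
```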

Domain 2: Asset Security
Data Classification
Level | Government | Commercial | Protection Requirements
Highest | Top Secret | Confidential | Strict access controls; Encryption; Auditing
High | Secret | Private | Need-to-know; Limited access
Medium | Confidential | Sensitive | Access controls; Monitoring
Low | Unclassified | Public | Basic protection

Data States and Protection
State | Description | Protection Methods
At Rest | Stored data | Encryption; Access controls; Backup
In Transit | Moving data | TLS/SSL; VPN; SFTP
In Use | Processing data | Memory encryption; Process isolation

Domain 3: Security Architecture

Access Control Models
Model | Purpose | Key Principles | Example
DAC | Owner-based | Owner assigns rights; Flexible | File permissions
MAC | System-enforced | Labels; No override | Military systems
RBAC | Role-based | Job functions; Hierarchical | Corporate access
ABAC | Attribute-based | Dynamic; Context-aware | Cloud services
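
The same access request evaluated under DAC, MAC and RBAC (covering this table and the earlier Access Control Models list). This is an added illustration, not the sheet's own material; the users, objects and policies are constructed, and Bell-LaPadula style "read down, write up" rules are assumed for the MAC column.

```python
# Added illustration: one request, three access control models. All names and
# policies are constructed; MAC uses assumed Bell-LaPadula rules (read down, write up).

LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

# DAC: the object's owner hands out rights; the ACL is whatever the owner set.
OWNER = {"plan.docx": "alice"}
ACL = {"plan.docx": {"bob": {"read"}}}

# MAC: clearances and labels are set by the system; no user can override them.
CLEARANCE = {"alice": "Secret", "bob": "Confidential", "carol": "Top Secret"}
LABEL = {"plan.docx": "Secret"}

# RBAC: permissions attach to job-function roles; users are assigned roles.
ROLES = {"alice": {"analyst"}, "bob": {"contractor"}, "carol": {"manager"}}
ROLE_PERMS = {"analyst": {("plan.docx", "read"), ("plan.docx", "write")},
              "manager": {("plan.docx", "read")}}


def dac_allowed(subject: str, obj: str, action: str) -> bool:
    """Owner is always allowed; anyone else needs an ACL entry for that action."""
    return OWNER.get(obj) == subject or action in ACL.get(obj, {}).get(subject, set())


def mac_allowed(subject: str, obj: str, action: str) -> bool:
    """Simple property: read only at or below clearance. *-property: write only at or above."""
    s, o = LEVELS[CLEARANCE[subject]], LEVELS[LABEL[obj]]
    if action == "read":
        return s >= o
    if action == "write":
        return s <= o
    return False


def rbac_allowed(subject: str, obj: str, action: str) -> bool:
    """Allowed if any of the subject's roles carries the (object, action) permission."""
    return any((obj, action) in ROLE_PERMS.get(r, set()) for r in ROLES.get(subject, set()))


def evaluate(subject: str, obj: str, action: str) -> dict:
    """Run the same request through all three models; a real system enforces one (or layers them)."""
    return {"DAC": dac_allowed(subject, obj, action),
            "MAC": mac_allowed(subject, obj, action),
            "RBAC": rbac_allowed(subject, obj, action)}


if __name__ == "__main__":
    for who, act in [("alice", "write"), ("bob", "read"), ("carol", "read"), ("carol", "write")]:
        print(who, act, evaluate(who, "plan.docx", act))
```

Note that carol, with the highest clearance, is denied a write under MAC (no write down) even though she could read the file, while bob is allowed by the owner's ACL but blocked by his clearance.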
Cryptography
Type | Algorithms | Key Management | Use Cases
Symmetric | AES; 3DES | Shared secret | Bulk encryption; Performance critical
Asymmetric | RSA; ECC | Public/private pair | Digital signatures; Key exchange
Hash | SHA-256; SHA-3 | No keys | Integrity checking; Password storage

Domain 4: Network Security

Network Protocols
Protocol | Port | Purpose | Security Considerations
HTTPS | 443 | Secure web | TLS configuration; Certificate management
SSH | 22 | Secure shell | Key-based auth; Version control
DNS | 53 | Name resolution | DNSSEC; Zone transfers
SMTP | 25 | Email | TLS; Authentication

Network Security Controls
Control | Purpose | Implementation | Considerations
Firewall | Traffic control | Stateful; Next-gen | Rule maintenance
IDS/IPS | Attack detection | Signature-based; Behavioral | False positives
VPN | Secure tunnel | IPSec; SSL/TLS | Key management
NAC | Access control | 802.1X; Posture check | Client compatibility

Domain 5: Identity Management
Authentication Methods
Method | Strength | Advantages | Disadvantages
Passwords | Basic | Simple; Universal | Weak; Reuse
MFA | Strong | Multiple factors; Resistant to theft | Complexity; Cost
Biometrics | Very Strong | Unique; Non-transferable | False positives; Privacy
Certificates | Strong | PKI-based; Non-repudiation | Management overhead

IAM Processes
Process | Purpose | Components | Best Practices
Provisioning | Account creation | Workflow; Approval | Automation
Authentication | Identity verification | Factors; Methods | Multi-factor
Authorization | Access control | Permissions; Roles | Least privilege
Auditing | Compliance | Logs; Reviews | Regular review

Domain 6: Security Assessment

Testing Types
Type | Purpose | Methods | Frequency
Vulnerability | Find weaknesses | Scanning; Analysis | Monthly
Penetration | Exploit testing | Manual; Automated | Quarterly
Configuration | Settings review | Automated; Manual | Weekly
Code Review | Software security | Static; Dynamic | Continuous

Audit Types
Type | Scope | Conducted By | Purpose
Internal | Organization | Internal team | Policy compliance
External | Organization | Third party | Independent review
Compliance | Requirements | Auditor | Regulatory check
Security | Controls | Security team | Control effectiveness

Domain 7: Security Operations

Incident Response
Phase | Activities | Team | Documentation
Preparation | Planning; Training | IR Team | Playbooks
Detection | Monitoring; Analysis | SOC | Alerts
Response | Containment; Eradication | IR Team | Incident report
Recovery | Restoration; Verification | IT & IR | Recovery log

Business Continuity
Component | Purpose | Elements | Metrics
BCP | Business continuation | Processes; Resources | RTO
DRP | IT recovery | Systems; Data | RPO
Crisis Management | Leadership | Decision making; Communication | MTD

Domain 8: Software Security
Secure SDLC
Phase | Security Activities | Deliverables | Controls
Planning | Requirements; Risk assessment | Security plan | Review
Design | Threat modeling; Architecture review | Security architecture | Validation
Development | Secure coding; Code review | Secure code | Testing
Testing | Security testing; Vulnerability scanning | Test results | Verification
Deployment | Secure configuration; Hardening | Production system | Monitoring

Common Vulnerabilities
Category | Examples | Prevention | Detection
Injection | SQL; Command | Input validation | SAST/DAST
Authentication | Weak passwords; Session hijacking | Strong auth | Monitoring
Authorization | Missing checks; Privilege escalation | Access control | Audit logs
Encryption | Weak algorithms; Poor key management | Strong crypto | Configuration review