Information Sharing and Questions for Ed Spencer's CISSP Class

Discussion in 'CISA/CISM/CISSP' started by Ed_Spencer, Nov 10, 2017.

  1. Ed_Spencer

    Ed_Spencer Member
    Alumni

    Joined:
    Nov 10, 2017
    Messages:
    11
    Likes Received:
    0
    I'll be posting links and other information within this thread for the students in my CISSP class.

    I hope everyone is enjoying the class so far, and I'll try to answer questions as well.

    Posts will be forthcoming shortly with information on each of the various CBK sections.
     
    #1
  2. Ed_Spencer

    Ed_Spencer Member
    Alumni

    CBK 1 - Security and Risk Management
    Disclaimer: These are just additional notes and information from the session. They aren't meant to be complete study notes, only supplemental information. While some of these items are useful for the exam, others are not. All of the items are useful to garner additional understanding and expand your knowledge on the subject material.

    Core of nearly everything to do with security:
    CIA Triad - Confidentiality / Integrity / Availability

    The polar opposite of the CIA Triad:
    DOD Triad - Disclosure / Destruction / Denial

    Regulatory Requirements:
    EU GDPR - http://www.eugdpr.org/
    Sarbanes-Oxley (SOX) - https://en.wikipedia.org/wiki/Sarbanes–Oxley_Act

    Due Care vs. Due Diligence
    Due care is acting responsibly.
    Due diligence is verifying those responsible actions are sufficient and that they work. In other words, due diligence is the effort a company makes to demonstrate due care by making sure security policies, procedures, and standards are continually maintained and operational.

    Threat Modeling
    Threat modeling is a procedure for optimizing network security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system.

    https://en.wikipedia.org/wiki/Threat_model#Threat_Modeling_Methodologies_for_IT_Purposes
    Other threat models not mentioned in the materials:
    Application Threat Modeling - OWASP
    Open Source Security Testing Methodology Manual (OSSTMM) - http://www.isecom.org/research/

    BCP/DRP/BIA
    NIST SP800-34 Rev 1 - Contingency Planning Guide for Federal Information Systems
    http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf
     
    #2
  3. _13937

    _13937 Member

    Joined:
    Oct 18, 2017
    Messages:
    8
    Likes Received:
    0
    Hello Ed,

    If you can, please help to explain some topics like:

    Code review: what is the purpose and when is it performed?
    Application Programming Interface (API) testing: difference between API testing and code review
    Misuse case testing
    Fuzzing
    Mutation fuzzing
    Generational fuzzing
     
    #3
  4. _13937

    _13937 Member

    Fagan inspection is a code review process; what other code review processes are there? From an exam perspective, do we really need to understand the steps involved in Fagan inspection?
     
    #4
  5. _13937

    _13937 Member

    What are synthetic transactions?
     
    #5
  6. Ed_Spencer

    Ed_Spencer Member
    Alumni

    We'll be covering some of this in the class this weekend. If there's anything in the list above missing in the remaining material on CBK 6 (Security Assessment and Testing) and CBK 8 (Software Development Security) I'll be sure to post information here after class.
     
    #6
    Last edited: Nov 18, 2017
  7. Ed_Spencer

    Ed_Spencer Member
    Alumni

    My reply is a little long, but I hope you read through and my comments make sense as they apply to a lot of other items we covered /will be covering as well.

    In 'most' cases, an understanding of what something is, and generally what makes it unique, is sufficient for the exam. Remember the adage that the test is 10 miles wide and only an inch deep.

    There are some exceptions to needing to dig in deeper and the OSI model is a good example of where you really need to go much deeper. You need to be able to explain the OSI model and understand what happens at each layer because network protections are based upon them. You'll have multiple questions relating to the layers and not spending the time to learn it could be a major blow to success on the exam. Fortunately, this concept is used in LOTS of certifications like A+, Net+, Sec+, CISM, CASP, and many others so it's just a good thing to learn anyway.

    MAC, DAC, RBAC and a few others require a deeper understanding of the broad concepts but not super deep - about 2 inches deep.

    Keep in mind, this is all outlined in the guide from ISC2.
    https://cert.isc2.org/cissp-exam-outline-form/

    So, with respect to the Fagan inspection, let's look at what is in the Sybex CISSP study guide:
    The most formal code review processes, known as Fagan inspections, follow a rigorous review and testing process with six steps:

    Planning
    Overview
    Preparation
    Inspection
    Rework
    Follow-up

    The Fagan inspection level of formality is normally found only in highly restrictive environments where code flaws may have catastrophic impact.

    If you look at this, if they left out the steps, would it hinder understanding? I think the answer is 'yes'. But at the same time, asking that level of detail based on memorization seems petty. My goal during exam prep is to develop broad understanding of as much material as possible and to avoid memorization except in rare cases. I would know Fagan is a code review method and that it's strict. I'd expect to know the differences between Fagan and other methods in general terms. Much like I'd expect people to know the difference between agile, waterfall, devops, etc. But not necessarily be able to name the steps or draw the process in each. The more you know the better, but sometimes you have to know where to draw the line between learning for the test and learning to expand your career. The test is a fixed bar. Learning something you'll be using on the job is a lifelong effort.
     
    #7
  8. _13937

    _13937 Member

    How to identify the network address and host address of a given IP?
    IP : 192.168.54.5
    Mask: 255.255.192.0

    subnet : 128 192 224 240 248 252 254 255
    3rd Oct: 1 1 0 0 0 0 0 0

    IP : 128 64 32 16 8 4 2 1
    3rd Oct: 0 0 1 1 0 1 1 0

    3rd Oct Value : 0.0.0.0.0.0.0.0 = 0

    Network Address : 192.168.0.0
    Host Address : 0.0.0.5

    First octet value based on Boolean AND would be: 192
    Second octet value based on Boolean AND would be: 168
    Third octet value based on Boolean AND would be: 0

    Is it correct?
     
    #8
  9. _13937

    _13937 Member

    And in the case of the IP below:

    IP : 192.168.225.5
    Subnet: 255.255.224.0

    Network Address: 192.168.224.0
    Host Address : 0.0.1.5

    Am I correct?
     
    #9
  10. Ed_Spencer

    Ed_Spencer Member
    Alumni

    You missed the transfer of the third octet for the host address.

    Once you derive the network address (you know where the line is) then the remaining bits to the right are part of the host address.

    The host address would be 0.0.54.5 on that network (192.168.0.0).
     
    #10
  11. Ed_Spencer

    Ed_Spencer Member
    Alumni

    Yes, you are correct.
     
    #11
  12. _13937

    _13937 Member

    Thanks. Now, how many bits are used for the network address and how many bits are used for the host address?

    IP : 192.168.225.5
    Subnet : 255.255.224.0

    Network Address : 192.168.224.0
    Host Address : 0.0.1.5

    192.168.225.5/?
     
    #12
  13. Ed_Spencer

    Ed_Spencer Member
    Alumni

    The number of bits used is based on the subnet mask. Counting in from the left, you have 8 in the first octet, 8 in the second octet, and 3 in the third. This is 8+8+3 = 19. The network could also be written as 192.168.224.0/19.
     
    #13
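The subnet arithmetic worked by hand in posts #8 through #13, as an added example that is not from the thread: the network address is the address ANDed with the mask, the host part is the address ANDed with the inverted mask, and the /prefix is the count of 1 bits in the mask. It goes one step further than the thread by also deriving the broadcast address and usable-host count, and it rejects a non-contiguous mask; Python's standard ipaddress module is used only for dotted-quad conversion.

```python
import ipaddress


def octets_to_int(dotted: str) -> int:
    """'192.168.54.5' -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def int_to_octets(value: int) -> str:
    """32-bit integer -> dotted quad."""
    return str(ipaddress.IPv4Address(value))


def binary_octets(dotted: str) -> str:
    """Each octet as 8 bits, matching the hand-worked tables in the thread."""
    return ".".join(f"{int(o):08b}" for o in dotted.split("."))


def analyze(ip: str, mask: str) -> dict:
    """Split an IPv4 address into network and host parts using a dotted mask.

    Network address = address AND mask (the thread's 'Boolean AND');
    host part = the bits the mask leaves clear (address AND inverted mask);
    prefix length = number of 1 bits in the mask.
    """
    ip_int, mask_int = octets_to_int(ip), octets_to_int(mask)
    prefix = bin(mask_int).count("1")
    # A valid mask is a contiguous run of ones followed by zeros; reject 255.0.255.0 etc.
    if mask_int != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    host_bits = ~mask_int & 0xFFFFFFFF
    network = ip_int & mask_int
    return {
        "network": int_to_octets(network),
        "host": int_to_octets(ip_int & host_bits),
        "prefix": prefix,
        "cidr": f"{int_to_octets(network)}/{prefix}",
        # Broadcast sets every host bit; usable hosts exclude network and broadcast.
        "broadcast": int_to_octets(network | host_bits),
        "usable_hosts": max(2 ** (32 - prefix) - 2, 0),
    }


if __name__ == "__main__":
    # The two addresses worked by hand in the thread.
    for ip, mask in [("192.168.54.5", "255.255.192.0"), ("192.168.225.5", "255.255.224.0")]:
        print(binary_octets(ip), "AND", binary_octets(mask))
        print(analyze(ip, mask))
```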
  14. _13937

    _13937 Member

    Thanks, but usually it's written with the IP address, like 172.138.53.5/23. Does that denote the network address or the subnet mask?
     
    #14
  15. _13937

    _13937 Member

    Could you please share a link to develop more understanding of the OSI model?
     
    #15
  16. Ed_Spencer

    Ed_Spencer Member
    Alumni

    It can be, however, it's far more common for the network to be written that way. When you deal with a large number of networks in an organization using this nomenclature is just far more effective so you have everything together. Some routers actually let you specify the subnet mask this way as well to speed input rather than requiring you to say 'MASK 255.255.255.252' in the configuration.

    I should clarify something here. The subnet is written using the / notation when specifying a range most often rather than an actual IP address. It's not that it can't be, just that it's not that common for it to be written that way. Part of the reason is to not rely upon someone's conversion of notation when putting the information into the fields on the local computer. Often the person putting in the information doesn't understand and will actually try to use the slash notation (/) into the IP address field and complain when it doesn't work.

    So while technically correct, the notation isn't necessarily common for some of the reasons I pointed out above.
     
    #16
    Last edited: Nov 19, 2017
  17. Ed_Spencer

    Ed_Spencer Member
    Alumni

    Certainly! There are a LOT of links and articles on the OSI model. My personal recommendation is to get Wireshark, install it, and review a short capture to see what's really going on. You can actually see the construction of individual packets/frames. You can actually see the TCP handshake, the ARP broadcasts, etc. It creates a tangible view of a theory.

    Articles:
    Wikipedia - https://en.wikipedia.org/wiki/OSI_model
    Microsoft - https://support.microsoft.com/en-us...-seven-layers-defined-and-functions-explained
    Cisco - https://www.cisco.com/cpress/cc/td/cpress/fund/ith/ith01gb.htm

    Those should be a good starting point. If you want to read a book on networking to get more understanding I highly recommend 'Internetworking with TCP/IP Vol 1' by Douglas Comer. While the link below is to the latest edition, any of them will suffice for the information on the OSI model so don't be concerned with a less expensive used copy if you go that route. My own copy is a couple editions back at this point.

    https://www.amazon.com/Internetworking-TCP-IP-One-6th/dp/013608530X

    Another highly recommended book is 'TCP/IP Illustrated'. I'll be honest, I haven't read it - mainly because I already had Douglas Comer's book and felt I had a good grasp on the topic. But it's probably the most often recommended book to me over the years for TCP/IP.
     
    #17