CISSP Domains: Who’s on first?

I just realized something today that I found a tad bit annoying. The numbering of the domains of the CISSP Common Body of Knowledge (CBK) is actually trivial (can’t think of a better word at the moment). I am reviewing some items on my CISSP notes today and was looking at Domain 2: Telecommunications and Network Security. I wanted to compare some of my notes (written in 2006) to whatever else I can find in the web.

So I Googled, “CISSP Domain 2”.  The result was TechTarget’s SearchSecurity.com listed at number 1. And it says “CISSP Domain 2 quiz: Access Control.” Access Control? What do you mean Access Control? I thought “Telecommunications and Network Security” is the CBK”s Domain 2? Read more

CISSP Exam Note (Domain 1: Access Control) – Centralized & Decentralized, etc…

Access Control – Centralized and Decentralized

Centralized Access Control – is a facility in which all the core functions for access such as Authentication, Authorization, and Accountability (AAA) are performed from a centralized location.

• RADIUS – Remote Access Dial-In User Service (incorporates an AS and dynamic password)
• TACACS – Terminal Access Controller Access Control System (for network applications, static pwd)
• TACACS+ – Terminal Access Controller Access Control System Plus, supports token authentication

CHAP – Challenge Handshake Authentication Protocol

• Supports encryption, protects password

Decentralized Access Control – generally require medium to large workgroups of individuals and carry higher administrative overhead accordingly. In a decentralized environment, maintaining a homogeny of equipment and services scales in increasing difficulty with proportion to the number of access control points. Changes effected on individual systems are spread locally, instead of having the wide-reaching consequences and effects of a singular centralized system. Read more

CISSP Note (Domain 1: Access Control) – Three Things to Consider

Three things to consider

• Threats – potential to cause harm
• Vulnerabilities – weakness that can be exploited
• Risk – potential for harm

Risk is the likelihood that something bad will happen that causes harm to an informational asset (or the loss of the asset). A vulnerability is a weakness that could be used to endanger or cause harm to an informational asset. A threat is anything (man made or act of nature) that has the potential to cause harm.

The likelihood that a threat will use a vulnerability to cause harm creates a risk. When a threat does use a vulnerability to inflict harm, it has an impact. In the context of information security, the impact is a loss of availability, integrity, and confidentiality, and possibly other losses (lost income, loss of life, loss of real property). It should be pointed out that it is not possible to identify all risks, nor is it possible to eliminate all risk. The remaining risk is called residual risk.

Planning to take the CISSP Exam? Get a copy of my personal notes (300plus pages worth) that I used to pass the exam for only $25.00. Click the Add To Cart Button to Purchase Plus you will also get copies of notes from other CISSPs. Learn more about this package by visiting this blog entry: CISSP REVIEW NOTES I USED TO PASS THE EXAM. CLICK BELOW TO MAKE YOUR PURCHASE NOW. All Purchases are securely processed through Paypal. IMPORTANT NOTICE: I MANUALLY REVIEW ALL ORDERS. SO ONCE YOU PURCHASE THE PRODUCT, THERE WILL BE SOME DELAY ON YOU RECIEVING AN E-MAIL FROM ME WITH THE LINK TO THE DOWNLOAD AREA OF THE PRODUCT. YOU WILL GET A RESPONSE FROM ME WITHIN 24-48 HOURS.

CISSP Note (Domain 1: Access Control): C.I.A. – Quick Definitions

Information Security has three key focus ensuring the Confidentiality, Integrity and Availability of information, commonly known as C.I.A. Below are their definitions.

Confidentiality – ensure that information is not disclosed to unauthorized person

Integrity

• Prevention of modification by unauthorized users
• Prevention of unauthorized changes by otherwise authorized users
• Internal and external consistency
  • Internal consistency within the system (i.e. within a database the sum of subtotals is equal to the sum of all units)
  • External consistency – database with the real world (i.e. database total is equal to the actual inventory in the warehouse)

Availability – ability of authorized personnel to access information on time and as necessary Read more

• Join Me On Facebook

  Trehb101 - Got Geek?
  
  Promote Your Page Too

• Entry Categories

  • All Other Items (1)
  • Biz Mgt & Dev (8)
  • Blog-keeping (1)
  • Bum-A-Post (3)
  • Don's eBook Report (22)
  • eBooks, etc… (9)
  • eCommerce / eBiz (22)
  • Entrepreneurship (21)
  • Geek Mail (4)
  • Information Security (49)
  • Information Systems (46)
  • Information Technology (34)
  • InfoSec Docs (11)
  • Internet Docs (3)
  • Internet Marketing (44)
  • IT Docs (4)
  • Life Happens (22)
  • Project Management (28)
  • Random Stuff (13)
  • The Demondaynizer (4)
  • The Internet (75)
  • Web Design / Development (34)
  • Yeah Boy! Yah Suck! (5)

• Recent Posts

  • What we are up against…
  • Why Information Security: D-UH!
  • From the Geek Mail: Facebook Pushes the Privacy Envelope with Data Sharing
  • From the Geek Mail: 2011 Top Tech Jobs
  • Information Security Management in the Wild Wide Web
  • Simple Math: Maybe the Difference in your Cert Exam Pass/Fail Chances
  • IT from Cost Center to Revenue Generator

• Follow Me on Twitter

• Business Tech Press Releases

  • HostWire Merges into WRGL February 10, 2012
  • Altera Announces Upcoming Schedule of Events With the Financial Community February 10, 2012
  • Faruqi & Faruqi, LLP Announces Investigation of Powerwave Technologies, Inc. February 10, 2012
  • Satisfy Your Valentine in 10 Minutes from Your Mobile Phone or Tablet February 10, 2012
  • Italsuit Brings Bargain-Hunting Thrills to Shopping Online February 10, 2012

• Archives

  Select Month March 2011  (1) February 2011  (3) January 2011  (4) December 2010  (3) October 2010  (2) August 2010  (4) July 2010  (19) June 2010  (28) May 2010  (37) April 2010  (63) March 2010  (54) February 2010  (1) January 2010  (4) December 2009  (18) November 2009  (27) October 2009  (4) September 2009  (1)

• Tags

  Book Building business CISSP CISSP Exam CISSP reviewer Development Dummies eBusiness Edition Engine Entrepreneurship Exam facebook From Google Guide Hardcover Information Information Security internet Joomla Maceo MAD MAC Management marketing Media Online Optimization Paperback PMP Exam Professional Project Search Secrets Security Social strategies Technology Trehb101 Tweets Twitter with Wordpress Your

• Your Shopping Cart

  Your cart is empty

• Calendar

  February 2012

  M	T	W	T	F	S	S
  « Mar
  		1	2	3	4	5
  6	7	8	9	10	11	12
  13	14	15	16	17	18	19
  20	21	22	23	24	25	26
  27	28	29

• From the National Vulnerability Database

  • CVE-2011-3958 (chrome) February 7, 2012
    Google Chrome before 17.0.963.46 does not properly perform casts of variables during handling of a column span, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted document. […]
    nvd@nist.gov
  • CVE-2012-1033 (bind) February 7, 2012
    The resolver in ISC BIND 9 through 9.8.1-P1 does not properly implement a cache update policy, which allows remote attackers to trigger continued resolvability of domain names that are no longer registered via an unspecified "Ghost Names exploit." […]
    nvd@nist.gov
  • CVE-2011-3971 (chrome) February 7, 2012
    Use-after-free vulnerability in Google Chrome before 17.0.963.46 allows user-assisted remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to mousemove events. […]
    nvd@nist.gov
  • CVE-2011-3954 (chrome) February 7, 2012
    Google Chrome before 17.0.963.46 allows remote attackers to cause a denial of service (application crash) via vectors that trigger a large amount of database usage. […]
    nvd@nist.gov
  • CVE-2011-3970 (chrome, libxslt) February 7, 2012
    libxslt, as used in Google Chrome before 17.0.963.46, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. […]
    nvd@nist.gov
  • CVE-2012-0926 (realplayer, realplayer_sp) February 7, 2012
    The RV10 codec in RealNetworks RealPlayer 11.x, 14.x, and 15.x before 15.02.71, and RealPlayer SP 1.0 through 1.1.5, does not properly handle height and width values, which allows remote attackers to execute arbitrary code via a crafted RV10 RealVideo video stream. […]
    nvd@nist.gov
  • CVE-2011-3969 (chrome) February 7, 2012
    Use-after-free vulnerability in Google Chrome before 17.0.963.46 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to layout of SVG documents. […]
    nvd@nist.gov
  • CVE-2011-3956 (chrome) February 7, 2012
    The extension implementation in Google Chrome before 17.0.963.46 does not properly handle sandboxed origins, which might allow remote attackers to bypass the Same Origin Policy via a crafted extension. […]
    nvd@nist.gov
  • CVE-2011-3968 (chrome) February 7, 2012
    Use-after-free vulnerability in Google Chrome before 17.0.963.46 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving Cascading Style Sheets (CSS) token sequences. […]
    nvd@nist.gov
  • CVE-2012-1035 (ada_web_services) February 7, 2012
    AdaCore Ada Web Services (AWS) before 2.10.2 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. […]
    nvd@nist.gov