Summary
The foundation of the CISSP. Covers governance frameworks, security policies, risk analysis (qualitative & quantitative), legal compliance (GDPR, HIPAA, SOX), and ethics. The CIA triad — Confidentiality, Integrity, Availability — originates here.
Key risk concepts: asset value, threat, vulnerability, likelihood, impact, and controls (preventive, detective, corrective). Risk can be accepted, avoided, mitigated, or transferred.
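The quantitative side of the risk analysis above, worked through as an added illustration (not from the page): SLE = AV x EF, ALE = SLE x ARO, and the cost-benefit test that decides between mitigating and accepting or transferring. All asset values, exposure factors and rates are constructed sample figures.

```python
# Added illustration (not from the page): quantitative risk analysis.
# SLE = AV x EF, ALE = SLE x ARO, and a control is cost-justified when the
# ALE it removes exceeds its annual cost. Every figure below is a constructed
# sample value, not a real valuation.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: value of the asset in currency units
    exposure_factor: float  # EF: fraction of AV lost in one incident (0..1)
    aro: float              # ARO: expected incidents per year

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss per year."""
        return self.sle * self.aro


def control_value(risk: Risk, annual_cost: float, reduced_aro: float) -> float:
    """Net annual value of a control = ALE before - ALE after - control cost."""
    ale_after = risk.sle * reduced_aro
    return risk.ale - ale_after - annual_cost


def treatment(risk: Risk, annual_cost: float, reduced_aro: float) -> str:
    """Pick the risk treatment: mitigate when the control pays for itself,
    otherwise accept or transfer (e.g. insure) the residual risk."""
    return "mitigate" if control_value(risk, annual_cost, reduced_aro) > 0 else "accept/transfer"


# Constructed scenario: a 200,000 database server; ransomware destroys 60% of
# its value (EF 0.6) and is expected once every four years (ARO 0.25).
DB_RANSOMWARE = Risk("db-ransomware", asset_value=200_000, exposure_factor=0.60, aro=0.25)

if __name__ == "__main__":
    print(f"SLE={DB_RANSOMWARE.sle:,.0f}  ALE={DB_RANSOMWARE.ale:,.0f}")
    # Offline backups at 8,000/yr cut the rate of actual data loss to 0.05/yr
    print("backups:", treatment(DB_RANSOMWARE, 8_000, 0.05))
    # A 30,000/yr control with the same effect costs more than it saves
    print("expensive control:", treatment(DB_RANSOMWARE, 30_000, 0.05))
```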
Linux Example — Audit & Policy
# Install and enable Linux Audit Daemon
apt install -y auditd audispd-plugins
systemctl enable --now auditd

# Watch writes to /etc/passwd (integrity control)
auditctl -w /etc/passwd -p wa -k passwd_changes

# Watch /etc/sudoers (privilege escalation risk)
auditctl -w /etc/sudoers -p wa -k sudoers_mod
# auditctl rules are runtime-only; persist them in /etc/audit/rules.d/*.rules

# View audit log for those events
ausearch -k passwd_changes --interpret

# Generate summary report (audit evidence; event counts support ARO/ALE estimates)
aureport --summary -i

Summary Report
==============
Range of time: ...
Number of changes to /etc: 3
Number of logins: 47
Number of failed logins: 2
Summary
Focuses on classifying, handling, and protecting data throughout its lifecycle. Addresses data ownership (owner, custodian, user), retention policies, data remanence, and secure destruction. Classification levels (Top Secret → Unclassified in government; Confidential → Public in business) drive access controls and handling procedures.
Linux Example — Encryption & Secure Erase
# Encrypt a sensitive file (data-at-rest)
gpg --symmetric --cipher-algo AES256 secret.txt
Enter passphrase: ••••••••

# LUKS full-disk encryption on a block device
cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 /dev/sdb
cryptsetup luksOpen /dev/sdb secure_vault
mkfs.ext4 /dev/mapper/secure_vault

# Secure wipe — 3-pass DoD 5220.22-M style (magnetic disks; wear levelling
# makes overwrite passes unreliable on SSDs)
shred -v -n 3 -z /dev/sdb

# For SSDs use ATA Secure Erase via hdparm (a temporary drive password must
# be set before the erase command is accepted)
hdparm --user-master u --security-set-pass NULL /dev/sdb
hdparm --user-master u --security-erase NULL /dev/sdb

# Set file classification label in metadata
setfattr -n user.classification -v "CONFIDENTIAL" report.pdf
getfattr -n user.classification report.pdf
user.classification="CONFIDENTIAL"
Summary
Covers security models (Bell-LaPadula, Biba, Clark-Wilson), trusted computing, cryptography, and physical security. MAC (Mandatory Access Control) and DAC (Discretionary Access Control) originate here. SELinux and AppArmor are Linux implementations of MAC.
Bell-LaPadula = no read up, no write down (confidentiality). Biba = no write up, no read down (integrity).
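The two rule sets above, as an added illustration (not from the page) that encodes them as executable access checks and runs the same subject against the same objects under each model to show the answers invert. The level names are constructed; reusing the confidentiality labels as Biba integrity levels is purely for illustration.

```python
# Added illustration (not from the page): the Bell-LaPadula and Biba rules
# as executable access checks. Levels are a simple ordered lattice; the same
# names are reused as integrity levels for Biba purely for illustration.
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula (confidentiality): simple security property = no read up,
    *-property = no write down."""
    if op == "read":
        return subject >= obj   # read only at or below own clearance
    if op == "write":
        return subject <= obj   # write only at or above own clearance
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba (integrity): simple integrity = no read down,
    *-integrity = no write up."""
    if op == "read":
        return subject <= obj   # read only at or above own integrity level
    if op == "write":
        return subject >= obj   # write only at or below own integrity level
    raise ValueError(f"unknown operation {op!r}")


def decide(model: str, subject: Level, obj: Level, op: str) -> str:
    """Return ALLOW or DENY under model 'blp' or 'biba'."""
    check = {"blp": blp_allows, "biba": biba_allows}[model]
    return "ALLOW" if check(subject, obj, op) else "DENY"


if __name__ == "__main__":
    # A SECRET subject against CONFIDENTIAL and TOP_SECRET objects: each
    # model gives the opposite answer, so neither alone gives both properties.
    for model in ("blp", "biba"):
        for obj in (Level.CONFIDENTIAL, Level.TOP_SECRET):
            for op in ("read", "write"):
                print(f"{model:4} SECRET {op:5} {obj.name:12} "
                      f"{decide(model, Level.SECRET, obj, op)}")
```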
Linux Example — SELinux & AppArmor
### SELinux (RHEL / Fedora / CentOS) ###
# Check current mode
getenforce
Enforcing

# Set enforcing at runtime (does not survive a reboot)
setenforce 1
# Persist across reboots: /etc/selinux/config → SELINUX=enforcing

# View security context of a process (nginx)
ps -eZ | grep nginx
system_u:system_r:httpd_t:s0 /usr/sbin/nginx

# View file context
ls -Z /var/www/html/
system_u:object_r:httpd_sys_content_t:s0 index.html

# Restore default SELinux context
restorecon -Rv /var/www/html/

### AppArmor (Ubuntu / Debian) ###
# Check status
aa-status
34 profiles loaded; 27 in enforce mode

# Put nginx profile in enforce mode
aa-enforce /etc/apparmor.d/usr.sbin.nginx

# Profile snippet — deny /etc/shadow reads
profile nginx /usr/sbin/nginx {
  /var/www/** r,
  deny /etc/shadow r,
  network inet stream,
}

# Load updated profile
apparmor_parser -r /etc/apparmor.d/usr.sbin.nginx
Summary
Network models (OSI / TCP/IP), firewalls, IDS/IPS, VPNs, segmentation, DMZs, and secure protocols. Key protocols include TLS, SSH, and IPsec. Understand the difference between transport mode and tunnel mode IPsec, and between IKEv1 and IKEv2.
IPsec tunnel mode encrypts the entire IP packet (gateway-to-gateway). Transport mode encrypts only the payload (host-to-host).
Linux Example — SSH hardening & IPsec
### SSH HARDENING (/etc/ssh/sshd_config) ###
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
# Protocol is a legacy keyword: OpenSSH 7.6+ speaks SSH-2 only and ignores it
Protocol 2
KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512,hmac-sha2-256
MaxAuthTries 3
LoginGraceTime 20
AllowUsers alice bob

# Generate Ed25519 key pair (stronger than RSA-2048)
ssh-keygen -t ed25519 -C "alice@company.com"

# Validate the config before restarting, so a typo cannot lock you out
sshd -t && systemctl restart sshd

### IPTABLES — default-deny + stateful ###
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

### IPSEC (strongSwan IKEv2) /etc/ipsec.conf ###
conn site-to-site
    keyexchange=ikev2
    left=10.0.1.1
    leftsubnet=192.168.1.0/24
    right=10.0.2.1
    rightsubnet=192.168.2.0/24
    ike=aes256-sha2_256-modp2048!
    esp=aes256-sha2_256!
    authby=pubkey
    auto=start

ipsec up site-to-site
connection 'site-to-site' established ✓
Summary
Managing who can access what, and how they prove who they are. Covers identification, authentication (something you know/have/are), authorisation (MAC, DAC, RBAC, ABAC), and accountability. MFA, SSO, federation (SAML, OAuth 2.0, OIDC), and privilege management (PAM, sudo) are key topics.
Linux Example — PAM, sudo & MFA
# Enforce strong passwords via PAM
# /etc/pam.d/common-password
password requisite pam_pwquality.so \
    minlen=14 dcredit=-1 ucredit=-1 \
    ocredit=-1 lcredit=-1 difok=4

# Lock account after 5 failed attempts
# /etc/pam.d/common-auth
# (pam_tally2 was removed in Linux-PAM 1.5; use pam_faillock there)
auth required pam_tally2.so onerr=fail \
    audit silent deny=5 unlock_time=1800

# TOTP / MFA via Google Authenticator PAM
apt install libpam-google-authenticator
google-authenticator   # run once per user to enrol a TOTP secret
# /etc/pam.d/sshd — add:
auth required pam_google_authenticator.so
# /etc/ssh/sshd_config (OpenSSH 8.7+ calls this KbdInteractiveAuthentication):
ChallengeResponseAuthentication yes
# require the key AND the TOTP prompt, otherwise a publickey-only
# AuthenticationMethods setting skips the PAM challenge entirely
AuthenticationMethods publickey,keyboard-interactive

# Least-privilege sudo (edit /etc/sudoers via visudo)
%webadmin ALL=(ALL) NOPASSWD: \
    /usr/sbin/nginx, /bin/systemctl restart nginx

# Check effective capabilities of a process (Linux)
capsh --print

# Drop specific dangerous capabilities before exec (container-style)
capsh --drop=cap_net_raw,cap_sys_admin -- -c "myapp"
Summary
Designing and running tests to find vulnerabilities before attackers do. Covers vulnerability assessments vs. penetration testing, black/white/gray box testing, code review, SAST/DAST, log review, and compliance auditing. Test results feed back into the risk management process.
Linux Example — nmap & Vulnerability Scan
# Full port scan + service/version detection
nmap -sV -sC -p- -oA scan_output 10.0.0.0/24

# Script scan for known vulns (NSE)
nmap --script vuln 10.0.0.1
| ssl-heartbleed: VULNERABLE
| http-shellshock: VULNERABLE (CVE-2014-6278)

# CIS benchmark audit with Lynis
apt install lynis
lynis audit system
Hardening index : 67 [#############       ]
Tests performed : 218
Warnings        : 4
Suggestions     : 38

# Check for SUID binaries (privilege escalation risk)
find / -perm -4000 -type f 2>/dev/null
/usr/bin/sudo
/usr/bin/passwd
/tmp/custom_suid    ← investigate!

# OpenSSL — verify TLS cipher strength (</dev/null closes the session
# instead of waiting on stdin)
openssl s_client -connect example.com:443 -tls1_3 </dev/null
Protocol : TLSv1.3
Cipher   : TLS_AES_256_GCM_SHA384 ✓
Summary
Day-to-day running of security: incident response (PICERL — Prepare, Identify, Contain, Eradicate, Recover, Lessons Learned), change management, patch management, SIEM, log management, BCP/DR (RTO, RPO), and physical security. Chain of custody and forensics evidence handling belong here.
Linux Example — Logging & Incident Response
# Centralised logging — rsyslog to remote SIEM
# /etc/rsyslog.conf (stream-driver settings must precede the action they apply to)
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1        # 1 = require TLS
*.* @@siem.company.internal:514      # @@ = TCP

# Real-time auth failure monitoring (unit is "sshd" on RHEL-family systems)
journalctl -fu ssh | grep --line-buffered "Failed"
Jun 14 03:21:17 sshd[1234]: Failed password for root from 1.2.3.4 port 51234

# Forensic disk image (evidence preservation)
dcfldd if=/dev/sdb of=/evidence/disk.img \
    hash=sha256 hashlog=/evidence/hash.log \
    bs=4096 conv=noerror,sync

# Volatile data capture (incident triage), most volatile first
date -u      # timestamp
who          # logged-in users
ps auxf      # running processes
ss -antp     # open connections
lsof -nP     # open files
last -20     # recent logins
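The failed-login line shown above is the raw material a SIEM correlation rule works on. As an added illustration (not from the page), this small detector groups sshd "Failed password" events per source IP in a sliding window and raises one alert when a source crosses a threshold, the same idea as the deny=5 PAM lockout but observed centrally. The hostname, IPs and log lines are constructed samples.

```python
# Added illustration (not from the page): turn sshd "Failed password" lines
# into alerts when one source IP crosses a threshold inside a time window.
# The log lines below are constructed samples.
import re
from collections import defaultdict, deque
from datetime import datetime

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?:\S+ )?sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

SAMPLE_LOG = """\
Jun 14 03:21:17 web1 sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jun 14 03:21:19 web1 sshd[1234]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jun 14 03:21:20 web1 sshd[1240]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
Jun 14 03:21:22 web1 sshd[1241]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jun 14 03:21:25 web1 sshd[1242]: Failed password for root from 203.0.113.7 port 51244 ssh2
Jun 14 03:21:30 web1 sshd[1243]: Failed password for root from 203.0.113.7 port 51250 ssh2
Jun 14 03:40:00 web1 sshd[1300]: Failed password for bob from 198.51.100.9 port 50000 ssh2
"""

def parse_ts(stamp: str, year: int = 2024) -> datetime:
    """Syslog timestamps carry no year; assume one so the window math works."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def detect_bruteforce(log: str, threshold: int = 5, window_s: int = 600) -> list:
    """One alert per source IP the first time it reaches `threshold` failed
    logins within `window_s` seconds (sliding window per IP)."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, username)
    alerted, alerts = set(), []
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue   # accepted logins and unrelated lines are ignored
        ts, ip = parse_ts(m["ts"]), m["ip"]
        q = recent[ip]
        q.append((ts, m["user"]))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()   # drop events that fell out of the window
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({"ip": ip, "count": len(q), "users": sorted({u for _, u in q}),
                           "first": q[0][0].isoformat(), "last": ts.isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```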
Summary
Security integrated into the SDLC (Waterfall, Agile, DevSecOps). Covers secure coding practices, OWASP Top 10, threat modelling (STRIDE, DREAD), code review, fuzzing, and secure deployment. Software supply chain security (SBOMs, dependency scanning) is increasingly important.
Linux Example — Secure Dev Toolchain
# SAST — Bandit (Python static analysis)
pip install bandit
bandit -r ./myapp -ll -f json -o bandit_report.json
Issue: [B608] Possible SQL injection via string-based query
   Severity: HIGH   Confidence: MEDIUM
   Location: app/db.py:42

# Dependency scanning — Trivy (containers + OS)
trivy image myapp:latest
CVE-2023-1234  CRITICAL  openssl  1.1.1q  fix: 1.1.1t
CVE-2022-5678  HIGH      libssl   3.0.2   fix: 3.0.7

# Generate SBOM (Software Bill of Materials)
syft myapp:latest -o spdx-json > sbom.spdx.json

# Fuzz test with AFL++ (memory corruption)
afl-fuzz -i testcases/ -o findings/ -- ./target @@

# Verify binary integrity before deployment
sha256sum -c myapp.sha256
myapp: OK
gpg --verify myapp.sig myapp
gpg: Good signature from "Release Team <release@co.com>"