Vault restructure

Corpus/Standards/CISSP/CISSP Official Study Guide.md

@@ -0,0 +1,35 @@
+Eighth Edition
+
+## Chapters
+[CISSP_OSG8_D1_C1_1.10](CISSP_OSG8_D1_C1_1.10.md)
+[CISSP_OSG_Chapter_2](CISSP_OSG_Chapter_2.md)
+[CISSP_OSG_Chapter_3](CISSP_OSG_Chapter_3.md)
+[CISSP_OSG_Chapter_4](CISSP_OSG_Chapter_4.md)
+[CISSP_OSG_Chapter_5](CISSP_OSG_Chapter_5.md)
+[CISSP_OSG_Chapter_6](CISSP_OSG_Chapter_6.md)
+[[CISSP_OSG_Chapter_7]]
+[CISSP_OSG_Chapter_8](CISSP_OSG_Chapter_8.md)
+[[CISSP_OSG_Chapter_9]]
+[[CISSP_OSG_Chapter_10]]
+[CISSP_OSG_Chapter_11](CISSP_OSG_Chapter_11.md)
+[[CISSP_OSG_Chapter_12]]
+[[CISSP_OSG_Chapter_13]]
+[CISSP_OSG_Chapter_14](CISSP_OSG_Chapter_14.md)
+[CISSP_OSG_Chapter_15](CISSP_OSG_Chapter_15.md)
+[[CISSP_OSG_Chapter_16]]
+[[CISSP_OSG_Chapter_17]]
+[CISSP_OSG_Chapter_18](CISSP_OSG_Chapter_18.md)
+[CISSP_OSG_Chapter_19](CISSP_OSG_Chapter_19.md)
+[[CISSP_OSG_Chapter_20]]
+[[CISSP_OSG_Chapter_21]]
+
+## Domains
+Eight domains of information security:
+1. Security and risk management
+2. , asset security, 
+3. security engineering, 
+4. [communication and network security](CISSP_Domain_4.md) 
+5. identity and access management ([CISSP_Domain_5_1](CISSP_Domain_5_1.md), [CISSP_Domain_5_2](CISSP_Domain_5_2.md))
+6. security assessment and testing, [CISSP_Domain_6](CISSP_Domain_6.md)
+7. security operations [CISSP_Domain_7_1](CISSP_Domain_7_1.md)
+8. software development security [CISSP_Domain_8](CISSP_Domain_8.md)

Corpus/Standards/CISSP/CISSP_Domain_4.md

@@ -0,0 +1,337 @@
+Constructed from [CISSP_OSG_Chapter_11](CISSP_OSG_Chapter_11.md) and [[CISSP_OSG_Chapter_12]]
+
+# Domain 4 - Communication and network security
+
+## OSI and TCP/IP models
+OSI = Open Systems Interconnection
+TCP/IP = Transmission Control Protocol/Internet Protocol
+
+In de jaren 90 stelde het Internet nog niet veel voor, iedere fabrikant had zijn eigen netwerkprotocollen:
+* IBM had SNA Systems Network Architecture
+* Digital had DNA, Digital Network Architecture 
+* Novell had NetWare Open Systems
+* Apple had AppleTalk
+
+De TCP/IP protocol-stack is de standaard geworden. Het TCP/IP *model* is in de praktijk in onbruik geraakt.
+
+OSI had ook een eigen protocol-stack, maar die is in de vergetelheid geraakt. Het OSI referentiemodel is overeind gebleven.
+
+De verschillende functionaliteiten, componenten en protocollen moet je kunnen plaatsen op de verschillende lagen van het OSI model èn het TCP/IP model.
+
+## OSI specs
+LDAP = Lightweight Directory Access Protocol
+Protocol om een directory service te benaderen. Bijv om een accountnaam en wachtwoord te benaderen. Active Directory is een bekend voorbeeld van een directory.
+LDAP is een aangepaste versie van DAP, het originele OSI protocol om directory services te benaderen.
+LDAP is ontwikkeld aan de universiteit van Berkeley en kon overweg met TCP/IP.
+
+OSI specificaties:
+* X.500 beschrijft de structuur en werking van directory services.
+* X.509 (digitale certificaten en PKI) is ook een oorspronkelijke OSI specificatie.
+* X.400 was de email specificatie
+
+Een directory is een hiërarchische structuur van container objecten (‘OU’s’, organizational units)
+
+## Transmission
+Between computer systems, data is transmitted as packets. Packets have a Header (and sometimes a Footer). The information itself is often referred to as the Payload.
+
+The process of adding headers (and footers) to the payload is called encapsulation.
+
+For instance, when sending a mail, the data packet is prepended with SMTP, TCP and IP headers. When browsing, we have HTTP, TCP and IP headers. When streaming content, the data packet is prepended with RTP, UDP and IP headers.
+
+The different headers each belong to a different layer of the OSI structure.
+Each type of header contains different fields. The most important fields of the IP header are the SourceIP, DestinationIP and TimeToLive (TTL) fields.
+
+### IP
+
+The nodes in the Internet are called Routers. Routers are components that connect networks. This is the principal functionality of OSI layer 3, the ‘network layer’. Routers interpret the information in the IP headers to determine where the packet needs to be sent on to.
+
+An IP address consists of a Network ID and a Host ID: nnn.hh.hhh.hh. 
+
+Each router ‘knows’ to which network it belongs and shares this network ID with it’s neighbors.
+This information is stored in the Routing Table of each device.
+
+The TimeToLive (TTL) field defaults to count 64. Every router that handles the packet, decreases the value by one. When the counter reaches zero the packet is dropped. This mechanism guarantees that a packet does not wander the Internet forever.
+
+### TCP
+The Transmission Control Protocol, or TCP, lives in Layer 4, the **Transport Layer**.
+One of TCP’s main functions is telling the receiving host by which process, application or service the packet should be handled. It does this through specifying the Port Address, in the dest.port field. There is also a source.port field.
+
+Een andere functie is het garanderen van een betrouwbare overdracht tussen computers.
+Relevant hiervoor is het Sequence Number. Packets volgen verschillende routes over het Internet en komen dus niet keurig in volgorde aan bij de ontvanger. 
+Belangrijkste veld voor het garanderen van een betrouwbare overdracht is de Acknowledgement flag (1 of 0). The destination computer will send back a packet with the missing sequence number and an ack 0.
+A series of packets is called a segment. The TCP handshake (also known as the 3-way handshake). 
+When starting a web-browsing session, the client initiates the interaction with a TCP packet in which the synchronise flag ‘syn’ is set to 1. The server then sends back a syn.ack packet. The client responds which the ack flack.
+1. Client: syn
+2. Server: syn.ack
+3. Client: ack
+
+To end a session, the client sends a fin packet and the server respons with ack. (2 way handshake).
+1. Client: fin
+2. Server: ack
+
+The sequence number of the last packets (fin/ack) determines how many packets the segment consisted of.
+
+Nadeel van dit protocol is veel overhead (en dus vertraging).
+
+Vandaar dat voor streaming een ander protocol gebuikt wordt (UDP; niet RTP want dat zit op een andere layer). 
+
+TCP is a Connection oriented protocol
+UDP is connection-less: it is unaware of the (quality of) the connection.
+
+## OSI layers
+All People seem To Need Data Processing:
+* Application
+* Presentation
+* Session
+* Transport
+* Network
+* Datalink
+* Physical
+
+Each layer has a different function, which is provided by protocols and/or physical components.
+
+ARP = Address Resolution Protocol
+
+SONET = Synchronous Optical Network (glasvezelverbindingen)
+
+Topology = physical structure of a network.
+
+## Datalink and Network layers: routing packets over a LAN
+Stel je voor, informatie wordt van het Internet ontvangen en moet verwerkt worden in een lokaal netwerk.
+
+De router waarmee het lokale netwerk aan het internet is verbonden noemen we de Default Gateway.
+
+De ontvangen packet heeft SFTP | TCP | IP headers.
+De IP header specificeert de bedoelde ontvanger, bijv. 124.1.1.1.
+
+IP adressen worden dynamisch toegekend met DHCP.
+DHCP (Dynamic Host Configuration Protocol) kent aan iedere host binnen het lokale netwerk een uniek IP address toe. Daarnaast vertelt het aan iedere host het address van de Default Gateway en de Primary DNS Server.
+
+De grens tussen het netwerk deel en het host-deel  van het IP address ligt niet altijd op dezelfde plek (qua aantal posities). Dat wordt bepaald door het ‘subnet mask’.
+
+ARP is het protocol dat in lokale netwerken het hardware address te achterhalen dat bij een bepaald IP address hoort.
+(Hardware adressen worden uitgedeeld door IEEE. De eerste helft van een adres is uniek per leverancier).
+
+Het hardware adres is gecodeerd in de NIC of Network Interface Controller: de hardware component waarmee een apparaat aan het lokale netwerk is gekoppeld.
+
+Terug naar het ontvangen data packet met dest.IP 124.1.1.1.
+De router – in dit voorbeeld – stuurt een ‘ARP broadcast’ het netwerk in: “who has IP address 124.1.1.1 ?”. Het betreffende apparaat stuurt een ‘ARP response’ met zijn eigen hardware address.
+De router voegt dan dit adres in een MAC-header toe aan de packet.
+De Packet samen met de MAC header wordt Frame genoemd.
+
+(Datagram is een synoniem voor Packet).
+
+Apparaten in een lokaal netwerk beschikken over een ARP-cache: een mapping tussen MAC en IP adressen.
+
+Bij een Wifi router wordt dan ook nog een specifieke frequentie gekozen, omdat ieder verbonden apparaat via zijn eigen frequentie met de router communiceert.
+
+ARP opereert op de Datalink layer en de Network layer en verbindt deze in zekere zin met elkaar.
+
+Access Point en Basic Switch zijn belangrijke apparaten op de Datalink laag.
+
+### Switch
+Een switch is een apparaat om in een lokaal, bekabeld netwerk computers aan elkaar te verbinden. (In het internet noemen we dat een router).
+Bevat een mapping van fysieke kabelpoorten naar MAC adressen, de zgn. CAM table (Content Addressable Memory).
+
+Routers blokkeren broadcast verkeer: broadcast wordt alleen toegestaan in lokale netwerken, switches faciliteren dat juist.
+
+Routers hangen aan het Internet, switches in een LAN.
+
+## Session layer (layer 5)
+RPC = Remote Procedure Call, wordt gebruikt om functionaliteit elders in het netwerk aan te roepen.
+SOCKS doet iets vergelijkbaars.
+
+## Presentation layer (layer 6)
+Evt. compressie en encryptie spelen zich hier af.
+
+## Application layer (layer 7)
+Bevat niet de applications zélf, maar de protocollen die door die applicaties worden gebruikt.
+
+## Note for sheet 13
+Contrary to what sheet 13 suggests, no headers are added at the presentation layer and session layer of the OSI model.
+
+## Verplichte weetjes sheet 17
+ATM = Asynchronous Transfer Mode 
+Een Frame wordt in de ATM wereld een ‘cell’ genoemd. Een cell is 53 bytes lang. ATM werkt met een snelheid van 115 mBit / sec.
+
+De evolutie van dataverkeer over telefoonlijnen:
+X.25 -> Frame Relay -> ATM
+
+IEEE 802.3
+IEEE 802.15
+
+## Sheet 19
+ICMP = Internet Control Message Protocol, wordt o.a. gebruikt door Ping. Is nou typisch iets wat je door je firewall laat tegenhouden.
+ 
+## Sheet 21
+TCP flags:
+* U = Urgent
+* A = Acknowledge
+* P = Push (mag niet gebufferd worden)
+* R = Reset
+* S = Synchronize
+* F = Finish
+
+## Sheet 23, Session layer
+De session layer houdt zich bezig met het initiëren, onderhouden en beëindigen van sessies.
+
+PPTP = Point to Point Tunnelling Protocol.
+SCP = Session Control Protocol
+SOCKS = Socket Secure, via een proxy server
+
+SOCKS5 voorziet als extra in authenticatie, je moet je daarvoor als gebruiker aanmelden bij de server.
+
+## Sheet 25
+EBCDIC is IBM-variant van ASCII
+
+## Sheet 27
+Telnet en FTP zijn notoir onveilig.
+TFTP = Trivial FTP
+
+SFTP = FTP + SSH
+FTPS = FTP + TLS
+HTTPS = HTTP + TLS
+
+ESMTP (Extended SMTP) voorziet in encryptie 
+
+SNMP = Simple Network Mgt Protocol; versie 3 voorziet in encryptie.
+
+## Sheet 36
+Een IPv4 adres is 32 bits lang (8.8.8.8).
+
+Class A format: nnn.h.h.h
+Class B format: nnn.nn.h.h
+Class C format: nnn.nn.nn.h
+
+Class A liet maar 127 organisaties (networks) toe, maar miljoenen hosts binnen ieder netwerk.
+Class C liet miljoenen organisaties toe, maar slechts 255 hosts binnen elk netwerk.
+
+Twee methodes werden bedacht om de schaarste aan adressen te ondervangen.
+* CIDR = Classless InterDomain routing
+* RFC 1918: voorziet in privé IP adressen.
+
+Vóór RFC 1918 was ieder IP address publiek (en dus uniek).
+
+Deze reeksen zijn gereserveerd voor privé:
+* 10.1.1.1
+* 172.16.h.h
+* 192.168.h.h
+
+Moderne routers voorzien in NAT (Network Address Translation), waarmee privé adressen omgezet worden naar een uniek publiek IP adres (en andersom).
+Daarnaast is er dan ook PAT (Port Address Translation) nodig.
+
+IPv6 adressen zijn 128 bits lang.
+
+Waarom zijn we nog niet allemaal over naar IPv6?
+* IPv4 en IPv6 zijn niet compatibel, de protocol stacks verschillen. Vooral IoT devices missen IPv6 ondersteuning.
+* Gemakzucht. Sinds de privé adressen gaat het prima.
+
+## Sheet 42
+* Improved security: je kunt IPv6 ook implementeren zonder IPSec, maar dat is niet de standaard.
+* QoS: met Traffic Class kun je op het netwerk voorrang geven aan bepaalde applicaties.
+ 
+## Sheet 46
+Virtual LAN
+
+Stel ik heb 2 switches waaraan ieder meerdere hosts verbonden zijn (bijv. In 2 verschillende filialen). Een bepaalde host A aan de ene switch moet veelvuldig communiceren met host B op de andere switch. Dan kan ik een virtueel netwerk configureren waar A en B inzitten; daar kan ik dan bijv. bepaalde beveiligingen op loslaten.
+
+De standaard daarvoor is 802.1q.
+
+Promiscuous Private virtual lan (PVlan), alle hosts daarin kan vrijelijk mee gecommuniceerd worden. De router zit meestal in het PVlan.
+
+Hosts in een Isolated Virtual LAN mogen alleen communiceren met devices in het PVlan (dus via de router naar internet), maar niet met andere devices in het VLAN.
+
+Hosts in een Community VLAN mogen juist wel met elkaar communiceren, en met het PVlan, maar niet met computers in een ànder Community VLAN.
+
+## Demilitarised zone
+De publieke website wordt gehost op een computer die zich tussen twee firewalls in bevindt. De eerste firewall hangt aan het publieke internet en laat beperkt verkeer door dat van buitenaf geïnitieerd wordt. De tweede firewall laat vooral verkeer door dat van binnenuit geïnitieerd wordt.
+
+Het netwerksegment tussen die twee routers in wordt de demilitarized zone genoemd, ook wel het ‘screened subnet’.
+
+## Sheet 54
+Een HTTP proxy server kan ook ingezet worden om het surf gedrag van medewerkers te monitoren.
+
+Tunneling is het ‘verstoppen’ van code in de data package om die langs de firewall te krijgen.
+
+## Sheet 82
+MPLS was traditioneel veel sneller, door het over internet routeren van packages aan de hand van het label, via bepaalde routers met voorgedefinieerde bestemmingen. Verschil is tegenwoordig marginaal.
+
+## Sheet 97
+Besteed aandacht aan de Hub, die is pop[ulair tijdens het examen
+Zit op de fysieke laag
+
+## Sheet 98
+Switch kan hardware adressen herkennen en het verkeer naar een specifiek apparaat sturen.
+Zit dus per definitie op de data link laag.
+
+Repeater werd vooral gebruikt in Bus-netwerken.
+
+## Sheet 100
+Router interpret netwerk deel van het IP adres en fungeert als een koppeling tussen netwerken. Daarmee zit een router dus op de netwerk laag.
+Border Gateway Protocol (BGP) is een voorbeeld van een protocol daarvoor. 
+
+### Multi-layer switch
+Verschil tussen layer-3 en layer-4 switches moet je kennen.
+Laag 3 is om ..., een layer-3 switch koppelt dus ...
+
+Laag 4 is de transportlaag, dus we hebben te maken met poort-adressen. Dat zijn dus process identifiers. Je kunt daarmee QoS bepalen voor verschillende applicaties/toepassingen, dus voorrang verlenen aan bepaalde soorten verkeer.
+Ondersteunt ook VLAN functionaliteit (IEEE 802.1q).
+
+## Sheet 105
+Coax kabels kom je eigenlijk alleen nog tegen in SCADA omgevingen (industrial controll)
+
+## Sheet 110
+Encryptie wordt toegepast mbv het wachtwoord. Zonder wachtwoord geen versleuteling mogelijk. En dus kan verkeer op een openbaar WiFi netwerk niet versleuteld worden.
+
+## Sheet 112
+WPA2 voorziet in een Enterprise Mode, waarmee iedere gebruiker een ander wachtwoord kan hebben.
+Daartoe moet het access point verbonden worden met een authenticatie server. Bijv. Radius server of Windows server met AD. IEEE 802.1x protocol ondersteund dit (is dus vereist).
+
+WPA3 – wordt nu uitgerold – ondersteunt de Opportunistic Wireless Encryption (OWE) specificatie. Maakt versleuteling mogelijk zonder dat een wachtwoord vereist is.
+
+## Sheet 115
+Om het verkeer met de webserver ‘schoon’ te houden, wordt een Packet Filtering Firewall gebruikt (is dus de buitenste firewall)
+Packet Filtering Firewall (ook wel stateless firewall) leest protocol headers IP en TCP
+Hij let op de destination IP, die overeen moet komen met dat van de webserver.
+Hij let ook op het poortnummer, of dat wel is toegestaan (meestal poort 80 of 443 (resp. http en TLS))
+
+
+A Statefull Inspection Firewall keeps track of sessions, en kan dus ook bijhouden of packets tot dezelfde sessie behoren. Daarmee kunnen bepaalde soorten aanvallen worden voorkomen.
+
+Application Level Firewalls bestaand er in 2 typen:
+ * Circuit Level Proxy is eigenlijk helemaal geen firewall; deze verbindt processen tussen servers
+ * De ‘echte’ Application Level Firewall (of Application Level Proxy) kan ook nog zien of de service die gebruikt wordt is toegestaan: hij kan ook checken of de payload overeenstemt met het protocol (‘deep packet inspection’)
+
+De ALF heeft een lagere performance vanwege de DPI.
+
+Next Generation Firewall heeft ook nog intrusion detection / prevention functionaliteit.
+
+# Volgende presentatie: 04B
+## TLS 1.2
+1. Client benadert server (URL in browser)
+2. TLS handshake tussen client en server, bevat:
+* Informatie over welk encryptie algoritme gebruikt gaat worden
+* Digitaal certificaat wordt verstuurd aan client
+	* public key van de server
+	* Owner
+	* Certificate authority
+	* Digital signature
+	* Hash, SHA-2 encrypted with CA’s Private key
+3. Validation: client ontsleutelt de hash met de Public Key van de CA (zit in de browser)
+4. Browser genereert Session Key. Is een symmetrische sleutel. De SK wordt in de browser vervolgens versleuteld met de public key van de server (waarvan de uitgifte in stap 3 gevalideerd is).
+5. ?
+6. De symmetrische sleutel wordt door de server gedecrypt 
+7. De HTTPS verbinding is tot stand gebracht
+
+Zie YouTube voor verhelderende animaties.
+
+Gebruikte algoritmes:
+* RSA - assymtrische versleuteling
+* AES - symmetrische versleuteling
+* SHA-2 - Hashing
+
+Als ipv RSA Diffie-Helman wordt gebruikt, wordt er in stap 4 een pre-master key gegenereerd. 
+
+Een zwakte van TLS 1.2 is dat de client de server akkoord kan laten gaan een verouderd encryptie algoritme te gebruiken.
+
+Bij TLS 1.3 blijft de sessie sleutel nog een tijdje geldig (max een etmaal). Dat is makkelijk maar ook een kwetsbaarheid.

Corpus/Standards/CISSP/CISSP_Domain_5_1.md

@@ -0,0 +1,74 @@
+# Domein 5-I: Identity and Access Management (IAM) 
+
+
+Identificatie is het verifiëren van identiteiten t.b.v.:
+* Registratie (van de persoon zelf)
+* Genereren dan wel uitgeven van authenticatiemiddelen (bijv. een login-account en toegangspas)
+
+Identificatie moet gebeuren met een bepaald zekerheidsniveau.
+(Check bijv. eIDAS)
+
+Identificatie moet afgerond zijn om authenticatie mogelijk te maken.
+
+Authenticatie is het verifiëren van identiteit tbv het verkrijgen van toegang (tot ruimtes of informatie).
+Daarvoor heb je een authenticatie middel nodig.
+
+SFA (single factor authentication) pas je toe bij ‘laag risico’ informatie. Er is dan 1 bewijsfactor, bijv. een wachtwoord of een vingerafdruk.
+
+Voor vertrouwelijke informatie kies je voor MFA (multi-factor authentication).
+Bij MFA moet je om toegang te krijgen tenminste 2 bewijsfactoren aanleveren *uit twee verschillende categorieën*.
+
+Categorieën van bewijsfactoren:
+1. Kennis (bijv. Pin-code, wachtwoord, antwoord op een geheime vraag)
+2. Bezit (token, pasje, smartphone)
+3. Biometrische of gedragskenmerken (vingerafdruk, iris-scan, face-scan, retina-scan is het meest betrouwbaar en daarmee populair in de militaire wereld, ritme en intensiteit van typen (type dynamics, swipe dynamics), manier van lopen (gait))
+4. Steeds vaker wordt ook de context van de gebruiker betrokken (bijv. IP adress, location, device type, tijdstip).
+
+Nadelen van authenticatie met biometrische kenmerken:
+- Niet vervangbaar indien gecompromitteerd, daarom sterke voorkeur voor lokaal opslaan
+* lokaal opslaan kan niet voor bijvoorbeeld toegang tot gebouwen. 
+* Aan verandering onderhevig (ouderdom, kwetsuren, etc.), risico op false reject.
+
+Biometrische authenticatie zoekt de balans tussen false reject rates (door te strenge afstelling) en false accept rates (door te ruime afstelling).
+
+2FA, MFA en strong authentication zijn synoniemen.
+
+Belangrijkste eis aan een wachtwoord is voldoende lengte (zeg 14). Periodiek wijzigen, vreemde karakters: het is allemaal achterhaald.
+
+NIST SP 800-63c/d en Gartner (zet de docent nog op Ilias) vinden dat ook. CISSP zit nog op het oude spoor!
+
+FIDO alliance (is Fast IDentity Online) ontwikkelt standaarden. Één daarvan is het gebruik van een geregistreerd digitaal certificaat, gebonden aan jouw identiteit.
+Je registreert dan je public key bij de server waar je toegang toe wilt. De server stuurt je een challenge die je versleutelt met je eigen private key. De server ontsleutelt dan dat bericht met jouw public key en de authenticatie is geslaagd.
+
+## Single Sign-On (SSO)
+Toegang tot alle achterliggende applicaties door eenmalig het authenticatie process te doorlopen.
+
+Vormen van SSO:
+* Kerberos (MS Windows netwerken). Een Windows server fungeert als Key Distribution Center (KDC) ofwel Authentication Server. Je logt in op de KDC en die stuurt jouw een Ticket Granting Ticket die in het werkgeheugen van de client wordt opgeslagen (zwakheid 1). Als je vervolgens de Exchange server wilt benaderen stuur je je TGT naar de KDC, die je vervolgens een Service Ticket toestuurt. Met deze ST krijg je toegang tot de Exchange server. Die KDC is een single point of failure. Omdat er een trust-relatie nodig is tussen de KDC en de services-servers (die immers de ST’s moeten kunnen verifiëren) werkt Kerberos niet met cloud services. 
+* WebSSO. Inloggen op een Reverse Proxy die de authenticatie afhandelt met de Authentication Server (waar jouw identiteit bekend moet zijn). Via de Reverse Proxy krijg je dan toegang tot de verschillende (web-) domeinen.
+* Enterprise SSO. Moet ook de toegang tot allerhande legacy systemen verzorgen. Gebruiker logt in bij SSO systeem (bevat jouw login information in secret store). SSO systeem logt jouw vervolgens in op alle achterliggende systemen. Er is meestal geen goede business case meer voor. Je vindt het vooral nog in de zorg, waar als eis geldt dat de medicus zonder moeite bij verschillende legacy systemen moet kunnen.
+* Cross-domain SSO / federated identity: toegang tot systemen/services over organisaties heen (bijv. Externe cloud services). Een bekend voorbeeld is DigiD. Je benadert de server van de Belastingdienst. Die stuurt je door naar de Identity Provider (IDP), DigiD.nl, waar in een eerder stadium het identificatieproces heeft plaatsgevonden, en waar je dus geregistreerd staat. Deze zal voortaan de authenticatie afhandelen. Na een geslaagde authenticatie stuurt de IDP jou de SAML assertion of -token (Security Assertion Markup Language). Die assertion stuur je dan naar een Service Provider of ‘relying party’ (in deze de Belastingdienst, of het UWV) die de assertion weer verifieert bij de IDP. Daarna krijg je toegang. SAML is afkomstig van OASIS (check afko)
+* Ander voorbeeld van federated identity: Gebruiker logt in op Windows server (de IDP). Die verstrekt SAML-assertion, daarmee kan ik dan resources benaderen op de Azure Cloud, waar dan Office365 beschikbaar is. Deze MS implementatie van SAML noemt Microsoft de Active Directory Federation Service.
+
+De SAML assertion is een representatie van de login gegevens, maar bevat zelf waardeloze gegevens. Het is een verwijzing naar, niet de login informatie zelf. Het is het bewijs dat de authenticatie bij de IDP geslaagd is.
+Deze methode is kwetsbaar voor een Replay-attack (binnen dezelfde sessie, na onderschepping SAML assertion); is te voorkómen met TLS.
+
+In de Microsoft wereld zie je dat login gegevens gesynchroniseerd worden tussen de Windows server en de Azure AD, met de tool AD-connect.
+
+OpenID Connect is de moderne standaard voor Cross-domain SSO
+Bestaat uit 2 subspecificaties: OpenID voor authenticatie, OAuth voor autorisatie.
+Werking: ik bezoek de website van de SP/rp. Daarin zie ik: log in met je Facebook account. Facebook fungeert dan als IDP. Bij de IDP mag ik dan aangeven, welke gegevens gedeeld mogen worden met de SP. Vervolgens wordt een JSON webtoken (JWT) gegenereerd die deze gegevens representeert (maar in zichzelf betekenisloos is). Vergelijkbaar met SAML maar gemakkelijker te implementeren.
+Issue is dat de originele identificatie (bij Facebook in dit voorbeeld) niet heel betrouwbaar is.
+Microsoft ondersteunt dit overigens ook, en binnen de bedrijfsomgeving (van de werkgever) is de identificatie natuurlijk veel  beter geregeld.
+
+OpenID Connect maakt gebruik van RESTful API’s
+REST = Representational State Transfer
+Gebruikt eenvoudige commando’s gebaseerd op HTTP verbs (GET, PUT)
+
+## Sheet 70:
+“Secrets are based on symmetric or asymmetric keys”
+Voorbeeld asymmetrisch:
+Een smartcard bevat een chip met daarop een digitaal certificaat. Dat certificaat bevat jouw public key. Op de chip staat ook je private key.
+Server stuurt je een challenge, die wordt door de smartcard versleuteld met jouw private key. De versleutelde challenge wordt samen met het digitaal certificaat verstuurd naar de server. De Public key uit het certificaat wordt dan door de server gebruikt om de challenge weer te ontsleutelen.
+Voorbeeld symmetrisch:
+De challenge wordt nu client-side versleuteld met een key, die dus eerder al bekend moet zijn bij de server om ontsleutelt te kunnen worden (off-band via een ander veilig kanaal). Wordt toegepast bij authenticatie tussen systemen in de financiële wereld.

Corpus/Standards/CISSP/CISSP_Domain_5_2.md

@@ -0,0 +1,42 @@
+# Domein 5-II: Identity and Access Management (IAM) 
+
+#security/cissp
+#security/iam 
+
+Volgorde is:
+1. Identificatie
+2. Authenticatie
+3. Autorisatie
+
+Identificatie is doorgaans eenmalig. Authenticatie gebeurt veelvuldig, bijvoorbeeld per sessie.
+
+In opkomst is ‘continuous authentication’, bijv. Door monitoring van je toetsaanslag-ritme of face scanning.
+
+IAMS on premise omgeving:
+* Identificatie doorgaans op HR afdeling bij indiensttreding, registratie in het HR systeem (fungeert dan als source).
+* IAM systeem detecteert relevante ‘events’ in het source systeem en verzorgt via ‘connectors’ de account-creatie op de verschillende achterliggende systemen, Inc. de benodigde rechten. Dit proces heet provisioning.
+* Oplossingen worden ook geleverd als Identity-as-a-Service (IDaas).
+* Idealiter ondersteunt een dergelijke oplossing alle relevante employee journey events, bijv. uitdiensttreding.
+
+De synchronisatie tussen source systeem en IDaas provider kan verlopen volgens het SCIM-protocol (System for Cross-Domain Identity Management) via RESTful API’s.
+
+## Slide 54
+Een variant werkt obv Attribute providers. Attribute providers zijn bijv. je gemeente, je bank en de DUO. Gemeente bevestigt je leeftijd en woonplaats, de bank je kredietwaardigheid, en de DUO je opleidingsniveau. 
+
+Voor toegang tot bepaalde services deel je dan via een app de benodigde attributen.
+
+Bekende NL implementatie is IRMA (I Reveal My Attribute). Bart Jacobs van de Universiteit van Nijmegen.
+
+Zwakte is dat er voor veel attribute providers geen driver is om tijd en moeite te steken in de connectie en de levering.
+
+[XACML on WikiPedia](https://en.wikipedia.org/wiki/XACML): PIP, PEP, PAP en PDP
+
+![](960px-XACML_Architecture_%26_Flow.png)
+Uitdagingen zijn de complexiteit en de externalizations van autorisaties (die doorgaans binnen de applicaties worden geregeld). De applicaties en services moeten daarvoor wel geschikt zijn. 
+
+ABAC is fine-grained autorisatie, RBAC is course-grained.
+
+Autorisatie principes:
+1. Need to know - is toegang noodzakelijk
+2. Least privilege - wat moet je er mee kunnen doen
+3. Functiescheiding - voorkomen ongeoorloofde handelingen

Corpus/Standards/CISSP/CISSP_Domain_6.md

@@ -0,0 +1,37 @@
+# Domain 6 - Security Assessment and Testing
+
+Sheet 15
+Regressie test is testen of de bestaande functionaliteit niet is aangetast door het toevoegen van een nieuwe functie of een wijziging. Bijv. kijken of een patch geen nieuwe problemen introduceert.
+
+Fuzzing is een vorm van black box testing. Je voert in een dialoogbox bepaalde input om te kijken of je op die manier het systeem kunt manipuleren.
+
+Sheet 19
+Static testing:
+Naast source code kun je ook gecompileerde code handmatig testen (zonder het te runnen)
+
+Sheet 34
+Common Software Vulnerabilities:
+* [OWASP](https://owasp.org/www-community/vulnerabilities/) Open Web Application Security Project, oorspronkelijk voor web applicaties
+* [Common Weakness Enumeration](https://cwe.mitre.org)
+
+Sheet 35
+Cross-site scripting: code (‘applets’ ) op een website wordt vervangen door malicious code. Dit is een manier om een groot aantal clients te infecteren.
+
+Cross-site request forgery: opzoeken
+
+## Sheet 49
+Other examples of security metrics:
+* Time between release and implementation of patches
+* Time between occurrence of a security incident and its detection
+* (need to improve intrusion detection and prevention, logging and awareness)
+* Number of systems running the latest version of anti-virus software
+
+NIST SP 800-137 is standaard voor ISCM – Information Security Continuous Monitoring
+
+NIST SP 800-53 is eq. van ISO 27001 / 27002 
+
+## Sheet 58 e.v.
+De SOC reports kennen een type 1 en type 2:
+* Type 1: bestaan van de maatregelen (gedocumenteerd en geïmplementeerd
+* Type 2: effectiviteit van de maatregelen 
+

Corpus/Standards/CISSP/CISSP_Domain_7_1.md

@@ -0,0 +1,37 @@
+# Domein 7-I Security Operations
+
+Docent: Bart Baars
+
+Sheet 7:
+Operational Resilience gaat echt over de Operations van een organisatie, dus de traditionele productie-omgeving
+
+Veel organisaties hanteren tegenwoordig het uitgangspunt: informatie is vrij, tenzij ...
+Is volgens Bart goed te verenigen, als je je classificatie maar op orde hebt.
+
+Sheet 14:
+Er zijn meerdere modellen voor access control, bijv
+Attribute Based Access Control
+
+Sheet 31, laatste bullet:
+Cloud services bieden vaak ‘encrypted storage’; punt is dan wel wanneer die encryptie plaatsvindt en wie de sleutel heeft.
+
+Sheet 32
+Block Virtualization: *computer* beheert file system, alleen specifieke computer kan naar file system schrijven
+Meerdere hard disks staan onder beheer van een Virtual Block Device. Die stelt een aantal blocks beschikbaar in de vorm van een virtuele harde schijf. De computer die de virtuele schijf benadert zet zijn eigen file system er op.
+Een block kan maar op één client device tegelijkertijd gemount worden.
+
+File Virtualization: *netwerk* beheert file system, meerdere computers kunnen naar file system schrijven
+De ‘dinges’ biedt virtueel een file systeem aan dat door meerdere client computers tegelijkertijd benaderd kan worden.
+
+Sheet 40
+IDS is passief, het signaleert de intrusion attempt. Als het ook actief blokt, noemen we het een Intrusion Prevention System (IPS)
+
+Sheet 56
+RPO = Return Point Objective (hoeveel data wil je maximaal kwijtraken / hoeveel data moet de backup bevatten)
+RTO = Return Time Objective (hoever terug in de tijd)
+MTD = Maximum Tolerable Downtime
+
+Sheet 57
+Differential backup: het verschil t.o.v. Day 0 wordt opgeslagen
+Incremental backup: het verschil t.o.v. De vorige backup wordt opgeslagen
+

Corpus/Standards/CISSP/CISSP_Domain_8.md

@@ -0,0 +1,11 @@
+# Domain 8 - Security in the SDLC
+
+Docent: [Bas van den Berg](https://www.linkedin.com/in/basvdb)
+
+Security bij Software development ligt lastig, want:
+* Geen prioriteit/aandacht
+* Kosten
+* Complexiteit (regels code, stack)
+
+MacOS ca 30 miljoen regels code, 10% foutpercentage
+

Corpus/Standards/CISSP/CISSP_OSG8_D1_C1_1.10.md

@@ -0,0 +1,63 @@
+## Threat Modelling Concepts and Methodologies
+
+(p.31)
+
+## Identifying threats
+
+### STRIDE
+STRIDE (from Microsoft) is often used in assessing threats against applications or OSs.
+
+STRIDE’s six threat concepts are:
+* Spoofing
+* Tampering
+* Repudiation
+* Information disclosure
+* Denial of service
+* Elevation of Privilege
+
+### PASTA
+~PASTA is a threat modeling methodology~. The Process for Attack Simulation and Threat Analysis is risk-centric and has seven stages:
+1. DO – Definition of Objectives (for the analysis of risks)
+2. DTS – Definition of the Technical Scope
+3. ADA – Application of Decomposition and Analysis
+4. TA – Threat Analysis
+5. WVA – Weakness and Vulnerability Analysis
+6. AMS – Attack Modeling and Simulation
+7. RAM – Risk Analysis and Management
+
+Trike is also a risk based threat modeling methodology.
+
+### VAST
+Visual, Agile, and Simple Threat (VAST) modeling is based on Agile principles. The goal is to integrate threat and risk management into an Agile programming environment.
+
+### OCTAVE
+see Defensive Security Handbook [Chapter 1: Risk Management](../../📚️%20Literature%20notes/Def_Sec_Handbook_Chapter_1.md#Chapter%201%20Risk%20Management)
+## Diagramming Potential Attacks
+See pp 35-36
+
+The diagram contains:
+* Elements involved in the transaction (processes, systems, users, data objects)
+* Data flows
+* Privilege boundaries
+
+## Reduction Analysis
+Reduction analysis is also known as *decomposing* the system/environment.
+
+In decomposing you identify five key concepts:
+* Trust boundaries
+* Data flow paths
+* Input points
+* Privileged operations
+* Details about security stance and approach (active security policies and assumptions)
+
+## Prioritization and Response
+Document the threats by defining the means, targets and consequences of a threat.
+After documentation, the threats are ranked or rated. There are different techniques for that, e.g. by probability x potential damage, or DREAD.
+
+The **DREAD threat-rating system** is based on five main questions about each threat:
+* Damage potential
+* Reproducibility (how hard is it for attackers to reproduce the exploit)
+* Exploitability (how complex is it to perform the exploit)
+* Affected users (percentage)
+* Discoverability (how hard is it to discover the weakness)
+

Corpus/Standards/CISSP/CISSP_OSG8_D1_C1_1.11.md

@@ -0,0 +1,18 @@
+## Apply Risk-Based Management Concepts to the Supply Chain
+
+(p.39-40)
+For all acquisitions, establish minimum security requirements. These should be modeled from your existing security policy. The security requirements for new hardware, software, or services should always meet or exceed the security of your existing infrastructure. When working with an external service, be sure to review any service-level agreement (SLA) to ensure that security is a prescribed component of the contracted services. This could include customization of service-level requirements for your specific needs. 
+
+When evaluating a third party for your security integration, consider the following processes:
+
+- On-Site Assessment
+- Document Exchange and Review (investigate the means by which datasets and documentation are exchanged, and the formal processes fro assessments and reviews)
+- Process/Policy Review
+- Third-Party Audit
+
+Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 39). Wiley. Kindle Edition. 
+
+Here are some excellent resources related to security integrated with acquisition: 
+
+- Improving Cybersecurity and Resilience through Acquisition. Final Report of the Department of Defense and General Services Administration, published November 2013 (www.gsa.gov/portal/getMediaData?mediaId=185371) 
+- NIST Special Publication 800-64 Revision 2: Security Considerations in the System Development Life Cycle (http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf)

Corpus/Standards/CISSP/CISSP_OSG8_D1_C2_1.8.4.md

@@ -0,0 +1,7 @@
+## Vendor, consultant, and contractor agreements and controls
+(p.60)
+Vendor, consultant, and contractor controls are used to define the levels of performance, expectation, compensation, and consequences for entities, persons, or organizations that are external to the primary organization. Often these controls are defined in a document or policy known as a service-level agreement (SLA).
+
+The following issues are commonly addressed in SLAs: System uptime (as a percentage of overall operating time) Maximum consecutive downtime (in seconds/minutes/and so on) Peak load Average load Responsibility for diagnostics Failover time (if redundancy is in place) SLAs also commonly include financial and other contractual remedies that kick in if the agreement is not maintained.
+
+SLAs should include a focus on protecting and improving security in addition to ensuring quality and timely services at a reasonable price.

Corpus/Standards/CISSP/CISSP_OSG8_D1_C4.md

@@ -0,0 +1,17 @@
+## Contracting and Procurement 
+(p.150-..)
+The increased use of cloud services and other external vendors to store, process, and transmit sensitive information leads organizations to a new focus on implementing security reviews and controls in their contracting and procurement processes. Security professionals should conduct reviews of the security controls put in place by vendors, both during the initial vendor selection and evaluation process and as part of ongoing vendor governance reviews. 
+
+These are some questions to cover during these vendor governance reviews: 
+
+- What types of sensitive information are stored, processed, or transmitted by the vendor? 
+- What controls are in place to protect the organization’s information? 
+- How is our organization’s information segregated from that of other clients? 
+- If encryption is relied on as a security control, what encryption algorithms and key lengths are used? How is key management handled? 
+- What types of security audits does the vendor perform, and what access does the client have to those audits? 
+- Does the vendor rely on any other third parties to store, process, or transmit data? How do the provisions of the contract related to security extend to those third parties? 
+- Where will data storage, processing, and transmission take place? If outside the home country of the client and/or vendor, what implications does that have? 
+- What is the vendor’s incident response process, and when will clients be notified of a potential security breach? 
+- What provisions are in place to ensure the ongoing integrity and availability of client data?
+
+(p.149) Do not use vendor-supplied defaults for system passwords and other security parameters.

Corpus/Standards/CISSP/CISSP_OSG_Chapter_11.md

@@ -0,0 +1,16 @@
+See also [CISSP_Domain_4](CISSP_Domain_4.md)
+
+# Chapter11 – Secure Network Architecture
+
+## OSI model
+
+All People Seem To Need Data Protection
+
+* 7. Application
+* 6. Presentation
+* 5. Session
+* 4. Transport
+* 3. Network
+* 2. Data
+* 1. Physical
+

Corpus/Standards/CISSP/CISSP_OSG_Chapter_14.md

@@ -0,0 +1,8 @@
+# Chapter 14 – Controlling and Monitoring Access
+
+### Understanding access control attacks
+
+Threat Modeling Approaches (p. 640):
+* Focused on Assets
+* Focused on Attackers
+* Focused on Software

Corpus/Standards/CISSP/CISSP_OSG_Chapter_15.md

@@ -0,0 +1,18 @@
+# Chapter 15 – Security Assessment and Testing
+
+## Common TCP ports
+Expected to be open on a webserver:	
+	* HTTP = 80
+	* HTTPS = 443
+
+Rest should at least be filtered.
+
+	* SSH = 22
+	* Telnet = 23
+	* SMTP = 25
+	* DNS = 53
+	* POP3 = 110
+	* NTP = 123
+	* SQL = 1433
+
+ See p 675 for more.

Corpus/Standards/CISSP/CISSP_OSG_Chapter_18.md

@@ -0,0 +1,7 @@
+# Chapter 18 – Disaster Recovery Planning
+
+### Recovery vs. Restoration
+
+Recovery involves bringing business operations and processes back online, often at a recovery site.
+
+Restoration involves bringing the facilities and environment back to a workable state.

Corpus/Standards/CISSP/CISSP_OSG_Chapter_19.md

@@ -0,0 +1,21 @@
+# Chapter 19 – Investigations and Ethics
+
+### Code of Ethics Canons
+
+1. Project **society**, the common good, trust and confidence
+2. Act honorably, **honestly**, justly responsibility and legally.
+3. Provide diligent and competent services to principles **boss**
+4. Advance and protect the **profession**
+
+### Electronic Discovery
+
+The Electronic Discovery Reference Model has nine steps:
+1. **Information Governance** ensures information is well organized
+2. **Identification** locates the information that may be needed to be produced in response to a discovery request
+3. **Preservation** protection of information against alteration or deletion
+4. **Collection** of information in a central location
+5. **Processing** screens and filters the information to reduce the amount
+6. **Review** examines the information to determine what information is ‘responsive’ to the request and what information is protected under attorney-client privilege 
+7. **Analysis** deeper inspection of the information
+8. **Production** places the information in a format to be shared with others
+9. **Presentation** is displaying the information to relevant parties (witnesses, the court, etc.)

Corpus/Standards/CISSP/CISSP_OSG_Chapter_2.md

@@ -0,0 +1,15 @@
+# Chapter 2 – Personnel Security and Risk Management Concepts
+
+### Quantitative Risk Analysis
+
+* Probability: Annualized Rate of Occurrence (ARO)
+* Single Impact: Single Loss Expectancy (SLE)
+SLE ($) = Asset Value ($) x Exposure Factor (%)
+
+* Annual impact: Annual Loss Expectancy (ALE)
+ALE ($) = SLE x ARO
+
+SLE = AV x EF
+ALE = SLE x ARO
+
+

Corpus/Standards/CISSP/CISSP_OSG_Chapter_3.md

@@ -0,0 +1,132 @@
+# Chapter 3 – Business Continuity Planning
+
+BC = Business Continuity (strategic, high level focus on business processes)
+DR = Disaster Recovery (more tactical, focus on technical activities)
+
+Business Continuity Planning is an ongoing organisational process. The **goal of BCP planning** is to implement and maintain policies, procedures and processes to mitigate the impact of disruptive events.
+
+Domain I, sheet 62:
+• DR planning can be seen as a subset of BC planning
+• The BC Plan is carried out when critical business processes are (threatened to be) interrupted
+• The DR Plan is carried out after a disaster has actually happened and the organization is in 'emergency' mode
+
+1. Project initiation 
+2. Developing a plan
+
+
+The **deliverables** are a set of approved and implemented policies, procedures and processes to:
+* Continue mission-critical operations with reduced capabilities or resources
+* Enhance a company’s ability to recover from disaster promptly
+
+**The BCP process has three phases:**
+* BCP Development (developing a set of approved policies, ... )
+* BCP Testing, Training and Maintenance
+* BCP Implementation (having resources availability for when disaster strikes) 
+
+**BCP development has four stages:**
+* Project Scope and Planning
+* Business Impact Assessment
+* Continuity Planning
+* Approval and Implementation (of the policies, ... )
+
+The result of the BCP development (or design) phase is the BCP document, a set of approved policies, procedures and processes, including an Implementation Plan.
+
+## Project Scope and Planning
+This stage is the preparation for creating the BCP, it involves four steps:
+* Business organization analysis (BOA)
+* BCP team selection
+* Determining resource requirements
+* Identifying legal and regulatory requirements
+
+### Business organization analysis (BOA)
+
+Identify:
+* stakeholders (departments and individuals)
+* core business processes
+* critical support services (e.g. IT, facilities mgt, maintenance)
+* Physical security teams (often first responders)
+* Senior executives
+
+One of the first tasks of the BCP Team should be reviewing the BOA.
+
+
+### BCP team selection
+
+At minimum:
+* Representatives of all departments involved in core business processes
+* Representatives of critical support services
+* IT subject matter experts
+* Cybersecurity team members
+* Physical security team members
+* Facility mgt team members
+* Attorneys (for legal and regulatory requirements)
+* Public relations team members
+* Senior mgt representatives
+
+### Determining resource requirements
+
+Resources are needed in three BCP phases:
+* BCP Development – involves project scope, Business Impact Assessment, Continuity Planning and Approval and Implementation (of the policies, ... )
+* BCP Testing, Training and Maintenance – requires hardware, software and people
+* BCP Implementation – having resources availability for when disaster strikes
+
+### Identifying legal and regulatory requirements
+
+Some organizations are required to operate, by law: police, healthcare, banks, etc., or by contractual obligation (as in SLA’s).
+ 
+## Business Impact Assessment
+After the stage of Project scope and planning has been conducted, it’s time to start with the core stage of BCP development: Business Impact Assessment.
+BIA identifies the critical resources and the threats imposed on them.
+
+BIA involves:
+1. Priority identification
+2. Risk identification
+3. Likelihood assessment
+4. Impact assessment
+5. Resource prioritization
+
+**Priority identification:** rank business processes in order of importance (qualitative, ask each department to rank it’s functions and then combine). Then combine a list of Assets, assign an Asset Value for each, and set the Maximum Tolerable Downtime (quantitative).
+Third, define the Recovery Time Objective for each business function.
+Now you can design and plan the procedures necessary for recovery.
+
+The goal of the BCP process is to make your RTO’s less than your MTD’s, so no business function is unavailable for longer than is acceptable.
+
+**Risk identification:** purely qualitative. Identify natural and man-made risks. Include risks and impact on service providers and cloud vendors; verify that they have the controls in place to deliver on their contractual commitments (e.g. SOC-2 or SOC-3).
+
+**Likelihood assessment:** expressed in Annualized Rate of Occurrence (ARO). That is the number of times you expect a certain risk to materialize each year. Based on corporate history, professional experience, expert advice, public and proprietary sources (e.g. government organizations and insurance firms).
+
+**Impact assessment:** what impact could occur on assets through risks materializing. Calculate the Single Loss Expectancy by multiplying the Exposure Factor and the Asset Value: SLE = AV x EF.
+The Exposure Factor is the potential loss of value the risk poses to the asset, expressed as a percentage.
+Then multiply the Single Loss Expectancy with the Anual Rate of Occurence to get the Anualized Loss Expectancy: ALE = SLE x ARO.
+Also consider qualitative impact like reputation damage and social/ethical responsibilities.
+
+**Resource prioritization:** sort the identified risks by Anualized Loss Expectancy and work down the list until “you’ve run out of available resources” [that will actually happen in the Continuity Planning stage].
+
+## Continuity Planning
+This stage focuses on developing a strategy to minimize the *impact* of risks once they materialize.
+
+Sub tasks of Continuity Planning are:
+* Strategy development
+* Provisions and processes
+* Plan approval
+* Plan implementation
+* Training and education
+
+During **Strategy development** you determine which risks will be mitigated and which risks will be accepted, considering Maximum Tolerable Downtime and likelihood.
+
+In the **Provisions and processes** phase the BCP team designs the measures that will mitigate the impact on three categories of assets: people, buildings and facilities, and infrastructure.
+People should be able to conduct both their BCP and operational tasks as normal as possible. 
+Buildings and facilities should be ‘hardened’ by protective measures and if that’s not feasible, alternative sites should be identified.
+The same goes for Infrastructure, like IT backbone, transport systems and power supply: systems should be *physically* hardened, or redundancy should be introduced.
+
+## Approval and Implementation
+The BCP document needs endorsement by top-level management. After that, the actual implementation starts. This means developing an implementation schedule to achieve the designed processes and provisions.
+
+The implementation includes:
+* Training of people directly involved in the BCP activities (incl backups) and education of all personnel. 
+* Documenting the BCP methodology, including continuity planning goals, risk assessments and risk treatment
+* Publishing and distributing a Statement of Importance, Statement of Priorities, Statement of Organizational Responsibility, Statement of Urgency and Timing
+* A Vital Records program
+* Emergency-Response guidelines, with immediate response procedures, people to be notified, secondary response procedures (i.e. procedures that first responders should take while waiting for the BCP team to assemble)
+* Maintenance procedures for the Business Continuity Plan
+* Test and Exercise program (see also Chapter 18)

Corpus/Standards/CISSP/CISSP_OSG_Chapter_4.md

@@ -0,0 +1,126 @@
+# Chapter 4 – Laws, Regulations and Compliance
+
+Three main categories of law:
+* Criminal law
+* Civil law
+* Administrative law
+
+Subjects in Civil law include contract disputes, real estate transactions, and employment matters.
+Administrative law covers the policies, procedures and regulations of government agencies.
+
+Civil law = Burgerlijk Recht, Administrative law = Bestuursrecht
+
+## Cybersecurity laws
+The **Comprehensive Crime Control Act of 1984**covered actions that targeted or used federal computer systems.
+The **Computer Fraude and Abuse Act (CFAA)** extended that to cover all “federal interest” computers: offenses on computers used by the US government, financial institutions, and combinations of computers in different states.
+The **Computer Abuse Amendments Act (CAAA) of 1994** included: creation of malicious code, any computer used in interstate commerce, allowed for imprisonment of offenders and for the victims to pursue civil action.
+
+The **Federal Sentrencing Guidelines (1991)** provided punishment guidelines and formalized the *prudent man rule*: senior executives are personally responsibility for ensuring due care, but punishment is minimized if due diligence is demonstrated.
+Proof of negligence has three burdens: the person accused must have a legally recognized obligation, must have failed to comply with recognized standards, and there must be a causal relationship between the negligence and subsequent damages.
+
+The **National Information Infrastructure Protection Act of 1996** broadens CFAA to cover computer systems in international commerce, national infrastructure other than computers, and treats any intentional or reckless act against them as a felony.
+
+The **Federal Information Security Management Act (FISMA) of 2002** requires federal agencies to implement an information security program, and include the activities of contractors in it.
+
+The NIST (National Institute of Standards and Technology) outlines eight elements of an effective information security program:
+1. Periodic assessments of risk
+2. Policies and procedures based on risk assessments
+3. Subordinate plans for providing adequate information security
+4. Security awareness training for personel to comply with relevant policies
+5. Periodic testing and evaluation of policies and controls
+6. A process for planning, implementing, evaluating and documenting remedial actions
+7. Procedures for detecting, reporting and responding to incidents
+8. Continuity plans
+
+### 2014 Federal Cybersecurity Laws
+
+* FISMA – Federal Information Security *Modernization* Act centralized federal cybersecurity responsibility with the Department of Homeland Security, with the exceptions of defense-related and intelligence-related issues.
+* Cybersecurity Enhancement Act gives NIST the responsibility for nationwide voluntary standards. Commonly used are NIST SP 800-53 (controls for federal information systems) and the similar NIST SP 800-171 (protecting unclassified information in non-federal systems and organizations). The NIST Cybersecurity Framework (NCF) is a voluntary risk-based framework. 
+* National Cybersecurity Protection Act: Homeland Security is charged with establishing a national center to shared risks, incidents, analysis and warnings between federal and civilian organizations.
+
+## Intellectual Property laws
+Four major types: copyrights, trademarks, patents, and trade secrets.
+
+**Copyright law** guarantees creators of original works protection against unauthorized duplication. Ownership defaults to the creator, except when he/she was “hired” by an employer or on the base of a contract.
+Before the DMCA, software was copyrighted under the scope of literary works, but only the literal source code was protected, not the ideas or process behind it.
+Protection is for 70 years after the death of the author, and for ‘works for hire’ 95 years after publication or 120 years after date of creation.
+
+**1998 DMCA Digital Millennium Copyright Act**. Brought the US copyright law in line with the WIPO treaties (World Intellectual Property Organization).
+The DMCA prohibits attempts to circumvent copy protection mechanisms. It also limits the liabilities of ISP’s for the transmitted materials, assigning them the same “common carrier” status as phone companies.
+For ISP’s to qualify for the exemption, they may not be the initiator of the transmission, all activities should be carried out automatically, the ISP must not choose the receivers, no intermediate availability to others except the intended receiver, not kept longer then necessary, and no modification of the material.
+
+**Trademarks** protect words, slogans, and logos that identify a company and it’s products. The main objective is to avoid confusion while protecting intellectual property rights of people and organizations.
+
+**Patents** protect inventions. For 20 years from the application date. Patents have three main requirements: the invention must be new, useful and not obvious.
+
+**Trade secrets** are intellectual properties that are critical to business, and when disclosed, would cause damage to the company. Copyrights and patents are not effective here, because they require disclosure when they are filed and the duration of the protection is limited.
+To preserve Trade Secret status you must implement adequate controls and use NDA’s.
+Software is best protected by Trade Secret protection.
+
+The Economic Espionage Act of 1996 prohibits stealing trade secrets from US corporations and has extra highs fines if it is done with the intention of benefiting a foreign government or agent. It gives teeth to Trade secrets protection.
+It extended the definition of theft as involving physical property, to include proprietary economic information.
+
+
+## Licensing
+Four common types of license agreements exist:
+* Contractual license agreements: written contract between vendor and customer
+* Shrink-wrap license agreements: written on the box
+* Click-through or Click-wrap license agreements: click to agree with the terms
+* Cloud service license agreements: the same, but sometimes just a link to legal terms.
+
+## Import/export regulations
+Two sets of federal regulations are of interest:
+* ITAR (International Traffic in Arms Regulations) controls the export of items that are specifically designed for military use, including technical information about them. The items are listed on the United States Munitions List (USML)
+* EAR (Export Administration Regulations) includes items that may have military applications. They are listed on the Commerce Control List (CCL). It includes a category covering information security products.
+
+Currently high-performance computing can be sold to any country except those imposing nuclear threats.
+
+Under previous regulations almost no encryption products could be exported, putting US companies at a great competitive disadvantage. This is now easened for ‘retail and mass market security software’.
+
+## Privacy
+The US Constitution does not explicitly provide a right to privacy. The Fourth Amendment is the basis for US privacy rights: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures”.
+
+The **Privacy Act of 1974** limits the ability of government agencies to disclose private information from individuals to others without prior written consent. 
+Agencies can only keep records that are necessary and no longer than needed. It regulates access to records by individuals and the right to request amending incorrect records. It applies *only* to government agencies.
+
+The **Electronic Communications Privacy Act (ECPA) of 1986** prohibits the interception or disclosure of electronic communication, including email, voicemail and mobile telephone conversations. (In the previous Federal Wiretap Act only communications ‘over the wire’ where protected).
+
+The **Communications Assistance for Law Enforcement Act (CALEA) of 1994** requires all communications carriers to make wiretaps possible for law enforcement.
+
+The Economic Espionage Act of 1996, with its inclusion of proprietary economic information, also has privacy implications.
+
+The **Health Insurance Portability and Accountability Act (HIPAA) of 1996** governs health insurance and health maintenance organizations (HMOs) and requires strict security measures for all organizations that process private medical data about individuals. It also defines the rights of the subjects.
+
+The **Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009** is an amendment to HIPAA and extends the requirements to organizations handling PHI on behalf of a HIPAA covered entity. HITECH also introduced new data breach notification requirements (notifying affected individuals, the Secretary of Health and the media).
+
+PHI = Protected Health Information
+
+The **Children’s Online Privacy Protection Act (COPPA) of 1998** covers websites that cater to children or knowingly collect information about them. They must have a privacy notice, parents must consent and have the opportunity to review collected information.
+
+The **Gramm-Leach-Bliley Act (GLBA) of 1999** relaxed the regulations on information exchange between banks, insurance companies and credit providers. It included limitations of the types of information that could be exchanged.
+
+The **USA PATRIOT Act of 2001** broadened the powers of law enforcement and intelligence organizations. Wiretapping warrants where no longer on a ‘per circuit’ basis but allowed for blanket authorization for a person across different media. Also, ISPs may voluntarily provide a large range of information. The government may obtain detailed information on user activity through subpoenas.
+It expired in 2015 but was promptly restored through the USA Freedom Act, which was renewed in March 2020.
+
+The **Family Educational Rights and Privacy Act (FERPA)** affects government funded educational institutions.
+
+The **Identity Theft and Assumption Deterrence Act** of 1998 makes identity theft a crime against any person, not just against defrauded creditors.
+
+### US Privacy Shield
+US Privacy Shield contains seven requirements:
+- Informing individuals about data processing
+- Providing free and accessible dispute resolution
+- Cooperating with the US Department of Commerce
+- Maintaining data integrity and purpose limitation
+- Accountability for transfer to third parties
+- Transparency on program enforcement actions
+- commitments are kept as long as data is held, even after exiting Privacy Shield.
+
+### Privacy in the Workplace
+In US law, privacy is only guaranteed when there is a “reasonable expectation of privacy”. This does not extent to the use of employer-owned equipment and networks in the workplace.
+
+### Compliance to regulations
+
+The PCI DDS (Paynment Card Industry Data Security Standard) is an example of compliance requirement by contractual obligation (between a business that accepts credit cards and the bank that processes the transactions).
+
+Organizations must accept audits, for instance to ensure compliance with SOX (Sarbanes-Oxley Act). The often must report regulatory compliance to internal and external stakeholders.

Corpus/Standards/CISSP/CISSP_OSG_Chapter_5.md

@@ -0,0 +1,143 @@
+# Chapter 5 – Protecting Security of Assets
+
+## Identify and Classify Assets
+One of the first steps in asset security is identifying and classifying (information) assets.
+Assets include sensitive data, the hardware used to process it, and the media that holds it.
+
+### Defining sensitive data
+Sensitive data is any information that isn’t public or unclassified.
+**Personal Identifiable Information (PII)** is information that can identify an individual.
+**Protected Health Information (PHI)** is health-related information that can be related to a specific person. HIPAA further defines it as information that “is created or received by a health care provider, health plan, public health authority, *employer, life insurer, school or university*, or health care clearinghouse”. 
+**Proprietary data** is any data that helps an organization maintain a competitive edge.
+
+### Defining data Classifications
+A *data classification* identifies the value of the data to the organization. Classification labels, the method by which they are assigned, and the required protection associated with the different labels, are identified in a policy.
+US government uses the following classifications:
+* **Top Secret**: unauthorized disclosure causes ~exceptionally grave damage~ damage to national security.
+* **Secret**: unauthorized disclosure causes ~serious damage~ to national security.
+* **Confidential**: unauthorized disclosure causes ~damage~ to national security.
+* **Unclassified**: any other data.
+(So Top Secret = exceptionally grave damage | Secret = serious damage | Confidential = damage)
+
+Anything above ‘unclassified’ is considered **sensitive data**.
+
+Unclassified is sometimes further subclassified as FOUO and SBU (For Office Use Only and Sensitive But Unclassified - the IRS uses SBU for individual tax records).
+
+While the above classifications are government/military oriented, there are also civilian/commercial classifications:
+* **Confidential or Proprietary**: a breach causes ~exceptionally grave damage~ to the mission of the organization. 
+* **Private**: a breach causes ~grave damage~ to the mission of the organization. PII and PHI data are often labeled as Private.
+* **Sensitive**: a breach causes ~damage~ to the mission of the organization. As an example, data about an organization’s IT infrastructure may be considered Sensitive.
+* **Public**: confidentiality is no issue, but integrity may be.
+
+Again, sensitive information is any information that isn’t public or unclassified. 
+
+### Asset Classifications and Security Controls
+The above classifications also apply to hardware assets. Asset classification should match data classifications: if a system processes top secret data, the system should be classified as a top secret asset.
+
+After data and asset classifications have been defined, security requirements and security controls can be identified. Management decides on a data security policy that dictates the use of specific security “controls” (requirements ?) for each category.
+Security administrators use the requirements from the security policy to identify controls.
+
+### Data states
+* **Data at Rest** is data stored on media
+* **Data in Transit** (or data in motion) is data transmitted over a network
+* **Data in Use** is data in use by an application; it may reside in memory or in  temporary storage buffers.
+
+Organization can mark USB drives for use for storing classified data by using a Universally Unique IDentifier (UUID) that can be recognized by Data Loss Prevention (DLP) systems, ensuring data is encrypted before copying it, or preventing copying by users.
+
+Secure transportation of media is referred to as ‘handling’
+
+### Declassification
+For re-purposing, media or systems can be downgraded to a less sensitive classification. It must be sanitized before doing so and organizations should have procedures for that.
+Be aware that the value of sensitive data is much greater than the value of the media holding it. The efforts required for secure sanitization are often much greater than the cost of new media.
+In most cases it’s better to destroy (classified) media, than to re-use it.
+
+### Destroying sensitive data
+Destroying data should follow a procedure based on the data’s classification. NIST SP 800-88r offers “Guidelines for Media Sanitization”. Sanitization can refer to the destruction of media or purging it using a trusted method.
+
+**Data remanence** is the residual data that remains on a medium after is was supposedly erased. Data remanence can be removed with a degausser, but from magnetic media only. 
+
+**Erasing** media is simply performing a delete, which only removes the directory reference to the data, but not the data itself.
+
+In **Clearing** or overwriting, the classified data is overwritten with unclassified (or random) data on all addressable locations of the media. Sometimes this is done in multiple passes with different data patterns.
+This doesn’t work equally well for all media types and sometimes parts of the original data can be retrieved using special techniques. 
+
+**Purging** is more thorough then clearing: by definition it provides the assurance that the data is not recoverable with any known methods. It isn’t always trusted in practice.
+
+**Destruction** should lead to a state where the media cannot be reused or repaired, and no data can be extracted from it anymore. It is the most secure method of sanitization.
+
+Degaussing isn’t recommended for Hard Disks as it destroys the electronics. SSD’s are remarkably resilient against any traditional methods of sanitization and can best be destructed. Alternatively all data on the SSD can be encrypted, making it unreadable.
+
+You should always verify, after a sanitization process, that the desired result has been achieved.
+
+### Asset Retention
+Retaining important information for as long as it is needed is called *record retention*. Laws and regulation often have requirements for record retention.
+*Hardware retention* is retaining the hardware until it has been properly sanitized.
+*Personnel retention* refers to the knowledge personnel acquire about the organization, confidentiality is commonly covered through NDA’s.
+
+### Protecting data with Symmetric Encryption
+
+Some commonly used symmetric encryption algorithms:
+* Advanced Encryption Standard (AES). Selected by NIST as the replacement for the older Data Encryption Standard (DES) in 2001. The US government has approved it for top secret data. Microsoft’s BitLocker and Encrypting File System (EFS) use AES for file encryption. AES supports 128/192/256 bit keys.
+* Triple DES or 3DES was created as a DES replacement. It is used for smart payment cards. 3DES supports 56/112/168 bit keys.
+* Blowfish was also created as a DES replacement. Linux systems use ‘bcrypt’ to encrypt passwords. Key sizes of 32 bits to 338 bits are supported. Bcrypt adds 128 additional bits as a salt to protect against rainbow table attacks.
+
+### Protecting data withTransport Encryption
+Sniffing attacks are the primary risks when sending unencrypted data over a network. Sniffing attacks use protocol analyzers, or ‘sniffers’.
+Web browsers use HTTPS to encrypt e-commerce’s transactions (HyperText Transfer Protocol Secure). The underlying encryption protocol is TLS (Transport Layer Security). Before that, SSL (Secure Sockets Layer) was used but in 2014 a vulnerability to the POODLE attack was discovered.
+
+For remote administrative tasks, Telnet through an encrypted VPN tunnel is not acceptable. Although the traffic from the client to the VPN server is encrypted, the traffic from the VPN server to the Telnet server is not! One should use SSH, SCP or SFTP (Secure Shell, Secure Copy or Secure FTP).
+
+## Ownership
+The **data owner** or **information owner** has ultimate organizational responsibility for the data. It is typically the CEO or a departmental manager. Data owners identify the classification of data and ensure its proper labeling. They also ensure the data has adequate security controls based on its classification.
+Data owners may be liable if they fail to perform due diligence.
+
+NIST SP 800-18 outlines the information owner’s responsibilities as:
+* Establish the rules of behavior (for appropriate use and protection of the data)
+* Provide input to system owners regarding security requirements and controls
+* Decide who has access and with what privileges or access rights
+* Assist in the identification and assessment of security controls.
+
+Rules of Behaviour and Acceptable Use Policy (AUP) are effectively the same thing.
+
+A data owner often delegates everyday tasks to a **data custodian**. The data custodian ensures that data is properly stored and protected, for instance by making sure the data is backed up and auditing logs are kept. Data custodians are typically system security administrators and/or part of the IT department.
+
+The **asset owner** or **system owner** owns the asset or system that processes sensitive data. He/she is responsible for the secure processing of data on that system, for the highest level of data the system processes.
+
+The system owner:
+* Develops a system security plan
+* Maintains the system security plan
+* Ensures that personnel receives appropriate security training and instructions (e.g. rules of behaviour or AUP)
+* Assist in the identification, implementation and assessment of security controls.
+
+The role of **business or mission owners** differs per organization. They might own business processes and/or be responsible for ensuring that systems provide value to the organization, though they are not the owners of the systems themselves. Often conflict arises between business owners and IT owners. The implementation of IT governance methods such as COBIT may help to balance security control requirements with business needs.
+
+A **data administrator** is responsible for granting appropriate access and assigning permissions to personnel, based on the principles of least privilege and need to know.
+
+
+## Data Processors
+Under GDPR a data processor is an entity that processes personal data on behalf of a data controller.
+
+The EU-US Privacy Shield is a self-certification mechanism to ensure GDPR compliant transfer of personal data for processing in the US.
+
+The core Privacy Shield principles are:
+* *Notice*: informing individuals about the purposes of processing their data
+* *Choice*: offer individuals the possibility to opt-out
+* *Accountability for Onward Transfer*: data may only be transferred to other organizations if they comply with the ~Notice and Choice~ principles.
+* *Security*: organizations must take reasonable precautions to protect personal data.
+* *Data Integrity and Purpose Limitation*: only collect data that is needed for the purposes communicated under the Notice principle.
+* *Access*: individuals must have access to their data
+* *Recourse, Enforcement, and Liability*: organizations must implement mechanisms to ensure compliance and to handle individual complaints.
+
+**Pseudonymization** refers to the replacement of data with ‘artificial identifiers’, like arbitrary patient numbers in medical records. It is similar to *tokenization*. When performed effectively, less stringent GDPR requirements apply. Pseudonymization (tokenization) can be reversed.
+
+**Anonymization** is the process of removing all data that can lead to the identification of a person. If done effectively, the GDPR no longer applies.
+
+*Data masking* can be an effective method of anonymization. Masking swaps data items in individual database columns, so that records no longer represent actual data, but aggregate values are maintained (e.g. for scientific or statistical purposes). Data masking cannot be reversed.
+
+## Using Security Baselines
+Baselines define the minimum security standard. NIST SP 800-53 discusses security control baselines and includes a comprehensive list of controls, prioritized as low-impact, moderate-impact and high-impact (referring to the possible effects of a compromise of confidentiality, integrity or availability).
+The low-impact category mainly consists of basic security practices, like access control policies, backup policies and imaging.
+
+Selecting the applicable controls for a certain system from a list of baseline security controls is called **scoping**. **Tailoring** refers to modifying the baseline list to align with an organization’s mission.
+
+

Corpus/Standards/CISSP/CISSP_OSG_Chapter_6.md

@@ -0,0 +1,118 @@
+# Chapter 6 – Cryptography
+
+## Basics
+The **goals of cryptography** are confidentiality, integrity, authentication and nonrepudiation.
+
+For **integrity** you can use message digests (hashes), or more advanced,   digital signatures (encrypted message digests).
+
+**Authentication** can be provided by a challenge-response technique: the receiver of a message sends a challenge back to the sender (“encrypt this text with our secret key”). If the original receiver can then decode the encrypted text back to the original, he/she knows the sender uses their shared secret key.
+
+**Nonrepudiation** is provided by public key or asymmetric crypto systems.
+
+The **Kerckhoffs Principle** states that a cryptographic system is most secure if everything about it, except the key, is public knowledge.
+
+Cryptographic keys are sometimes called *cryptovariables*.
+
+A **nonce** (number only used once) is a random number added during an encryption process to make it harder to crack.
+
+**Zero-Knowledge Proof** is proving your knowledge of a secret fact to another party without disclosing the fact. 
+
+**Split Knowledge** is when the information, or privilege required to perform an operation, is divided between multiple users.
+*M of N Control* requires that minimum M out of N agents need to work together to perform high-security tasks.
+
+The **work function** expresses the time and effort required to perform a brute-force attack successfully. It is a measure for the strength of a cryptographic system. It should match the value of the protected asset.
+
+## Boolean mathematics
+AND operation
+Output is true if ~both~ inputs are true.
+X ⋀ Y
+
+OR operation
+Output is true if ~at least one~ of the inputs is true.
+X ⋁ Y
+
+NOT operation
+Reverses the value of the input
+∼X or !X
+
+XOR
+Output is true if ~only one~ of the inputs is true.
+X⨁Y
+
+Modulo operation
+Remainder left after a division
+8 mod 6 = 2
+6 mod 8 = 6
+
+## Ciphers
+**Substitution ciphers** replace each character of the plaintext message with another. The Caesar Cipher is a substitution cipher. It shifts each letter a number of places, e.g. A becomes C, F becomes I, etc.
+Mono-alphabetic Substitution ciphers are vulnerable to an attack called *frequency analysis*.
+Poly-alphabetic substitution ciphers, like Vigenère, protect against direct frequency analysis, but are vulnerable to *period analysis* – a second-order frequency analysis.
+
+**One-time pad** substitution ciphers are very powerful because they use a different alphabet for each substitution. C = (P+K) mod 26. Also known as Vernam ciphers. 
+
+Requirements of the one-time pad:
+* the pad must be randomly generated
+* the pad must be kept secret
+* each pad can only be used once
+* the key must be at least as long as the message itself.
+
+**Transposition ciphers** rearrange the letters of a plaintext message. They are an example of **Block ciphers**, that operate on blocks of the message.
+
+The **running key cipher** is also known as the **book cipher**.
+
+**Stream ciphers** operate on one character at a time.
+
+Cryptographic algorithms rely on confusion and diffusion. **Confusion** is when the relationship between plaintext and key is so complex, that altering the plaintext and analysing the results won’t help in finding the key.
+**Diffusion** occurs when a change in the plaintext result in multiple changes throughout the cipher text.
+
+## Symmetric vs Asymmetric key algorithms 
+In Symmetric cryptography, encryption and decryption happens with the same key, which must be known by sender and receiver. It’s also called secret key cryptography or private key cryptography.
+
+Asymmetric cryptography works with individual combinations of public and private keys. It is also known as public key cryptography.
+
+## Symmetric key algorithms 
+Rely on a single shared secret. It’s fast but not strong. 
+
+Weaknesses are:
+* key distribution (keeping it secret while communicating it to the intended receiver)
+* do not implement nonrepudiation
+* not scalable – each sender-receiver pair needs a unique key; N=n(n-1)/2
+* need for frequent regeneration of keys – if people leave a group all remaining members need new keys
+
+## Asymmetric key algorithms 
+Each user has a private and a public key. The combination of a user’s public-private keys can decrypt the message.
+
+The sender uses the public key of the receiver to encrypt the message, the receiver decrypts it with her private key.
+
+Advantages are:
+* see page 218
+* Can provide integrity, authentication and nonrepudiation. 
+
+Because of the slowness of public key cryptography, many applications use PKI to establish a secure connection, and then exchange a symmetric key for the body of the transmission. 
+
+## Symmetric Cryptography 
+### Data Encryption Standard (DES)
+DES is a 64-bit block cipher with a 56 bit key. (The specification calls for a 64 bit key but 8 of those are dor parity information). 
+
+DES operates in several modes:
+* Electronic Code Book Mode (ECB) encrypts the block with the key. A repeated plaintext block will result in a repeated cipher text block, making it easier to decipher. In practice only used for small amounts of data. 
+* In Cipher Block Chaining Mode (CBC), each block is XORed with the preceding block of cipher text, before it is encrypted. The first block of text is XORed with an Initialization Vector, which must be shared with the recipient. An important consideration is that CBC mode errors propagate throughout the text. 
+* Cipher Feedback Mode (CFB) is the streaming version of CBC. The input stream is buffered in memory until the block size is reached. 
+* Output Feedback Mode (OFB) is like CFB but chains a seed value. The advantage is that errors do not propagate. 
+* Counter Mode (CTR) uses a simple counter instead of a seed value. This allows you to break up the processing in independent steps, making it suited for parallel computing. 
+
+TripleDES or 3DES uses multiple passes, with different key combinations, see p. 222. It has an effective key length of 112 bits. 
+
+Other symmetric cryptographic algorithms are:
+* IDEA
+* Blowfish
+* Skipjack
+* Rivest Cipher 5 or RC5
+* AES
+* Twofish 
+
+Diffie-Hellman was specifically designed for exchanging secret keys. 
+
+
+

Corpus/Standards/CISSP/CISSP_OSG_Chapter_8.md

@@ -0,0 +1,91 @@
+# Chapter 8 – Principles of Security Models, Design and Capabilities
+
+
+
+### Objects and Subjects
+A Subject is the user or process that makes a request to access a resource (the object).
+**Transitive trust** is the concept that if A trusts B and B trusts C, then A inherits the trust of C. It is a serious security concern, because of possible bypassing of restrictions between A and C.
+
+A **closed system** is designed to work well with a narrow range of other systems, usually from the same manufacturer. An **open system** uses industry standards and integrates more easily.
+A closed system is harder to attack because there is less public knowledge about it.
+Because Microsoft, Apple et al support industry standards they are considered ‘open systems’.
+
+## Techniques for Ensuring Confidentiality, Integrity and Availability
+The three terms, isolation, bounds and confinement are inter-related. **Confinement** basically means ensuring that the process only reads and writes to specific resources (such as memory), whereas **bounds** refer to the authority level attached to the process which defines the specific resources it can access such as memory locations. **Isolation** means confining a process by implementing bounds.
+
+### Access Controls
+Mandatory Access Controls (MAC) use static attributes of subjects and objects, and depend on labeling them with clearance or authority levels (for subjects) and classification (for objects).
+Discretionary Access Control (DAC) allows the owner of an object to determine the rules for access.
+
+### Trust and Assurance
+A system is Trusted when all protection mechanisms work together to maintain stability and security while processing data for different users.
+Assurance is the degree of confidence in the security of a system.
+
+## Fundamental Concepts of Security Models
+...
+
+### Take-Grant Model
+The Take-Grant model dictates how rights can be transferred among subjects. A subject with a Grant right can grant *another subject or object* any right they possess (except the grant right itself).
+A subject with the Take right can take a right from any other subject.
+The Create rule allows a subject to create new rights, the Remove rule allows a subject to remove rights (but only the rights it has itself).
+
+### Access Control Matrix
+Column headers represent Objects, Row label represent Subjects.
+Capability Lists is associated with subjects (or rows).
+Access Control Lists are associated with objects (or columns).
+“Using only capability lists is a management nightmare”, because every change in an object has to be implemented on each user account.
+
+### Bell-LaPadula Model
+The Bell-LaPadula model is an information flow model, based on a state machine concept. It employs mandatory access control (MAC) and is lattice-based.
+Bell-LaPadula is focused on confidentiality.
+
+Access to an object is granted to subjects with classified levels. Properties of the Bell-Lapadula state machine:
+* ~no read-up~ (simple security property):  you can’t see what you’re not classified for.
+* ~no write-down~ (star security property): don’t share classified information below your rank. Also known as the confinement property.
+* The system uses an access matrix for discretionary access control: Need-to-Know.
+* Read-down and write-up are allowed (but you can’t look into the object you’re writing to).
+
+### Biba Model
+The Biba model is an information flow model aimed at nonmilitary organizations and focuses on ~integrity~. It is the inverse of the Bell-LP model. Properties of the Biba state machine:
+* ~no read-down~ (simple integrity property):  because you would be using less reliable data.
+* ~no write-up~ (star security property): because you would be polluting more reliable data.
+
+Biba focuses on protection from external threats only (i.e. from outside the system). It doesn’t address access control management.
+
+Note: *simple* is always about reading, *star* is always about writing.
+
+### Clark-Wilson Model
+The Clark-Wilson model also focuses on integrity for commercial organizations.
+CW ~allows modifications of data items only through a small set of programs~.
+It does not use a lattice, but *access control triples* of subject-program-object (or subject-transaction-object).
+CW uses two principles: well-formed transactions and separation fo duties.
+Well-formed transactions are enforced through programs. Each program is limited in what it can do to an object. This effectively limits the subject’s capabilities and is known as a constrained interface.
+
+Clark-Wilson defines the following:
+* A constrained data item (CDI) is a data item whose integrity is protected by the model.
+* Only Transformation procedures (TP) are allowed to modify a CDI.
+* There is an Integrity verification procedure (IVP) to confirm the integrity of objects.
+* An unconstrained data item (UDI) is a data item that is not controlled by the model and has unknown integrity.
+
+Access to information, as well as functions, is based on classification of the subject. The Clark-Wilson model enforces ~separation of duties~.
+
+### Brewer and Nash model (aka Chinese Wall)
+The Brewer and Nash model permits access controls to change based on a user’s previous activity (so it’s a kind of state machine model).
+It defines which security domains are potentially in conflict, and prevents subjects with access to one domain from accessing conflicting domains.
+This keeps users out of ~conflict-of-interest~ situations.
+
+If an action is taken on a data item, the access to any conflicting item is temporarily blocked, until the task is completed.
+
+### Goguen-Meseguer model
+The Goguen-Meseguer model is an integrity, ~noninterference~ model. Users are grouped and have only access to a list of objects, but can not interfere with members of another domain.
+
+### Sutherland model
+The Sutherland model is an integrity model, based on a state machine / information flow model. It defines a set of system states, initial states and state transitions to maintain integrity and prohibit interference.
+A common use is to ~prevent covert channels~ to influence processes.
+
+### Graham-Denning model
+The Graham-Denning model focuses on creation and deletion of subjects and objects. It has eight primary protection rules: securely create or delete objects or subjects, and securely provide read, grant, delete and transfer rights.
+It uses an access control matrix to define the specific permissions of each subject.
+
+## Select Controls based on Systems Security Requirements
+...