Studying for the CISSP: Self Check (1–4)

I got away from studying for the CISSP a couple months ago when I ran into some stressful life situations. Now that things are back in order, I’m hitting the books again. Last week I read Chapters 3 and 4, covering Security Models & Architecture and Physical Security respectively. Tonight I took the self-exam for each of the first four chapters. Needless to say, I’m not happy with my results. This does provide a nice benchmark for me though.

0.91 (10/11)    Security Management
0.50 (6/12)     Access Control
0.45 (5/11)     Security Models & Architecture
1.00 (13/13)    Physical Security
0.72 (34/47)    Total

Since I plan on using this blog mainly as a repository of my thoughts, below is my list of items that require further study and some quick thoughts about them.

  • Compulsory — I missed the question not because I didn’t understand the topic and answers, but because I didn’t understand what compulsory meant. I thought it meant “optional.” Nope, it actually means: “mandatory.” Oops!
  • Biometric Evaluation — Here I need to know what Type I, Type II, and CER stand for.
  • Kerberos — Even though I know it’s an authentication protocol, I need to better understand the specific weaknesses it has.
  • Security Label — This is part of MAC (Mandatory Access Control) and is a concept where information about an object, including its classification level and need-to-know, is maintained. A subject’s classification and need-to-know are compared against the object’s before access is granted.
  • Capability Tables are the rows of an Access Control Matrix; each row is bound to a subject.
  • Access Control Lists are the columns of an Access Control Matrix; each column is bound to an object.
  • RADIUS, TEMPEST, TACACS, Diameter — I must understand the what/when/why/how of each and their differences.
  • Brush up on the differences between Multitasking, Multiprocessing, Multithreading, and Multiprogramming.
  • Reference Monitor
  • Security Kernel
  • Clark-Wilson Model
  • Trusted Computing Base
  • Biba Model
  • Bell-LaPadula Model
  • Common Criteria — Mainly TOE, EPL and Protection Profiles
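To make the Security Label, Capability Table and ACL items above concrete, here is a small added example (my own illustration, not code from the study guide or from this post). It builds a constructed access control matrix, derives a capability table (one row, bound to a subject) and an ACL (one column, bound to an object) from it, and models MAC security labels as a classification level plus a set of need-to-know compartments. The `check_access` function that requires both the matrix entry and a label comparison to pass is my own combination of the two mechanisms for illustration; the level names, subjects, objects and permissions are all made up.

```python
"""Added example: access control matrix views and MAC security label comparison."""
from dataclasses import dataclass

# Ordered classification levels (constructed; a real system defines its own lattice).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    """A MAC security label: a classification level plus need-to-know compartments."""
    level: str
    compartments: frozenset

    def dominates(self, other: "Label") -> bool:
        """True when this label's level is at least other's AND it holds every
        compartment other requires (the need-to-know half of the comparison)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


# Access control matrix (constructed sample): rows are subjects, columns are objects,
# and each cell is the set of permissions that subject holds on that object.
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "plans.doc": {"read"}},
    "bob":   {"payroll.db": {"read"},          "plans.doc": {"read"}},
    "carol": {"payroll.db": set(),             "plans.doc": {"read", "write"}},
}

# MAC labels for subjects (their clearance) and objects (their classification); constructed.
SUBJECT_LABELS = {
    "alice": Label("secret", frozenset({"payroll", "plans"})),
    "bob":   Label("confidential", frozenset({"payroll"})),
    "carol": Label("top secret", frozenset({"plans"})),
}
OBJECT_LABELS = {
    "payroll.db": Label("confidential", frozenset({"payroll"})),
    "plans.doc":  Label("secret", frozenset({"plans"})),
}


def capability_table(subject: str) -> dict:
    """One ROW of the matrix: everything this subject may do, keyed by object."""
    return {obj: perms for obj, perms in MATRIX[subject].items() if perms}


def access_control_list(obj: str) -> dict:
    """One COLUMN of the matrix: every subject holding rights on this object."""
    return {subj: row[obj] for subj, row in MATRIX.items() if row.get(obj)}


def check_access(subject: str, obj: str, perm: str) -> tuple:
    """Grant only if the matrix lists the permission AND the subject's label
    dominates the object's label. Returns (allowed, reason) so a denial can be
    traced to the mechanism that produced it."""
    if perm not in MATRIX.get(subject, {}).get(obj, set()):
        return False, "matrix: no '%s' right for %s on %s" % (perm, subject, obj)
    if not SUBJECT_LABELS[subject].dominates(OBJECT_LABELS[obj]):
        return False, "label: %s's clearance does not dominate %s" % (subject, obj)
    return True, "allowed"


if __name__ == "__main__":
    print("capability table for alice:", capability_table("alice"))
    print("ACL for payroll.db:", access_control_list("payroll.db"))
    # bob has a matrix entry for plans.doc, but his label is too low: the MAC check denies it.
    print("bob reads plans.doc:", check_access("bob", "plans.doc", "read"))
```

The point the two views make is that the data is the same matrix either way: a capability table is just what you get when you slice by subject, an ACL when you slice by object. The `bob` / `plans.doc` case shows why the label comparison sits in front of the matrix lookup rather than replacing it: a discretionary grant in the matrix does not override a mandatory label mismatch.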

I plan on going back through this content during this week and writing at least a paragraph on each concept I missed in order to drive the points home.

As some may have noticed, I have begun to post longer, more informative posts. This is the trend I want to continue and build on. I believe writing longer posts not only provides practice at communication through the written word, but is also more informative and less likely to be a quick emotional reaction to other blog posts or news stories. As always, I implore anyone reading this to leave comments. I may have been in the field for 5 years now, but seeing as how I’m at least 35 years away from retirement, I have at a minimum 35 more years’ worth of learning to do!

As Joseph Addison said, “The utmost extent of man’s knowledge, is to know that he knows nothing.”
