├── LICENSE
└── readme.md

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2018 theRealBenForce

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------
/readme.md:
--------------------------------------------------------------------------------
# Domain 1: Security and Risk Management

## Risk Management

SLE = AV * EF
- Single Loss Expectancy (SLE) - Negative impact of a single occurrence of the event
- Asset Value (AV) - What the asset is worth
- Exposure Factor (EF) - The fraction of the asset lost in one occurrence. If a flood will damage 40% of your data center, EF is 40%

ARO
- Annualized Rate of Occurrence - How many times per year the event is expected to happen (0.1 means once every ten years)

ALE = ARO * SLE
- :beer: = :heart_eyes: (get it?)
- Ale makes arousal (ALE = ARO * SLE)
- Annual Loss Expectancy = Annualized Rate of Occurrence * Single Loss Expectancy (multiply, not subtract)

## Threat Modeling

STRIDE - Microsoft's threat classification, used by the Microsoft Threat Modeling Tool
- **S** poofing - pretending to be another user, process or host
- **T** ampering - modifying data or code
- **R** epudiation - attacker can deny participation
- **I** nformation disclosure
- **D** enial of service
- **E** levation of privilege

## Control Types
PTA keeps the children safe!
* **P** hysical - Tangible. Locks, guards, alligator moats, etc.
* **T** echnical/Logical - Automated or electronic systems. Firewalls, access control lists, encryption.
* **A** dministrative - Policy, procedures, training, signage.

## Due Care vs Due Diligence
Imagine you have a pool. To protect children and animals from drowning in your pool, you exercise due care by building a fence around the pool. Regularly checking the fence for weaknesses and correcting them demonstrates due diligence.

* Due Care - Acting in the reasonable and expected manner for the circumstances (doing the right thing)
* Due Diligence - The research, investigation and ongoing verification that shows the care is actually being taken

# Domain 3: Security Engineering
## Security Models

### Brewer-Nash
Brewer-Nash is also known as "The Chinese Wall" and protects against conflict of interest: once a subject has accessed data belonging to one company, it is blocked from the data of competing companies in the same conflict-of-interest class. Remember Chinese "brew" tea. :tea:

### Simple Security vs \*-Security

You must read before you can write. So reading is "simpler" than writing. This makes the read rule the simple security property and the write rule the \*-property (star property).

### Integrity vs Confidentiality models
* Integrity Models have the letter "I" in them.
* Bell-LaPadula and Biba - Since Biba has an "I" in it, it is integrity. The two are opposites, so Bell-LaPadula is confidentiality. For something confidential you don't want a subject reading above their clearance, so Bell-LaPadula has a no read up property.
With this we can derive the read and write rules for both Bell-LaPadula and Biba (Biba is the mirror image of Bell-LaPadula):

|Bell-LaPadula (confidentiality) |Biba (integrity)                |
|--------------------------------|--------------------------------|
|No Read Up (simple security)    |No Read Down (simple integrity) |
|No Write Down (\*-property)     |No Write Up (\*-integrity)      |


# Domain 4: Communications & Network Security
## Factorization of Primes vs Discrete Logs
RSA gets its strength from the difficulty of factoring the product of two large primes; Diffie-Hellman and ElGamal rely on the discrete logarithm problem instead. Found this somewhere else but it made me laugh and was easy to remember:
Mr. Diffie-Hellman and Dr. ElGamal are phantom poopers! They leave discreet logs!

## DES Modes of Operation
Most important thing here is to remember the order from weakest to strongest. No clear mnemonic to do this. My approach:
* Remember the first and the last.
* The center 3 are alphabetical by name and/or abbreviation.


1. ECB - Electronic Codebook (also the only one that doesn't use an initialization vector; identical plaintext blocks produce identical ciphertext blocks, so patterns in the data leak)
2. CBC - Cipher Block Chaining
3. CFB - Cipher Feedback
4. OFB - Output Feedback Mode
5. CTR - Counter


## Cloud Computing Operating Model
IaaS, PaaS, SaaS - [Remember Pizza as a Service](https://medium.com/@pkerrison/pizza-as-a-service-2-0-5085cd4c365e). The further you move from IaaS to SaaS, the more the provider manages and the less you control (and the less you can secure yourself).

# Domain 7: Security Operations
## Fire Classes and Extinguisher Types
|Type |Mnemonic     |Description                               |
|-----|-------------|------------------------------------------|
|A    |Ash          |Ordinary solid combustibles (wood, paper) |
|B    |Boil, Bubble |Flammable liquids and gases               |
|C    |Circuits     |Electrical equipment                      |
|D    |Dent         |Combustible metals                        |
|K    |Kitchen      |Cooking oils and fats                     |

# Domain 8: Software Development Security
## Ring computing model

Remember "Zero KODU". Ring 0 is the most privileged; each ring outward is less trusted, and code in an outer ring must go through a controlled gate (a system call) to use the services of an inner ring.

|Layer |Purpose              |
|---   |---                  |
|0     |**K**ernel           |
|1     |**O**perating System |
|2     |**D**rivers          |
|3     |**U**ser             |
--------------------------------------------------------------------------------
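Returning to the Bell-LaPadula and Biba rules from Domain 3 above, here is an added example (not code from these notes) of a tiny reference monitor that enforces both models at once. Every subject and object carries a confidentiality label and a separate integrity label; the lattice names, the `Label` class and the `check` function are assumptions made for this illustration. Running it shows something the table alone does not: a system that enforces both models lets a subject read and write only objects at exactly its own levels.

```python
# Added example, not from the original notes: Bell-LaPadula + Biba enforcement.
# Labels, level names and the Monitor-style helpers are assumptions for the demo.
from dataclasses import dataclass

# Ordered lattices: a higher index dominates a lower one.
CONF_LEVELS = ["unclassified", "confidential", "secret", "top_secret"]
INTEG_LEVELS = ["untrusted", "user", "system"]


@dataclass(frozen=True)
class Label:
    conf: str    # Bell-LaPadula clearance / classification
    integ: str   # Biba integrity level


def bell_lapadula_allows(subject: Label, obj: Label, op: str) -> bool:
    """Confidentiality: no read up (simple security), no write down (*-property)."""
    s, o = CONF_LEVELS.index(subject.conf), CONF_LEVELS.index(obj.conf)
    if op == "read":
        return s >= o        # may read at or below own clearance
    if op == "write":
        return s <= o        # may write at or above own clearance
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Integrity: no read down (simple integrity), no write up (*-integrity)."""
    s, o = INTEG_LEVELS.index(subject.integ), INTEG_LEVELS.index(obj.integ)
    if op == "read":
        return s <= o        # may only read data at least as trustworthy as itself
    if op == "write":
        return s >= o        # may only write to data no more trustworthy than itself
    raise ValueError(f"unknown operation {op!r}")


def check(subject: Label, obj: Label, op: str) -> dict:
    """Evaluate both models; a system enforcing both permits only if both do."""
    blp = bell_lapadula_allows(subject, obj, op)
    bib = biba_allows(subject, obj, op)
    return {"bell_lapadula": blp, "biba": bib, "both": blp and bib}


# Constructed sample subjects and objects (not from any real system).
ANALYST = Label(conf="secret", integ="user")
TS_REPORT = Label(conf="top_secret", integ="system")
PUBLIC_NOTE = Label(conf="unclassified", integ="untrusted")
PEER_FILE = Label(conf="secret", integ="user")

if __name__ == "__main__":
    for name, obj in [("ts_report", TS_REPORT), ("public_note", PUBLIC_NOTE),
                      ("peer_file", PEER_FILE)]:
        for op in ("read", "write"):
            print(f"{op:5} {name:12} -> {check(ANALYST, obj, op)}")
```

The analyst can read the public note under Bell-LaPadula (read down is fine for secrecy) but Biba refuses it (reading untrusted data would contaminate the analyst's integrity), and the mirror image happens for writing the top-secret report. Only the peer file at the analyst's own levels passes both checks.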
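Returning to the DES modes of operation in Domain 4 above, here is an added example (not code from these notes) that shows concretely why ECB is the weakest mode and how CBC and CTR avoid the problem. The 16-byte block cipher inside it is a stand-in, a 4-round Feistel network with an HMAC-SHA256 round function, chosen only so the example runs offline with the Python standard library; it is not DES or AES and is an assumption of this demo. The ECB, CBC and CTR mode logic is the genuine construction and would work unchanged over a real block cipher.

```python
# Added example, not from the original notes: ECB vs CBC vs CTR over a toy cipher.
# The Feistel "block cipher" below is a stand-in (assumption), NOT DES or AES.
import hashlib
import hmac

BLOCK = 16
HALF = BLOCK // 2
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, r: int, half: bytes) -> bytes:
    """Feistel round function: F(key, round number, half block) -> HALF bytes."""
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:HALF]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy keyed permutation of one 16-byte block (stand-in cipher)."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for r in range(ROUNDS):
        left, right = right, _xor(left, _round(key, r, right))
    return right + left   # final swap, standard Feistel output


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt: undo the swap, run the rounds backwards."""
    assert len(block) == BLOCK
    right, left = block[:HALF], block[HALF:]
    for r in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, r, left)), left
    return left + right


def pad(data: bytes) -> bytes:
    """PKCS#7 padding to a whole number of blocks (block modes need it)."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data: bytes):
    return (data[i:i + BLOCK] for i in range(0, len(data), BLOCK))


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    """ECB: each block encrypted independently, no IV. Equal plaintext blocks
    give equal ciphertext blocks, so the structure of the data leaks."""
    return b"".join(block_encrypt(key, b) for b in _blocks(pad(pt)))


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return unpad(b"".join(block_decrypt(key, b) for b in _blocks(ct)))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """CBC: XOR each plaintext block with the previous ciphertext block (the IV
    for the first one) before encrypting, so repeated blocks are masked."""
    out, prev = [], iv
    for b in _blocks(pad(pt)):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for b in _blocks(ct):
        out.append(_xor(block_decrypt(key, b), prev))
        prev = b
    return unpad(b"".join(out))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: encrypt nonce||counter to build a keystream and XOR it with the data.
    No padding, encrypt == decrypt, only the forward cipher direction is needed.
    Never reuse a (key, nonce) pair: two messages would share a keystream."""
    out = []
    for i, b in enumerate(_blocks(data)):
        keystream = block_encrypt(key, nonce + i.to_bytes(8, "big"))
        out.append(_xor(b, keystream))   # zip truncates for a short last block
    return b"".join(out)


def distinct_blocks(ct: bytes) -> int:
    """Number of different ciphertext blocks; a low count means pattern leakage."""
    return len(set(_blocks(ct)))


# Constructed sample inputs (not from any real system).
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
IV = bytes(range(16))
NONCE = b"\x00" * 8
PT = b"ATTACK AT DAWN!!" * 8   # eight identical 16-byte plaintext blocks

if __name__ == "__main__":
    print("ECB distinct blocks:", distinct_blocks(ecb_encrypt(KEY, PT)))        # 2
    print("CBC distinct blocks:", distinct_blocks(cbc_encrypt(KEY, IV, PT)))    # 9
    print("CTR distinct blocks:", distinct_blocks(ctr_crypt(KEY, NONCE, PT)))  # 8
```

With eight identical plaintext blocks, ECB produces only two distinct ciphertext blocks (the repeated block plus the padding block), so anyone holding the ciphertext can see the repetition; CBC and CTR produce a different ciphertext block for every position. That is the whole reason ECB sits at the bottom of the list.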