
20 things you have to know once you got CISSP

Whether you have just earned your CISSP or are still gearing up to tackle cybersecurity like a pro, it is time to get technical. Below are 20 rules, concepts, and standards, each with a technique, an example, and (where it helps) a command or visual to make it stick, so you can secure systems and teach others.

1. Use Strong Cryptographic Standards

  • Rule: Mandate RSA keys of at least 2048 bits (or 256-bit ECC), SHA-256 or stronger for hashing and signatures, and AES-256 encryption. Ban SHA-1, MD5, and 3DES (and RC4).
  • Technique: Check certs with openssl x509 -in cert.pem -text -noout | grep "Public-Key"; if it reports fewer than 2048 bits, regenerate the key. The "Signature Algorithm" line of the same output tells you whether the cert is still SHA-1-signed.
  • Example: A site whose certificate is signed with SHA-1 risks forged certs (practical collisions exist, and browsers reject SHA-1 signatures). Replace the key with openssl genrsa -out key.pem 2048 and have the new certificate signed with SHA-256.
[Figure: RSA 2048-bit key components; prime p, 128 bytes (1024 bits), shown as a hex dump]

2. Implement Least Privilege

  • Concept: Restrict each role's access to the minimum it needs to do its job.
  • Technique: Use chmod 600 on Linux files, or icacls "file" /grant user:r on Windows (icacls grants are additive, so check the resulting ACL with icacls "file" afterwards).
  • Example: A junior admin shouldn't have root; run sudo -l to audit what the current account can do (sudo -l -U name for another user).

Apply chmod 600:

```bash
chmod 600 private_key.pem
```

Verify the change:

```bash
ls -l private_key.pem
```

Output now:

```
-rw-------  1 user user  1679 Mar 28 12:00 private_key.pem
```

3. Enforce Multi-Factor Authentication (MFA)

  • Standard: NIST SP 800-63B: privileged access should be at AAL2 or higher, which means multi-factor authentication.
  • Technique: Set up Duo with PAM on Linux (module settings live in /etc/duo/pam_duo.conf); keep a break-glass path so a Duo outage does not lock out every admin.
  • Example: Enable MFA on AWS IAM (for the root user first). A phished or reused password then no longer grants console access by itself.

4. Patch Systems Regularly

  • Rule: Patch critical vulnerabilities within 7 days, others within 30.
  • Technique: Automate with yum update -y --security (RHEL/CentOS 7; dnf on RHEL 8+) or WSUS Offline Update (wsusoffline) for Windows hosts that cannot reach WSUS or Windows Update.
  • Example: WannaCry hit unpatched Windows hosts (MS17-010, SMBv1). Find stragglers with nmap -p445 --script smb-vuln-ms17-010, then patch and disable SMBv1 (see 12).

5. Segment Your Network

  • Concept: Use VLANs or subnets to isolate traffic, and enforce policy where the segments meet: a VLAN alone only separates broadcast domains, so the router or firewall between them still needs ACLs.
  • Technique: Put guests in VLAN 10 with switchport access vlan 10 on the access port (Cisco), then deny guest-to-server traffic on the inter-VLAN interface.
  • Example: A breached IoT camera on 192.168.1.0/24 shouldn't be able to reach servers on 10.0.0.0/16; if the inter-VLAN ACL allows it, the segmentation is cosmetic.

6. Don't Rely Solely on Firewalls

  • Rule: Layer defenses beyond firewalls; add IDS/IPS and endpoint protection, because the firewall must allow the very channels (web, email) that attackers use for delivery.
  • Technique: Deploy Snort (snort -c snort.conf) alongside iptables.
  • Example: The firewall blocked inbound port 80, but a phishing email still dropped malware on a workstation; only endpoint detection and response (CrowdStrike, for example) sees that.

7. Adopt Zero Trust Architecture

  • Concept: Verify every request on user, device and context; no implicit trust for traffic just because it arrives from the internal network or a VPN.
  • Technique: Use nginx with client certificate auth for API access: ssl_client_certificate points at the CA bundle, and ssl_verify_client on actually enforces the check (without it the first directive does nothing).
  • Example: Google's BeyondCorp replaced VPN access with per-request user and device checks; an identity provider such as Okta gives you the same per-session policy for SaaS and internal apps.

8. Encrypt Data at Rest and in Transit

  • Standard: NIST SP 800-111 (storage encryption) for data at rest, TLS for data in transit: encrypt everything that leaves a trusted boundary or sits on media you don't physically control.
  • Technique: Use gpg -c file.txt for individual files (symmetric, passphrase-based); enforce TLS 1.3 in Apache with SSLProtocol -all +TLSv1.3 (mod_ssl; SSLEnabledProtocols is Tomcat's connector setting, not an Apache directive).
  • Example: An S3 bucket leaked 1M records. Enable server-side encryption (AES-256, aws s3api put-bucket-encryption), but note that SSE protects the storage media, not a bucket that is publicly readable: fix the bucket policy and turn on Block Public Access too, or the data still leaks in the clear.

9. Conduct Regular Risk Assessments

  • Rule: Follow ISO 27001: assess risks at planned intervals (yearly at minimum) and after significant change.
  • Technique: Use OpenVAS/Greenbone to scan for vulnerabilities (openvas-start on legacy installs, gvm-start on current Greenbone Community Edition).
  • Example: A legacy server on 10.1.1.5 still offered SSH protocol 1, spotted via nmap -sV, which reports the protocol version in the service banner.

10. Train Employees on Security Awareness

  • Concept: Educate to stop social engineering.
  • Technique: Simulate phishing with gophish—track click rates.
  • Example: A fake “IT reset” email fooled 30%—post-training, it dropped to 5%.

11. Monitor Logs Continuously

  • Standard: NIST SP 800-92: centralize logs and analyze them, with defined retention and clock sync (NTP) so events from different hosts line up.
  • Technique: Ship logs to ELK with Filebeat: filebeat setup -e loads the index templates and dashboards; the actual shipping is configured in filebeat.yml (the system module covers auth.log) and started with systemctl start filebeat.
  • Example: Failed logins spiked (grep "Failed" /var/log/auth.log); counting them per source IP exposed a brute-force attack.
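
The grep above shows that something is happening; the detection needs to say who and how fast. The following script is an added example (not from the article): it parses constructed sshd lines in auth.log format, groups failures by source IP, and raises an alert when a source exceeds a threshold inside a sliding time window. The host names, IPs and user names in the sample are made up; the threshold and window are assumptions you tune to your environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/auth.log (not from a real host; hosts, IPs and users are made up).
SAMPLE_AUTH_LOG = """\
Mar 28 12:00:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 28 12:00:02 web1 sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Mar 28 12:00:03 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar 28 12:00:04 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 51049 ssh2
Mar 28 12:00:05 web1 sshd[2209]: Failed password for root from 203.0.113.7 port 51057 ssh2
Mar 28 12:00:06 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51063 ssh2
Mar 28 12:00:30 web1 sshd[2215]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Mar 28 12:03:10 web1 sshd[2230]: Failed password for alice from 198.51.100.20 port 40110 ssh2
Mar 28 12:03:15 web1 sshd[2232]: Accepted password for alice from 198.51.100.20 port 40111 ssh2
"""

# One sshd "Failed password" line; "invalid user" appears when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_failures(text):
    """Return [(timestamp, source_ip, username)] for every failed-password line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # Syslog timestamps carry no year; strptime defaults to 1900, which is fine
            # for deltas inside one file (a year boundary would need extra handling).
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events.append((ts, m.group("ip"), m.group("user")))
    return events


def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failures inside any window_seconds span.

    Returns {ip: (max_failures_in_one_window, sorted usernames tried)}.
    A sliding window over each source's sorted events keeps this linear per source.
    """
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(text):
        by_ip[ip].append((ts, user))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(ip, (0, []))[0]:
                users = sorted({u for _, u in events[start:end + 1]})
                alerts[ip] = (count, users)
    return alerts


if __name__ == "__main__":
    for ip, (count, users) in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"ALERT {ip}: {count} failed logins in 60s, users tried: {', '.join(users)}")
```

On the sample, 203.0.113.7 trips the alert (six failures in five seconds across admin, oracle and root) while 198.51.100.20's single typo before a successful login does not. Feed it the real file with `detect_bruteforce(open("/var/log/auth.log").read())`; the alert's IP is what you hand to the containment rule in section 16.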

12. Harden Systems by Default

  • Rule: Lock down configs (CIS Benchmarks) before a host goes into service, not after.
  • Technique: Disable SMBv1 with Set-SmbServerConfiguration -EnableSMB1Protocol $false (PowerShell).
  • Example: An open port 23 (telnet) found via netstat -tuln (or ss -tuln on newer distros); shut it with systemctl disable --now telnet.socket and remove the package so it cannot come back.

13. Backup Critical Data

  • Standard: 3-2-1: 3 copies, on 2 different media, 1 offsite; plus at least one copy that the production credentials cannot delete or overwrite (offline, or S3 with versioning and Object Lock), since ransomware goes for reachable backups first.
  • Technique: Use rsync -av /data /backup locally and aws s3 sync /backup s3://mybucket offsite; test a restore on a schedule, not just the backup job.
  • Example: Ransomware encrypted /data; restored from the offsite S3 copy in 2 hours.

14. Use Secure Development Practices

  • Concept: Code securely (OWASP Top 10): validate input at the boundary, and encode or parameterize at each sink.
  • Technique: Encode output with htmlspecialchars() in PHP to stop XSS; it is output encoding at the HTML sink, not input sanitization, so apply it where data is written into the page.
  • Example: SQL injection (' OR 1=1 in the username field) hit a login form; fixed with prepared statements ($stmt->bind_param), so user input can never change the query's structure.
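
To make both fixes concrete, here is an added example (mine, not the article's PHP) in Python with an in-memory SQLite table: the string-built login query beside its parameterized form, and raw HTML output beside the escaped form. The users table and hashes are constructed sample data, and the classic payload gets a trailing comment (`' OR 1=1 --`) so the injected query parses; real applications would verify the password with a slow KDF such as argon2 rather than compare a stored hash in SQL.

```python
import html
import sqlite3


def make_db():
    """In-memory SQLite with a constructed users table (sample data, not a real app)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash_of_alice_pw"), ("bob", "hash_of_bob_pw")])
    return conn


def login_vulnerable(conn, username, password_hash):
    """The bug: user input is spliced into SQL text, so it can rewrite the query."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password_hash = '{password_hash}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password_hash):
    """The fix: a parameterized query; the driver passes the payload as a plain string value."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash),
    ).fetchone()
    return row[0] if row else None


def render_greeting_vulnerable(name):
    """XSS: untrusted text dropped straight into HTML."""
    return f"<p>Hello, {name}</p>"


def render_greeting_safe(name):
    """Output encoding at the HTML sink (html.escape is Python's htmlspecialchars())."""
    return f"<p>Hello, {html.escape(name)}</p>"


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR 1=1 --"   # tautology; the comment discards the rest of the WHERE clause
    print("vulnerable:", login_vulnerable(conn, payload, "x"))  # logs in as the first user
    print("safe:      ", login_safe(conn, payload, "x"))        # None: no such username
    print(render_greeting_vulnerable("<script>alert(1)</script>"))
    print(render_greeting_safe("<script>alert(1)</script>"))
```

The vulnerable query becomes `... WHERE username = '' OR 1=1 --' AND password_hash = 'x'`, which SQLite evaluates as "any row", so the attacker is logged in as alice without a password. The parameterized version looks for a user literally named `' OR 1=1 --` and finds none. The same sink rule applies to XSS: escape when writing into HTML, not when reading the form field.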

15. Limit Third-Party Risks

  • Rule: Audit vendors; require SOC 2 (Type II) reports and read the exceptions, not just the cover letter.
  • Technique: Scan the vendor-facing IPs with nmap -A for open ports, but only with written authorization from the vendor; scanning someone else's systems without it is a contractual and legal problem.
  • Example: A vendor's FTP (port 21, credentials and data in the clear) leaked data; pushed them to SFTP.

16. Prepare an Incident Response Plan

  • Standard: NIST SP 800-61: define the IR steps (preparation; detection and analysis; containment, eradication and recovery; lessons learned) before you need them.
  • Technique: Script containment (iptables -A INPUT -s <attacker_ip> -j DROP) so the first responder is not composing rules by hand under pressure.
  • Example: A DDoS hit; tcpdump -i eth0 identified the traffic and it was blocked in 10 minutes. A single-source flood can be dropped at the host; a genuinely distributed one needs upstream filtering from your provider.

17. Avoid Single Points of Failure

  • Concept: Build redundancy into systems, and test the failover; an untested replica is a single point of failure with extra steps.
  • Technique: Set up HAProxy (frontend http with bind *:80) to balance load across several backends.
  • Example: One DB server crashed; the replica (mysql> SHOW SLAVE STATUS, or SHOW REPLICA STATUS on MySQL 8.0.22+) saved the day.

18. Comply with Relevant Regulations

  • Rule: Map controls to GDPR, HIPAA, etc., and know which data is in scope before you audit.
  • Technique: Audit data with find / -name "*.xlsx" -perm -o=r to locate world-readable spreadsheets (adjust -name to the file types that hold PII).
  • Example: A GDPR fine was avoided: secrets in playbooks were protected with ansible-vault encrypt, and the PII itself encrypted at rest (see 8). ansible-vault covers Ansible variable files, not database contents.
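
The find command here and the chmod 600 in section 2 are two halves of one job: locate files that grant read to everyone, then lock them down. The script below is an added example (not from the article) that does both in Python so it can be dropped into a scheduled check: it walks a tree, reports regular files whose mode has the other-read bit set (what `-perm -o=r` matches), applies owner-only permissions, and re-audits. The directory and file names are constructed in a temporary directory; the suffix filter and 0o600 target are assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path


def world_readable_files(root, suffixes=None):
    """Paths under root whose mode grants read to 'other' (what `find -perm -o=r` matches).

    suffixes: optional set such as {".xlsx", ".pem"} to narrow the search, as the
    article's find command does with -name.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if suffixes and path.suffix.lower() not in suffixes:
                continue
            mode = path.lstat().st_mode          # lstat: do not follow symlinks
            if stat.S_ISREG(mode) and mode & stat.S_IROTH:
                hits.append(path)
    return sorted(hits)


def lock_down(path, mode=0o600):
    """Apply chmod 600 (owner read/write only) and return the resulting permission bits."""
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Build a constructed tree, audit it, fix it, re-audit; returns the three results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hr").mkdir()
        exposed_sheet = root / "hr" / "salaries.xlsx"   # constructed: PII spreadsheet
        exposed_key = root / "private_key.pem"          # constructed: private key
        already_private = root / "notes.xlsx"           # constructed: already locked down
        for p in (exposed_sheet, exposed_key, already_private):
            p.write_bytes(b"constructed sample content")
        os.chmod(exposed_sheet, 0o644)    # world-readable: finding
        os.chmod(exposed_key, 0o644)      # world-readable private key: finding
        os.chmod(already_private, 0o600)  # owner-only: no finding

        before = [p.name for p in world_readable_files(root)]
        fixed = {p.name: lock_down(p) for p in world_readable_files(root)}
        after = [p.name for p in world_readable_files(root)]
        return before, fixed, after


if __name__ == "__main__":
    before, fixed, after = demo()
    print("exposed before:", before)
    print("modes after chmod 600:", {k: oct(v) for k, v in fixed.items()})
    print("exposed after:", after)
```

Run against a real tree with `world_readable_files("/srv", {".xlsx", ".csv", ".pem"})` and review the list before calling `lock_down` on anything: some world-readable files (system libraries, public web content) are meant to be that way, which is why the audit and the fix are separate functions.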

19. Secure Cloud Environments

  • Standard: CSA CCM: lock down cloud configs, starting with identity and network exposure.
  • Technique: Enable MFA on AWS (aws iam enable-mfa-device) for every human user, the root account first.
  • Example: A security group with port 22 open to 0.0.0.0/0 found with aws ec2 describe-security-groups; restricted to the VPN's egress CIDR.
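
Reading describe-security-groups output by eye does not scale past a handful of groups. The script below is an added example (not from the article or AWS) that loads JSON in the shape that command emits, and reports every rule admitting world traffic (0.0.0.0/0 or ::/0) to a management port, including the easy-to-miss "all traffic" rules (IpProtocol -1). The group IDs and rules are constructed, and the list of admin ports is an assumption to extend for your environment.

```python
import json

# Constructed JSON in the shape of `aws ec2 describe-security-groups --output json`,
# trimmed to the fields this check reads (not from a real account; group IDs are made up).
SAMPLE_DESCRIBE_SGS = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0123456789abcdef0", "GroupName": "web", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-0fedcba9876543210", "GroupName": "db", "IpPermissions": [
     {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
     {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [], "Ipv6Ranges": [],
      "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]}]},
  {"GroupId": "sg-0aaaaaaaaaaaaaaaa", "GroupName": "bastion", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "corp VPN egress"}],
      "Ipv6Ranges": [], "UserIdGroupPairs": []}]}
]}
""")

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
# Management ports that should never be reachable from the whole internet (assumed list; extend it).
ADMIN_PORTS = {22: "ssh", 445: "smb", 3306: "mysql", 3389: "rdp", 5432: "postgres", 5900: "vnc"}


def rule_covers_port(perm, port):
    """True if an ingress rule admits TCP traffic to `port` (IpProtocol -1 means all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def world_open_findings(data, admin_ports=ADMIN_PORTS):
    """Return [(group_id, group_name, port, service, world_cidrs)] for each admin port open to the world."""
    findings = []
    for sg in data["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = tuple(sorted(c for c in cidrs if c in WORLD_CIDRS))
            if not world:
                continue  # scoped to specific CIDRs or to other security groups: fine
            for port, service in sorted(admin_ports.items()):
                if rule_covers_port(perm, port):
                    findings.append((sg["GroupId"], sg["GroupName"], port, service, world))
    return findings


if __name__ == "__main__":
    for gid, name, port, service, world in world_open_findings(SAMPLE_DESCRIBE_SGS):
        print(f"{gid} ({name}): {service}/{port} open to {', '.join(world)}")
```

On the sample it flags ssh on the web group and every admin port on the db group (the "all traffic from ::/0" rule), and stays quiet about the bastion, whose port 22 is scoped to the VPN range, and about the db group's MySQL rule, which is scoped to another security group. Run it on real output with `world_open_findings(json.load(open("sgs.json")))` after `aws ec2 describe-security-groups --output json > sgs.json`, and remediate each finding with aws ec2 revoke-security-group-ingress followed by a rule limited to your VPN CIDR.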

20. Stay Ahead of Emerging Threats

  • Concept: Track AI-assisted attacks and quantum risks ("harvest now, decrypt later" against today's RSA and ECDH key exchange).
  • Technique: Test post-quantum key exchange, not just cipher suites: TLS_AES_256_GCM_SHA384 (openssl s_client -ciphersuites TLS_AES_256_GCM_SHA384) is a classical TLS 1.3 suite, and the quantum-relevant part is the key exchange group, which needs an OpenSSL build with ML-KEM support (3.5 and later offer hybrid groups such as X25519MLKEM768 via the -groups option).
  • Example: AI-generated phishing bypassed keyword filters; the detection model was retrained with tensorflow on the new samples.
