2024 CISSP Workbook Contents
© Destination Certification Inc.

Domain 1 ..... 24
  1.1 Understand, adhere to, and promote professional ethics ..... 25
    What are ethics based on? ..... 25
    How can an organization have consistent ethics? ..... 25
    (ISC)2 Code of Ethics Preamble ..... 25
    (ISC)2 Code of Ethics Canons ..... 25
  1.2 Understand and apply security concepts ..... 26
    Goals of Information Security ..... 26
    Confidentiality ..... 26
    Integrity ..... 26
    Availability ..... 26
    Authenticity ..... 26
    Non-repudiation ..... 26
    5 Pillars of Information Security ..... 26
  1.3 Evaluate, apply and sustain security governance principles ..... 27
    How do we align the security function to business strategy, goals, mission, and objectives? ..... 27
    Alignment of security function to business strategy, goals, mission, and objectives ..... 27
    For security to be effective, it is imperative that? ..... 27
    Accountability vs. Responsibility ..... 27
    Security roles & responsibilities ..... 28
    Who is ultimately accountable for security? ..... 28
    Who is specifically responsible for security? ..... 28
    Due care and due diligence ..... 28
  1.4 Understand legal, regulatory and compliance issues that pertain to information security in a holistic context ..... 29
    Cyber crimes and data breaches ..... 29
    Licensing and intellectual property requirements ..... 29
    Import/export controls ..... 30
    ITAR & EAR ..... 30
    Wassenaar Arrangement ..... 30
    Trans-border data flow ..... 30
    Data residency (data localization) ..... 30
    Privacy ..... 30
    Sensitive data ..... 30
    Personal Data ..... 31
    Privacy roles & responsibilities ..... 31
    Privacy requirements ..... 31
    OECD Privacy Guidelines ..... 32
    Organizations cannot achieve privacy without? ..... 32
    Privacy Impact Assessment (PIA) ..... 32
    Typical elements of a PIA ..... 32
    Compliance ..... 33
    Contractual, legal, industry standards, and regulatory requirements ..... 33
  1.5 Understand requirements for investigation types ..... 34
  1.6 Develop, document, and implement security policy, standards, procedures, and guidelines ..... 35
    Policies are ultimately? ..... 35
    Perfect Model for Security ..... 35
    Policies, Standards, Procedures, Baselines & Guidelines ..... 36
  1.7 Identify, analyze, assess, prioritize and implement Business Continuity (BC) requirements ..... 37
  1.8 Contribute to and enforce personnel security policies and procedures ..... 38
    Candidate screening and hiring ..... 38
    Employment agreements and policies ..... 38
    Personnel security controls ..... 38
    Onboarding and termination processes ..... 39
    Vendor, consultant, and contractor agreements and controls ..... 39
    Reasonable expectation of privacy ..... 39
    Privacy policy requirements ..... 39
  1.9 Understand and apply risk management concepts ..... 40
    Risk ..... 40
    Risk Management Process ..... 40
    Asset valuation ..... 40
    Risk Analysis ..... 41
    Risk analysis key factors ..... 41
    Threats & Vulnerabilities ..... 41
    Identify threats & vulnerabilities ..... 42
    Qualitative & quantitative analysis ..... 42
    Quantitative risk calculation (ALE, SLE, Asset value, Exposure factor & ARO) ..... 43
    Risk response / treatment ..... 44
    Cybersecurity Insurance ..... 44
    Types of controls ..... 44
    Countermeasure selection and implementation ..... 45
    Control types ..... 45
    Functional & Assurance ..... 45
    Risk Management Terms ..... 46
    How much security is enough? ..... 46
    Selecting controls ..... 46
    Continuous improvement ..... 47
    Risk management supply chain ..... 47
    Risk Frameworks ..... 47
    NIST 800-37 – Risk Management Framework (RMF) Steps ..... 47
  1.10 Understand and apply threat modeling concepts and methodologies ..... 48
    Threat modeling ..... 48
    STRIDE ..... 48
    PASTA ..... 49
    DREAD ..... 49
    Social Engineering ..... 50
  1.11 Apply Supply Chain Risk Management (SCRM) concepts ..... 51
    What can companies acquire? ..... 51
    Risks associated with hardware, software, and service ..... 51
    Minimum security requirements ..... 51
    Service Level Requirements (SLR) ..... 51
    Service Level Agreement (SLA) ..... 51
    Service Level Report ..... 51
    Third-party assessment and monitoring ..... 51
    Risks associated with the acquisition of products and services ..... 52
    Risk mitigations ..... 52
  1.12 Establish and maintain a security awareness, education, and training program ..... 53
    Who is responsible for security? ..... 53
    Awareness, training & education ..... 53
    Methods and techniques to present awareness and training ..... 53
    Prioritization of topics ..... 53
    Periodic content reviews ..... 53
    Program effectiveness evaluation ..... 53

Domain 2 ..... 54
  2.1 Identify and classify information and assets ..... 55
    Data Classification ..... 55
    Information classification benefits ..... 55
    Who determines classification? ..... 55
    Classification process ..... 55
    Classification vs. Categorization ..... 56
    Classification examples ..... 56
    Labeling & Marking ..... 56
    Labeling methods ..... 56
  2.2 Establish information and asset handling requirements ..... 57
    Handling requirements ..... 57
    Media handling ..... 57
    Media storage ..... 57
    Media retention & destruction ..... 57
  2.3 Provision information and assets securely ..... 58
    Who is the data owner? ..... 58
    Data classification policy ..... 58
    Information classification policy considerations ..... 58
  2.4 Manage data lifecycle ..... 59
    Data roles ..... 59
    Data life cycle ..... 59
    What is Data Remanence? ..... 60
    Categories of sanitization ..... 60
    Data deletion methods ..... 61
    Object Reuse ..... 62
    Solid State Drives data destruction ..... 62
    Encryption ..... 62
  2.5 Ensure appropriate asset retention ..... 63
    How do we keep data for a long time? ..... 63
    Data archiving ..... 63
    Data archiving policies ..... 63
  2.6 Determine data security controls and compliance requirements ..... 64
    Best way to ensure data receives appropriate protection based on classification? ..... 64
    Methods for protecting data ..... 64
    What is data at Rest? ..... 64
    Protecting data at Rest ..... 64
    What is data in Transit? ..... 64
    Protecting data in Transit ..... 64
    End-to-end encryption ..... 65
    Link encryption ..... 65
    Onion network ..... 65
    Information obfuscation methods ..... 66
    Data protection methods ..... 66

Domain 3 ..... 67
  3.1 Research, implement and manage engineering processes using secure design principles ..... 69
    Security’s involvement in building anything ..... 69
    How do we know what security controls to include at each phase? ..... 69
    Secure design principles ..... 69
    Keep it simple ..... 69
    Zero Trust ..... 69
    Principles for zero trust ..... 70
    Trust but verify ..... 70
    Privacy by Design ..... 70
    Shared responsibility ..... 71
    Cyber Kill / Attack Chain ..... 71
  3.2 Understand the fundamental concepts of security models ..... 72
    What is a model? ..... 72
    Concept of security ..... 72
    Enterprise Security Architecture ..... 72
    3 major Enterprise Security Architectures ..... 73
    Security Models ..... 73
    Bell-LaPadula ..... 74
    Biba ..... 74
    Lipner implementation ..... 75
    Information flow ..... 75
    Covert channels ..... 75
    Clark-Wilson: 3 Goals of Integrity ..... 75
    Clark-Wilson: 3 Rules ..... 75
    Brewer-Nash (The Chinese Wall) Model ..... 76
    Graham–Denning Model ..... 76
    Harrison–Ruzzo–Ullman Model ..... 76
    Evaluation Criteria ..... 76
    Certification and accreditation ..... 76
    Orange Book / Trusted Computer System Evaluation Criteria (TCSEC) ..... 77
    Orange Book Evaluation Criteria ..... 77
    Information Technology Security Evaluation Criteria (ITSEC) ..... 77
    ITSEC (Assurance) E Levels ..... 77
    Common Criteria ..... 78
    Common Criteria Process ..... 78
    Common Criteria EAL levels ..... 79
  3.3 Select controls based upon systems security requirements ..... 80
    What do security control frameworks provide? ..... 80
    Security control frameworks ..... 80
    ISO 27001 ..... 81
    ISO 27000 family ..... 81
  3.4 Understand security capabilities of information systems ..... 82
    Subjects & objects ..... 82
    Reference Monitor Concept (RMC) ..... 82
    Security Kernel ..... 83
    3 principles of RMC & Security Kernel ..... 83
    Trusted Computing Base (TCB) ..... 83
    Processors ..... 84
    Processor States ..... 84
    Process Isolation ..... 84
    Secure Memory Management ..... 84
    Secure Memory Management vs. Memory Segmentation ..... 85
    Types of Storage ..... 85
    Virtual Memory ..... 85
    Firmware ..... 85
    System Kernel ..... 85
    Privilege Levels ..... 86
    Ring protection model ..... 86
    Middleware ..... 86
    Data Hiding ..... 87
    Virtualization ..... 87
    Layering / Defense in depth ..... 87
  3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements ..... 88
    Single point of failure ..... 88
    Reduce risk of single point of failure ..... 88
    Bypass controls ..... 88
    Reduce risk of bypass controls ..... 88
    Race conditions ..... 89
    Reduce risk of race conditions ..... 89
    Emanations ..... 89
    Reduce risk of emanations ..... 89
    Vulnerabilities in systems ..... 89
    Where is it hardest to detect vulnerabilities? ..... 89
    To protect anything: ..... 90
    Reduce risk in mobile-based systems ..... 90
    Reduce risk in client & server-based systems ..... 90
    OWASP ..... 90
    Mobile devices ..... 90
    Reduce risk of mobile devices & mobile workers ..... 90
    Mobile device policy ..... 91
    Remote access security ..... 91
    End-point security ..... 91
    Distributed systems ..... 91
    Grid computing ..... 91
    Data warehouse
..................................................................................................................................................92 Big Data ...............................................................................................................................................................92 Data mining / analytics ........................................................................................................................................92 Inference & aggregation ......................................................................................................................................92 Reduce risk of inference & aggregation ..............................................................................................................92 Industrial Control Systems (ICS) ..........................................................................................................................93 OT vs ICS ..............................................................................................................................................................93 © Destination Certification Inc. 
7 Types of ICS .........................................................................................................................................................93 Reduce risk in Industrial Control Systems ...........................................................................................................93 Internet of Things (IoT) ........................................................................................................................................93 Reduce risk of Internet of Things (IoT) ................................................................................................................93 Cloud Computing .................................................................................................................................................94 Characteristics of cloud computing .....................................................................................................................94 Cloud service models...........................................................................................................................................94 Cloud deployment models ..................................................................................................................................95 Virtual Private Cloud (VPC) ..................................................................................................................................95 Cloud computing roles ........................................................................................................................................95 Accountability vs. 
Responsibility .........................................................................................................................96 Compute ..............................................................................................................................................................96 Virtual Machines .................................................................................................................................................96 Hypervisor Types (VM Monitors) ........................................................................................................................97 Cloud VM forensics..............................................................................................................................................97 Containers ...........................................................................................................................................................97 Dividing up services .............................................................................................................................................97 Microservices ......................................................................................................................................................98 Serverless ............................................................................................................................................................98 Common cloud protocols ....................................................................................................................................98 Edge Computing ..................................................................................................................................................98 Secure Access Service Edge (SASE) ......................................................................................................................98 Embedded devices 
..............................................................................................................................................98 High Performance Computing .............................................................................................................................99 Cross Site Scripting (XSS) .....................................................................................................................................99 Types of XSS.......................................................................................................................................................100 Cross Site Request Forgery (CSRF) .....................................................................................................................100 XSS vs. CSRF .......................................................................................................................................................100 Structured Query Language (SQL) .....................................................................................................................101 SQL Injection......................................................................................................................................................101 SQL Commands .................................................................................................................................................101 SQL Injection code examples .............................................................................................................................101 Root of all evil is?...............................................................................................................................................102 Reduce risk of web-based vulnerabilities ..........................................................................................................102 3.6 Select and determine cryptographic solutions 
........................................................................................ 103 History of Cryptography ....................................................................................................................................103 Cryptographic evolution ....................................................................................................................................103 5 Services of Cryptography ................................................................................................................................104 Data protection .................................................................................................................................................104 Everyday uses of cryptography .........................................................................................................................104 8 © Destination Certification Inc. Cryptographic definitions ..................................................................................................................................105 Encryption / Decryption ....................................................................................................................................106 Key Space ..........................................................................................................................................................106 Methods of encryption ......................................................................................................................................106 Substitution .......................................................................................................................................................107 Transposition .....................................................................................................................................................107 Transposition: Rail Fence (zigzag) 
cipher...........................................................................................................107 Transposition ciphers ........................................................................................................................................107 Synchronous vs. asynchronous .........................................................................................................................108 Repeating patterns must be avoided ................................................................................................................108 Substitution patterns in monoalphabetic ciphers .............................................................................................109 Substitution - Polyalphabetic ciphers ................................................................................................................109 Substitution - Running key ciphers ....................................................................................................................109 Substitution - One-time pads ............................................................................................................................109 Stream vs. 
block ciphers ....................................................................................................................................110 Stream ciphers...................................................................................................................................................110 Block ciphers .....................................................................................................................................................110 Symmetric Block modes ....................................................................................................................................111 Which are faster: stream or block ciphers?.......................................................................................................111 Symmetric Cryptography ...................................................................................................................................112 Symmetric Algorithms .......................................................................................................................................112 DES / 3DES .........................................................................................................................................................113 Rijndael / Advanced Encryption Standard (AES) ...............................................................................................113 Out-of-band key distribution .............................................................................................................................113 Asymmetric Cryptography .................................................................................................................................114 Asymmetric Algorithms .....................................................................................................................................114 Hard math problems 
.........................................................................................................................................115 Diffie-Hellmann Key Exchange Protocol ............................................................................................................115 Hybrid Cryptography .........................................................................................................................................116 Steganography & null cipher .............................................................................................................................116 Message Integrity Controls ...............................................................................................................................117 Hashing functions ..............................................................................................................................................117 Hashing ..............................................................................................................................................................117 Key properties of hashing algorithms................................................................................................................117 Hashing Algorithms ...........................................................................................................................................117 Collisions............................................................................................................................................................117 Birthday Attack/Paradox ...................................................................................................................................118 Digital Signatures...............................................................................................................................................118 Services provided by Digital 
Signatures.............................................................................................................118 Creating Digital Signatures ................................................................................................................................118 © Destination Certification Inc. 9 Uses of Digital Signatures ..................................................................................................................................118 Code signing and validation...............................................................................................................................118 How can we be certain we have someone’s public key? ..................................................................................119 Digital Certificates .............................................................................................................................................119 Digital Certificate Standard ...............................................................................................................................120 Root of trust ......................................................................................................................................................120 Who issues certificates? 
....................................................................................................................................120 Digital Certificate Replacement & Revocation ..................................................................................................121 Revocation methods..........................................................................................................................................121 Certificate lifecycle ............................................................................................................................................121 Certificate Pinning .............................................................................................................................................121 Public Key Infrastructure ...................................................................................................................................122 Components of PKI ............................................................................................................................................123 MIME headers ...................................................................................................................................................124 S/MIME..............................................................................................................................................................124 Key Management ..............................................................................................................................................124 Kerckhoffs’s Principle ........................................................................................................................................124 Key management activities ...............................................................................................................................124 Key Creation 
......................................................................................................................................................124 Key Distribution .................................................................................................................................................124 Key Storage........................................................................................................................................................125 Key Rotation ......................................................................................................................................................125 Key Recovery .....................................................................................................................................................125 Key disposition / destruction.............................................................................................................................125 Putting it all together ........................................................................................................................................126 3.7 Understand methods of cryptanalytic attacks .................................................................................... 
127 Cryptanalysis .....................................................................................................................................................127 Types of Cryptanalysis attacks...........................................................................................................................127 What is the primary goal of Cryptanalytic attacks?...........................................................................................127 Brute force attack ..............................................................................................................................................127 Cryptanalytic attacks .........................................................................................................................................127 Linear & differential ..........................................................................................................................................127 Factoring............................................................................................................................................................127 Man-in-the-middle attack .................................................................................................................................128 Replay attack .....................................................................................................................................................128 Pass the Hash ....................................................................................................................................................128 Temporary files attack .......................................................................................................................................128 Implementation attacks ....................................................................................................................................128 Fault injection 
....................................................................................................................................................128 Side channel attacks ..........................................................................................................................................129 10 © Destination Certification Inc. Dictionary attacks ..............................................................................................................................................129 Rainbow tables ..................................................................................................................................................129 Reducing the risk of rainbow tables ..................................................................................................................129 Birthday attack ..................................................................................................................................................129 Kerberos exploitation ........................................................................................................................................129 Social engineering .............................................................................................................................................129 3.8 Apply security principles to site and facility design ................................................................................. 130 Goals of Physical Security ..................................................................................................................................130 Primary goal of physical security? 
.....................................................................................................................130 Physical security controls ..................................................................................................................................130 Threats to physical security ...............................................................................................................................130 Example physical security threats .....................................................................................................................130 Layered defense model .....................................................................................................................................130 Physical security systems and methods ............................................................................................................131 How do we decide which physical security controls to put in place? ...............................................................131 Risk Management Process.................................................................................................................................131 Security Survey ..................................................................................................................................................131 Site Planning ......................................................................................................................................................131 Higher Value Areas ............................................................................................................................................131 3.9 Design site and facility security controls ............................................................................................ 
132 Perimeter...........................................................................................................................................................132 Closed Circuit TV (CCTV) ....................................................................................................................................132 Passive infrared devices ....................................................................................................................................132 External Monitoring / Lighting ..........................................................................................................................132 Interior monitoring ............................................................................................................................................132 Doors .................................................................................................................................................................132 Interior Access Control (mantraps) ...................................................................................................................132 Locks ..................................................................................................................................................................133 What determines the security of a combination lock? 
... 133
    Card Access / Biometrics ... 133
    Windows ... 133
    Shock / glassbreak sensors ... 133
    Walls ... 134
    Intrusion Detection Systems ... 134
    Skimming ... 134
    Site Location ... 134
    Infrastructure Support Systems ... 134
    Power ... 134
    Uninterruptible Power Supply (UPS) ... 134
    Generators ... 135
© Destination Certification Inc.
    Power Outages & Degradation ... 135
    Heating, Ventilation & Air Conditioning (HVAC) ... 135
    Positive Pressurization ... 135
    Ideal Temperature & Humidity ... 135
    Fire ... 136
    Dealing with the Risk of Fire ... 136
    Fire Detectors ... 136
    Best way to prevent or limit damage from a fire? ... 136
    Water Based Fire Suppression Systems ... 136
    Gas Based Fire Suppression Systems ... 137
    Fire Extinguishers ... 137
  3.10 Manage the information system lifecycle ... 138
    Information System Lifecycle ... 138
Domain 4 ... 140
  4.1 Assess and implement secure design principles in network architectures ... 141
    What is a network? ... 141
    What is a protocol? ... 141
    What is the OSI Model? ... 141
    Open Systems Interconnection (OSI) Model ... 142
    OSI Model names ... 143
    Layer 1: Physical ... 143
    Transmission media ... 143
    Optical fiber ... 143
    Crosstalk ... 144
    Crosstalk is least of an issue with which media? ... 144
    Criteria for selecting media ... 144
    Network Topologies ... 145
    Planes ... 146
    Transmission Methods ... 146
    Dealing with collisions ... 148
    Layer 1 Devices ... 149
    Layer 2: Data Link ... 149
    Physical addressing ... 150
    Circuit Switched Network ... 150
    Transmission of digital data over analog connections ... 150
    Packet Switched Network ... 150
    Authentication Protocols ... 151
    Protected Extensible Authentication Protocol (PEAP) ... 151
    Common types of EAP ... 151
    Layer 2 Devices ... 152
    Layer 2 Protocols ... 152
    Layer 3: Network ... 153
    Internet Protocol (IP) ... 153
    Logical Addressing ... 153
    LAN technologies ... 153
    Internet Protocol v4 ... 154
    Internet Protocol v6 ... 154
    IPv4 vs. IPv6 ... 154
    Private IPv4 addresses ... 155
    Network Classes (subnetting) ... 155
    Layer 3 Protocols ... 155
    Layer 3 Devices ... 155
    Layer 4: Transport ... 156
    TCP & UDP ... 156
    TCP vs. UDP headers ... 156
    TCP 3-Way Handshake ... 157
    Ports ... 157
    Common Ports ... 157
    Layer 4 Protocols ... 157
    Layer 5: Session ... 158
    Layer 5 Protocols ... 158
    Layer 6: Presentation ... 158
    Layer 7: Application ... 159
    Layer 7 Protocols ... 159
    Secure Shell (SSH) ... 159
    Layer 7 Devices ... 160
    Convergence ... 160
    Converged protocols ... 160
    Voice ... 160
    Vishing ... 160
    Network Attack Phases ... 161
    Network attacks ... 161
    Passively Eavesdropping ... 161
    Actively Scanning Ports ... 161
    SYN Scanning ... 161
    SYN Flooding ... 162
    IP Based Attacks ... 162
    DoS & DDoS ... 163
    Man-in-the-Middle ... 163
    Spoofing ... 163
    Network Exploit Tools ... 163
    ARP Poisoning ... 164
    Wireless ... 164
    Wireless Radio Spectrum ... 164
    Wireless Technologies ... 165
    Wireless Network Architecture ... 165
    Radio Frequency Management ... 165
    802.11 wireless ... 166
    Wireless LAN Security Mechanisms ... 166
    802.11 Security Solutions ... 166
    Wireless Authentication ... 166
    Wireless Encryption ... 166
    Wireless Integrity Protection ... 166
    TKIP ... 167
    5G ... 167
    Common Tools ... 167
    Virtual Local Area Network (VLAN) ... 168
    Software-Defined Networks ... 168
    SDN architecture ... 168
    Third-party connectivity ... 169
    Wide Area Networks (WAN) ... 169
    Wide Area Network (WAN) Technology ... 169
    Monitoring and management ... 170
  4.2 Secure network components ... 171
    Defense in Depth ... 171
    Partitioning ... 171
    Network Perimeter ... 171
    Logical segmentation ... 171
    Network Segmentation ... 172
    Bastion Host ... 172
    Network Segment / Subdomain Isolation ... 173
    Proxy ... 173
    NAT & PAT ... 173
    Private Addresses ... 173
    What is a firewall? ... 174
    Firewall Technologies ... 174
    Standard Firewall Architectures ... 175
    Data inspection ... 177
    Data Inspection Applications ... 177
    IDS & IPS ... 177
    Network based vs. Host based ... 177
    IDS/IPS Network Architecture ... 178
    Mirror / SPAN / Promiscuous Port ... 178
    IDS/IPS Detection Methods ... 179
    Ingress & egress monitoring ... 179
    Whitelisting & Blacklisting ... 179
    Sandbox ... 180
    False Positives & False Negatives ... 180
    Honeypots / Honeynets ... 180
    Enticement & Entrapment ... 180
  4.3 Implement secure communication channels according to design ... 181
    Remote Access ... 181
    Tunneling ... 181
    Generic Routing Encapsulation (GRE) ... 181
    Split tunneling ... 181
    Virtual Private Network (VPN) ... 182
    Tunneling & VPN Protocols ... 182
    IPSec ... 182
    IPSec modes ... 183
    Internet Key Exchange (IKE) ... 183
    SSL ... 184
    Unencrypted SSL ... 184
    Remote Authentication ... 184
    Remote Access / Management Services ... 184
Domain 5 ... 186
  5.1 Control physical and logical access to assets ... 187
    Access control ... 187
    Access control principles ... 187
    Access control applicability ... 187
    Access control system ... 187
    Logical access modes ... 188
    Administration approaches ... 188
  5.2 Design identification and authentication strategy (e.g., people, devices, and services) ... 189
    Access control services ... 189
    Identification ... 189
    User identification guidelines ... 189
    Authentication types (factors) ... 189
    Authentication by Knowledge ... 190
    Password vault ... 190
    Authentication by Ownership ... 190
    One-time Passwords ... 190
    Smart / Memory cards ... 191
    Smart Card ... 191
    Authentication by characteristics (biometric types) ... 191
    Biometric device considerations ... 191
    Biometric device accuracy / Types of errors ... 191
    Crossover Error Rate (CER) ... 191
    Biometric Devices ... 192
    Templates ... 192
    Factors of authentication ... 193
    Kerberos ... 194
    Typical Kerberos issues ... 194
    SESAME ... 194
    Authenticator Assurance Levels (AAL) ... 195
    Session management ... 195
    Session hijacking ... 195
    How do you prevent session hijacking? ... 195
    Session termination ... 195
    Registration and proofing of identity ... 195
    Federated Identity Management (FIM) ... 196
    Federated access standards ... 196
    SAML ... 196
    SAML components ... 197
    Accountability ... 197
  5.3 Federated identity with a third-party service ... 198
    Cloud-based authentication or identity management ... 198
    Types of identities / accounts ... 198
    IDaaS Capabilities ... 198
  5.4 Implement and manage authorization mechanisms ... 199
    1. Discretionary Access Control (DAC) ... 199
    Role-Based Access Control (RBAC) ... 200
    Types of RBAC ... 200
    Groups and Roles ... 200
    Rule-based access control ... 200
    Attribute / Context based access control ... 201
    eXtensible Access Control Markup Language (XACML) ... 201
    2. Mandatory Access Control (MAC) ... 201
    3. Non-Discretionary Access Control ... 201
    Access control summary ... 202
  5.5 Manage the identity and access provisioning lifecycle ... 203
    Provisioning lifecycle ... 203
    User access review ... 203
    How often should access reviews be performed? ... 203
    Which type of accounts should be reviewed most often? ... 203
  5.6 Implement authentication systems ... 204
Domain 6 ... 206
  6.1 Design and validate assessment, test, and audit strategies ... 207
    Purpose of Security Assessment and Testing? ... 207
    Validation & verification ... 207
    Validation ... 207
    Verification ... 207
    Effort to invest in testing? ... 207
    Testing Strategies ... 207
    Role of Security Professional ... 208
  6.2 Conduct security control testing ... 209
    Examples of testing performed ... 209
    When should security become involved in testing? ... 209
    Software Testing Stages ... 209
    Testing Techniques ... 210
    Methods / Tools ... 210
    Runtime ... 210
    Access to Code ... 210
    Types of fuzzing ... 211
    Application security testing ... 211
    Test types ... 212
    Equivalence partitioning & boundary value analysis ... 212
    More test types ... 213
    Testing examples ... 213
    Test coverage analysis ... 214
    Vulnerability analysis ... 214
    Purpose of vulnerability assessment ... 214
    Vulnerability Assessment vs. Penetration Test ... 214
    Typical Process ... 215
    Red, Blue and Purple Teams ... 215
    Testing Techniques ... 216
    Perspective ... 216
    Approach ... 216
    Knowledge ... 216
    Automated vulnerability scanners ... 217
    Additional testing techniques ... 217
17 Banner grabbing & Fingerprinting .....................................................................................................................217 Interpreting & understanding results ................................................................................................................217 False positives & false negatives .......................................................................................................................217 Security Content Automation Protocol (SCAP)..................................................................................................218 Breach attack simulation ...................................................................................................................................218 Compliance checks ............................................................................................................................................218 Log reviews / analysis ........................................................................................................................................219 Logging overview ...............................................................................................................................................219 Log data generation ..........................................................................................................................................219 Limiting log sizes................................................................................................................................................220 Log event time ...................................................................................................................................................220 Operational Testing - Synthetic Transactions & RUM ......................................................................................220 Regression testing 
.............................................................................................................................................220 Reporting testing results ...................................................................................................................................220 6.3 Collect security process data (e.g., technical and administrative) .......................................................... 221 SMART Metrics ..................................................................................................................................................221 Key performance and risk indicators .................................................................................................................221 How do you decide what to focus metrics on? .................................................................................................221 Example areas for metrics .................................................................................................................................221 6.4 Analyze test output and generate report ................................................................................................ 222 Error handling ....................................................................................................................................................222 Remediation ......................................................................................................................................................222 Ethical disclosure ...............................................................................................................................................222 6.5 Conduct or facilitate security audits ........................................................................................................ 
223 Audit & Assessment ..........................................................................................................................................223 Audit approaches ..............................................................................................................................................223 SAS70 > SSAE16 > SSAE18 .................................................................................................................................223 ISAE 3402 / SSAE18 Third-party Audit reports .................................................................................................223 Audit Roles & Responsibilities ...........................................................................................................................224 Domain 7 ................................................................................................................................................................... 226 7.1 Understand and comply with investigations ........................................................................................... 
227 Securing the scene ............................................................................................................................................227 Forensic Investigation Process ..........................................................................................................................227 Evidence collection and handling ......................................................................................................................227 Sources of information / evidence ....................................................................................................................227 Locard’s Exchange Principle ..............................................................................................................................227 Types of evidence ..............................................................................................................................................228 Digital / Computer forensics..............................................................................................................................229 Live evidence .....................................................................................................................................................229 Forensic Copies..................................................................................................................................................229 18 © Destination Certification Inc. 
Investigative Techniques ...................................................................................................................................229 Why is it harder to do forensic analysis of mobile devices?..............................................................................229 Chain of Custody ...............................................................................................................................................229 Five Rules of Evidence .......................................................................................................................................230 Digital forensics tools, tactics, and procedures .................................................................................................230 Reporting and documentation ..........................................................................................................................230 Types of investigations ......................................................................................................................................231 7.2 Conduct logging and monitoring activities .............................................................................................. 
232 Logging & monitoring ........................................................................................................................................232 Security Information and Event Management (SIEM) .......................................................................................232 SIEM Capabilities ...............................................................................................................................................232 Example sources of event data .........................................................................................................................232 Continuous monitoring .....................................................................................................................................233 7.3 Perform Configuration Management (CM) ............................................................................................. 234 Asset Inventory..................................................................................................................................................234 Asset Management ...........................................................................................................................................234 Configuration management ..............................................................................................................................234 7.4 Apply foundational security operations concepts ................................................................................... 
235 Need to know / Least Privileges ........................................................................................................................235 Separation of duties and responsibilities ..........................................................................................................235 Privileged account management .......................................................................................................................235 Job rotation .......................................................................................................................................................235 Service Level Agreements (SLA) ........................................................................................................................235 7.5 Apply resource protection ....................................................................................................................... 236 Protecting media ...............................................................................................................................................236 Media ................................................................................................................................................................236 Media management ..........................................................................................................................................236 Hardware and software asset management .....................................................................................................236 7.6 Conduct incident management ............................................................................................................... 
237 Incident Management .......................................................................................................................................237 Goals of Incident Response ...............................................................................................................................237 Events and Incidents .........................................................................................................................................237 Detection examples ...........................................................................................................................................237 Examples of incidents ........................................................................................................................................237 Incident Response .............................................................................................................................................238 7.7 Operate and maintain detective and preventative measures ................................................................. 239 Malware ............................................................................................................................................................239 Types of malware ..............................................................................................................................................239 Zero Day ............................................................................................................................................................240 Anti-malware .....................................................................................................................................................240 © Destination Certification Inc. 
19 Updating ............................................................................................................................................................240 Machine Learning (ML) and Artificial Intelligence (AI) based tools ...................................................................240 7.8 Implement and support patch and vulnerability management ............................................................... 241 Patch management ...........................................................................................................................................241 Determining patch levels...................................................................................................................................241 Deploying patches .............................................................................................................................................241 7.9 Understand and participate in change management processes ............................................................. 242 Change management ........................................................................................................................................242 Change Management Process ...........................................................................................................................242 7.10 Implement recovery strategies ................................................................................................................ 
243 Failure modes ....................................................................................................................................................243 Backup storage strategies .................................................................................................................................243 Archive bit .........................................................................................................................................................243 Incremental vs. Differential ...............................................................................................................................243 Backup strategy summary .................................................................................................................................244 Backup storage strategies .................................................................................................................................245 Spare parts ........................................................................................................................................................245 RAID ...................................................................................................................................................................246 RAID 0 – Striping ................................................................................................................................................246 RAID 1 – Mirroring .............................................................................................................................................246 RAID 10 – Mirroring & Striping ..........................................................................................................................246 RAID 5 – Parity Protection .................................................................................................................................246 RAID 6 – Double Parity 
Protection.....................................................................................................................247 RAID summary ...................................................................................................................................................247 Cyclic Redundancy Check (CRC).........................................................................................................................247 Clustering vs Redundancy .................................................................................................................................247 Recovery Site Strategies ....................................................................................................................................248 Geographically remote / geographic disparity ..................................................................................................248 Multiple Processing Sites...................................................................................................................................248 Internal vs. External Recovery Sites ..................................................................................................................249 Reciprocal Agreements .....................................................................................................................................249 Disaster Recovery Solutions Summary ..............................................................................................................249 System resilience, high availability, Quality of Service (QoS), and fault tolerance ...........................................249 7.11 Implement Disaster Recovery (DR) processes ......................................................................................... 
250 A disaster is: ......................................................................................................................................................250 Focus of business continuity .............................................................................................................................250 BCM, BCP & DRP ................................................................................................................................................250 BCP / DRP Steps .................................................................................................................................................251 Three primary goals of BIA ................................................................................................................................251 The BIA Process .................................................................................................................................................252 20 © Destination Certification Inc. 
MTD, RTO, RPO, WRT ........................................................................................................................................252 Declaring a Disaster ...........................................................................................................................................253 Response ...........................................................................................................................................................253 Personnel...........................................................................................................................................................253 Communications................................................................................................................................................253 Restoration Order..............................................................................................................................................253 How is the order determined for restoring systems? .......................................................................................253 Dependency charts ............................................................................................................................................254 What systems / operations should be moved FIRST to DR site? .......................................................................254 Once primary site is fixed, what systems / operations should be moved back FIRST? .....................................254 7.12 Test Disaster Recovery Plans (DRP) ......................................................................................................... 255 When should a full-interruption test be performed?........................................................................................255 7.13 Participate in Business Continuity (BC) planning and exercises .............................................................. 
256 Goals of BCM .....................................................................................................................................................256 Focus of BCM .....................................................................................................................................................256 7.14 Implement and manage physical security ............................................................................................... 257 7.15 Address personnel safety and security concerns .................................................................................... 258 Domain 8 ................................................................................................................................................................... 260 8.1 Understand and integrate security in the Software Development Life Cycle (SDLC) .............................. 261 Security’s involvement in development ............................................................................................................261 SDLC & SLC.........................................................................................................................................................261 Development & maintenance lifecycle .............................................................................................................262 Development methodologies ............................................................................................................................262 Waterfall vs. 
Agile..............................................................................................................................................262 Agile Scrum Master ...........................................................................................................................................263 Integrated Product Team ..................................................................................................................................263 DevOps Security ................................................................................................................................................263 Combining Development Methodologies .........................................................................................................264 Maturity models ................................................................................................................................................264 Operation and maintenance .............................................................................................................................264 Change management (review) ..........................................................................................................................265 8.2 Identify and apply security controls in development environments ....................................................... 
    Programming Language Generations ... 266
    Integrated Development Environment (IDE) ... 266
    Programming Language Translators ... 266
    Continuous Integration, Delivery & Deployment ... 266
    SOAR (Security Orchestration, Automation, and Response) ... 267
    Software Configuration Management (SCM) ... 267
    Secure Programming ... 267
    Polyinstantiation ... 267
    Software / code obfuscation ... 268
    Security of the Software Environments ... 268
    Databases ... 269
    Components of DBMS ... 269
    Relational Database ... 269
    Databases: Attributes & Tuples ... 269
    Databases: Primary & Foreign Keys ... 270
    Database Terms ... 270
    Concurrency & Locks ... 271
    Locks & Concurrency Controls ... 271
8.3 Assess the effectiveness of software security ... 272
    Assess the Effectiveness of Software Security ... 272
8.4 Assess security impact of acquired software ... 273
    Acquiring Software ... 273
    Software Assurance Phases for Acquisition ... 273
8.5 Define and apply secure coding guidelines and standards ... 274
    Security Weaknesses and Vulnerabilities at the Source-Code Level ... 274
    Buffer Overflow ... 275
    Buffer Overflow Prevention ... 275
    APIs ... 276
    Security of Application Programming Interfaces ... 276
    Secure coding practices ... 276

Exam Strategy ... 277

Domain 1 Security and Risk Management
1.1 Understand, adhere to, and promote professional ethics (Video #199)

Determining what the appropriate ethical action is can be difficult.

What are ethics based on?
How can an organization have consistent ethics?

(ISC)2 Code of Ethics Preamble
Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Therefore, strict adherence to this code is a condition of certification.

(ISC)2 Code of Ethics Canons
1.
2.
3.
4.

1.2 Understand and apply security concepts (Video #94)

Focus of security:

Goals of Information Security
Confidentiality
Integrity
Availability
Authenticity
Non-repudiation

5 Pillars of Information Security (Video #252)
(Diagram: Information Security at the center, surrounded by Confidentiality, Integrity, Availability, Authenticity and Non-repudiation.)

1.3 Evaluate, apply and sustain security governance principles (Video #25)

How do we align the security function to business strategy, goals, mission, and objectives?

Alignment of security function to business strategy, goals, mission, and objectives
• Business must support security through more than just budgets; it must be involved & committed: conviction
• The Board of Directors should drive the tone from the top
• Security should be an enabler

For security to be effective, it is imperative that?

Accountability vs. Responsibility (Video #42)

Security roles & responsibilities
Organizations must assign security-related functions to designated employees
Who is ultimately accountable for security?
Who is specifically responsible for security?

Due care and due diligence (Video #120)
1.4 Understand legal, regulatory and compliance issues that pertain to information security in a holistic context

Cyber crimes and data breaches
Organizations must understand global security trends
Cannot prevent all attacks, so security must make attacks:
• Not worthwhile
• Too time consuming
• Too expensive

Licensing and intellectual property requirements (Video #142)
(Table columns: Protects | Disclosure Required | Term of Protection | Prohibited by protection)

Import/export controls (Video #253)
ITAR & EAR
Wassenaar Arrangement

Trans-border data flow
• Globalized world economy
• Data is flowing around the globe on the internet
• Organizations must consider the flow of data across physical borders

Data residency (data localization) (Video #203)

Privacy
Sensitive data

Personal Data
Information that can be used on its own or in combination to identify an individual
• Name
• Phone number
• Government ID (e.g. SIN, SSN, Driver's License)
• Account numbers
• Certificate / license numbers
• Biometric data
• Age
• Gender
• Ethnicity
• City
• State
• Zip/postal code
• Email address
• IP Address
• Cookies

Privacy roles & responsibilities
As with security, privacy-related functions must be assigned to designated employees

Privacy requirements
United States
• GLBA, HIPAA, SOX, COPPA
Canada
• Personal Information Protection and Electronic Documents Act (PIPEDA)
European Union
• General Data Protection Regulation (GDPR) 2016/679
Argentina
• Personal Data Protection Law Number 25,326 (PDPL)
South Korea
• Personal Information Protection Act (PIPA)
Australia
• Privacy Act
• Australian Privacy Principles (APPs)
OECD Privacy Guidelines
• Limit the collection of PII; obtain it lawfully and, where appropriate, with the knowledge or consent of the data subject
• PII should be relevant, accurate, complete and kept up-to-date
• The purposes for which PII is collected should be specified when collected
• PII should only be used / disclosed based on the purposes for which it was collected, with consent of the subject or by authority of law
• PII should be protected by reasonable security safeguards against loss, unauthorized access, destruction, use, modification, etc.
• There should be a general policy of openness about developments, practices and policies with respect to PII
• An individual (data subject) should have the right to obtain their data from the controller, and to have their data removed
• A data controller should be accountable for complying with the other principles

Organizations cannot achieve privacy without? (Video #308)

Privacy Impact Assessment (PIA)
Typical elements of a PIA
• Data flow analysis
• Legal compliance
• Risk identification
• Mitigation strategies
• Documentation & reporting
• Review & monitoring

Compliance
Organizations must comply with the laws and regulations in the regions / countries in which they operate
Contractual, legal, industry standards, and regulatory requirements

1.5 Understand requirements for investigation types (Video #254)
Covered in Section 7.1

1.6 Develop, document, and implement security policy, standards, procedures, and guidelines (Video #84)

Policies are ultimately?

Perfect Model for Security Policies

Policies, Standards, Procedures, Baselines & Guidelines

Policy

Standard
Examples of Standards:
• Specific anti-virus software
• Specific access control system
• Specific firewall system
• Published guideline (e.g. ISO 27001) adopted by an organization as a standard
Procedure
Examples of Procedures:
• User registration
• Contracting for security purposes
• Information system material destruction
• Incident response

Baseline
Examples of Baselines:
• Configurations for intrusion detection systems
• Configurations for access control systems

Guideline
Examples of Guidelines:
• Government Recommendations
• Security Configuration Recommendations
• Organizational Guidelines
• Product/System Evaluation Criteria

1.7 Identify, analyze, assess, prioritize and implement Business Continuity (BC) requirements
Covered in Section 7.11

1.8 Contribute to and enforce personnel security policies and procedures (Video #26)

Candidate screening and hiring
Security should evaluate the following as part of screening and hiring:

Employment agreements and policies
Examples of personnel security policies:
• Acceptable use
• Non-disclosure
• Non-compete
• Ethics
• Code of conduct

Personnel security controls

Onboarding and termination processes

Vendor, consultant, and contractor agreements and controls
Enforcement of organizational personnel policies & controls is achieved through:

Reasonable expectation of privacy

Privacy policy requirements

1.9 Understand and apply risk management concepts (Video #7)

Risk
The likelihood that a given threat source will exercise a vulnerability, and the resulting impact

Risk Management Process
1.
2.
3.

Asset valuation (Video #298)
Focus efforts on tangible or intangible assets that are of greatest value
Assets can be valued using:

Risk Analysis (Video #298)
Risk analysis key factors
• Obtain Management Support
• Define and approve purpose and scope
• Review findings & recommendations with Management

Threats & Vulnerabilities
Identify threats & vulnerabilities
Examples include:
• Natural / Environmental
• Cultural
• Human
• Operational / Process
• Technical
• Physical

Qualitative & quantitative analysis

Quantitative risk calculation (ALE, SLE, Asset value, Exposure factor & ARO) (Video #89)

Risk response / treatment (Video #8)

Cybersecurity Insurance
Specialized insurance product designed to help organizations protect against financial losses resulting from cyber-related incidents

Types of controls (Video #104)

Countermeasure selection and implementation (Video #143)

Control types
Functional & Assurance

Risk Management Terms (Video #129, Video #9)
How much security is enough?
Selecting controls

Measuring control effectiveness & reporting
Various stakeholders expect reports on control status, including management, regulators, customers, etc.
Data for control status can originate from internal monitoring, internal or external auditors, third-party reports, etc.

Continuous improvement

Risk management supply chain

Risk Frameworks (Video #150)
Frameworks provide comprehensive guidance for structuring and conducting risk management
NIST 800-37 | ISO 31000 | COSO | ISACA Risk IT

NIST 800-37 – Risk Management Framework (RMF) Steps
1
2
3
4
5
6
7

1.10 Understand and apply threat modeling concepts and methodologies (Video #172)

Threat modeling

Threat modeling methodologies

STRIDE
(Table columns: Threat | Violation | Definition; rows S, T, R, I, D, E)

PASTA
1. Define Objectives
2. Define Technical Scope
3. Application Decomposition
4. Threat Analysis
5. Vulnerability & Weakness Analysis
6. Attack Modeling
7. Risk & Impact Analysis

DREAD (Video #218)
(Table columns: Key Point | Definition; rows D, R, E, A, D)

Social Engineering (Video #96)
1.11 Apply Supply Chain Risk Management (SCRM) concepts (Video #35)

What can companies acquire?

Risks associated with hardware, software, and services
Security must be considered for acquisitions:
• Baseline Security Requirements
• Security Training
• Common Definitions
Security must be part of the procurement process:
• Contracts
• Agreements
• SLAs

Minimum security requirements
• Consult with the appropriate stakeholders
• Define clear & concise security requirements
• Document, share & validate
• Obtain agreement on requirements from stakeholders

Service Level Requirements (SLR)
When acquiring a service, define organizational requirements:
• Detailed service descriptions
• Detailed service level targets
• Mutual responsibilities
The SLR informs the procurement process and subsequently the SLA

Service Level Agreement (SLA) (Video #51)

Service Level Report
Example report components:
• Achievement of metrics defined in the SLA
• Identification of issues
• Reporting channels
• Management
• 3rd parties

Third-party assessment and monitoring
• Many service providers will not allow an organization's auditors onsite to perform an audit
• Instead, organizations can rely on the audit report from a trusted third-party audit firm
• This is known as third-party assurance
Risks associated with the acquisition of products and services (Video #257)
Risks: malfunction, health hazards, compromised integrity & introduction of malicious code or vulnerabilities
Risks: reduced performance, potential hazards, noncompliance with regulations, lack of proper security measures, increasing vulnerability
Risks: secretly transmit sensitive information to unauthorized entities, allow unauthorized access to systems, can remain undetected for extended periods

Risk mitigations
Third-party assessment and monitoring: Evaluating and continuously monitoring the security practices and performance of third-party vendors or suppliers
Minimum security requirements: Predefined baseline security standards that vendors must meet
Service level requirements: Specifications set in contracts that dictate the expected performance, availability, and responsiveness of a service provided by a vendor

1.12 Establish and maintain a security awareness, education, and training program (Video #144)

Who is responsible for security?
•
•
However, people must know what to do
Awareness, Training & Education deliver key principles

Awareness, training & education

Methods and techniques to present awareness and training
• Live in-person
• Live online
• Pre-recorded
• Requirements / rewards
• Regular communications / campaigns

Prioritization of topics
Organizations cannot provide awareness, training & education on everything to everyone
• Determine topics of greatest value
• Specifically tailor to the audience

Periodic content reviews
Organizations and their threat environments are constantly changing
Awareness, training & education materials must be updated accordingly

Program effectiveness evaluation
• Participant survey
• Participant knowledge testing

Domain 2: Asset Security
2.1 Identify and classify information and assets (Video #85)

Identification & ownership come before classification. Must create an asset inventory and identify owners for assets

Data Classification
Data classification ensures that information (assets) receives an appropriate level of protection

Information classification benefits
• Identification of critical information
• Identification of sensitivity to modification
• Commitment to protect

Who determines classification?

Classification process

Classification vs. Categorization (Video #200)

Classification examples
• Financially sensitive
• Proprietary
• Trade Secret
• Personally Identifiable Information (PII)

Labeling & Marking

Labeling methods

2.2 Establish information and asset handling requirements (Video #46)

Handling requirements

Media handling

Media storage
Storage requirements for media are based on the classification of the data

Media retention & destruction
Retention and destruction are based on data classification and data archiving policies

2.3 Provision information and assets securely (Video #44)

Who is the data owner?
Owners need to have clearly defined accountabilities, including:
• Defining classification
• Approving access
• Retention & destruction

Different types of owner
• Data Owners
• Process Owners
• System Owners

Data classification policy (Video #2)

Information classification policy considerations

2.4 Manage data lifecycle

Data roles (Video #202)

Data life cycle

Manage the data life cycle (Video #233)

What is Data Remanence?

Categories of sanitization
1
2
3

Data deletion methods
Object Reuse (Video #258)

Solid State Drives data destruction
• Flash memory cannot be overwritten
• Some manufacturers provide sanitization or crypto erasure capabilities
• Best option is always destruction of media

Encryption __________________

Destruction of media is best

2.5 Ensure appropriate asset retention (Video #45)

How do we keep data for a long time?

Data archiving
Must understand requirements for protecting information when it is archived:
• Media type
• Security requirements
• Availability requirements
• Retention period
Retention policies are part of the overall Data Classification policy

Data archiving policies
• Archiving / retention policy is based on laws, regulations & business needs
• Classify records accordingly
• Train employees
• Provide employees with the right tools
Questions to consider when writing policy:
• Who needs access to the data?
• Do access requirements change over time?
• How long does data need to be kept?
• Data disposal requirements?

2.6 Determine data security controls and compliance requirements (Video #59)

Best way to ensure data receives appropriate protection based on classification?

Methods for protecting data

What is data at Rest?
Protecting data at Rest

What is data in Transit?
Protecting data in Transit
End-to-end encryption
Link encryption
Onion network

Information obfuscation methods (Video #207)

Information Pruning

Scoping and Tailoring

Data protection methods (Video #261)
Digital Rights Management (DRM): Set of access control technologies for restricting the use, distribution, modification, etc. of data and other intellectual property
Information Rights Management: Subset of DRM focused on protecting sensitive information from unauthorized access. Typically deployed in an organizational setting (e.g. Secure PDF files)
Data Loss Prevention (DLP): Suite of technologies designed to detect and prevent the exposure / loss / leakage of sensitive information
Cloud Access Security Broker (CASB): Security technology that provides visibility, policy enforcement, and threat protection for cloud-based applications and services

Domain 3: Security Architecture and Engineering

3.1 Research, implement and manage engineering processes using secure design principles (Video #211)

Security's involvement in building anything
How do we know what security controls to include at each phase?

Secure design principles
• Threat modeling
• Least privilege
• Defense in depth
• Secure defaults
• Fail securely
• Separation of Duties (SoD)
• Keep it simple
• Zero trust
• Trust but verify
• Privacy by design
• Shared responsibility
• Cyber Kill/Attack Chain

Keep it simple

Zero Trust

Principles for zero trust
1. Know your architecture, including users, devices, and services
2. Know your user, service and device identities
3. Know the health of your users, devices and services
4. Use policies to authorise requests
5. Authenticate everywhere
6. Focus your monitoring on devices and services
7. Don't trust any network, including your own
8. Choose services designed for zero trust

Trust but verify
• Locking down architectures and focusing on prevention only is outdated
• Instead, focus on complete controls based on detection and response as well
• This is especially important for reliance on third-party services, including Cloud
• Increased need to monitor, and to trust through assurance mechanisms:
  o Audits
  o Ongoing monitoring
  o SOC reporting
  o Contracts/agreements

Privacy by Design
Shared responsibility
• Relating to security in third-party services, e.g. Cloud
• Increased reliance on third-party services requires clarity on shared security expectations
• Responsibility vs. accountability must be clearly understood by the company using 3rd parties
• Consumers and providers must take action on these responsibilities by having clear contracts and agreements, and then implementing appropriate policies, procedures and controls

Cyber Kill / Attack Chain (Video #315)

3.2 Understand the fundamental concepts of security models (Video #99)

What is a model?

Concept of security

Enterprise Security Architecture (Video #1)

3 major Enterprise Security Architectures

Security Models (Video #72)

Bell-LaPadula
Biba
(Comparison table for each model: Read | Write | Send, by "Layer of …")

Lipner implementation

Information flow (Video #27)

Covert channels

Clark-Wilson: 3 Goals of Integrity
1
2
3

Clark-Wilson: 3 Rules
1
2
3

Brewer-Nash (The Chinese Wall) Model

Graham–Denning Model

Harrison–Ruzzo–Ullman Model
Deals with integrity of access rights
Finite set of procedures available to edit the access rights of a subject

Evaluation Criteria (Video #47)

Certification and accreditation
Orange Book / Trusted Computer System Evaluation Criteria (TCSEC)

Orange Book Evaluation Criteria
A1  Verified design
B3  Security labels, verification of no covert channels, and must stay secure during start-up
B2  Security labels and verification of no covert channels
B1  Security labels
C2  Strict login procedures
C1  Weak protection mechanisms
D1  Failed or was not tested

Information Technology Security Evaluation Criteria (ITSEC)
ITSEC improves on the Orange Book by:
• Functional measurements are the same as the Orange Book
• Assurance measurements are E levels

ITSEC (Assurance) E Levels
E6  Formal end-to-end security tests + source code reviews
E5  Semi-formal system + unit tests and source code review
E4  Semi-formal system + unit tests
E3  Informal system + unit tests
E2  Informal system tests
E1  System in development
E0  Inadequate assurance

Common Criteria (Video #60)

Common Criteria Process

Common Criteria EAL levels
EAL7
EAL6
EAL5
EAL4
EAL3
EAL2
EAL1

3.3 Select controls based upon systems security requirements (Video #299)

What do security control frameworks provide?

Security control frameworks

ISO 27001

ISO 27000 family

ISO 27001 domains:
1. Information security policies
2. Organization of information security
3. Human resource security
4. Asset management
5. Access control
6. Cryptography
7. Physical and environmental security
8. Operations security
9. Communications security
10. System acquisition, development and maintenance
11. Supplier relationships
12. Information security incident management
13. Information security aspects of business continuity management
14. Compliance
3.4 Understand security capabilities of information systems (Video #117)

Subjects & objects

Reference Monitor Concept (RMC) (Video #130)
RMC features include:
• Must mediate all access
• Be protected from modification
• Be verifiable as correct
• Always be invoked

Security Kernel

3 principles of RMC & Security Kernel
To have security, the RMC and its implementation, the Security Kernel, must satisfy 3 principles

Trusted Computing Base (TCB)
Totality of protection mechanisms within an architecture
Examples of components within the TCB:
• Processors (CPUs)
• Memory
• Primary Storage
• Secondary Storage
• Virtual Memory
• Firmware
• Operating Systems
• System Kernel

Example TCB, RMC & Security Kernel Question
A user logs into their laptop by entering their username and password. Is this the TCB, the RMC, or the Security Kernel?

Processors (Video #262)

Processor States
Operating modes for the processor that restrict the operations that can be performed by certain processes

Process Isolation
Prevents objects from interacting with each other and their resources
Actions of one object should not affect the state of other objects

Secure Memory Management
Prevents a process from accessing memory that has not been allocated to it

Secure Memory Management vs. Memory Segmentation
Memory Segmentation: Allows for setting access control rules on each segment of memory. The OS can control which processes have read, write, or execute permissions for each segment.
Secure Memory Management: Focused on protecting memory from unauthorized access and corruption. Broader term; includes memory segmentation, preventing buffer overflows, etc.
Types of Storage (Video #10)
Examples of primary storage:
• Cache
• Registers
• RAM
Examples of secondary storage:
• Magnetic drives
• Optical media
• Tapes
• SSD

Virtual Memory

Firmware
Software that provides low-level control of hardware
Firmware is the code that boots the hardware up

System Kernel (Video #173)
Supervisory element that coordinates the components

Privilege Levels
Subjects of higher trust can access more system instructions and operate in privileged mode
Subjects with lower trust can only access a smaller portion of system instructions and operate in user mode

Ring protection model (Video #151)

Middleware
Layer of software that enables interoperability (glue) between different incompatible applications

Data Hiding
Prevents data at one security level from being seen at another level

Virtualization
Creating a virtual version of something to abstract away from the true underlying hardware or software

Layering / Defense in depth (Video #52)
Combining multiple security controls to protect systems

3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements (Video #79)

Single point of failure
Reduce risk of single point of failure

Bypass controls
Reduce risk of bypass controls

Race conditions
TOCTOU
Reduce risk of race conditions

Emanations
Reduce risk of emanations

Vulnerabilities in systems (Video #174)
Where is it hardest to detect vulnerabilities?

To protect anything:

Reduce risk in mobile-based systems

Reduce risk in client & server-based systems

OWASP

Mobile devices (Video #106)
Reduce risk of mobile devices & mobile workers
Mobile device policy

Remote access security

End-point security

OWASP Mobile Top 10
M1  Improper Platform Usage
M2  Insecure Data Storage
M3  Insecure Communication
M4  Insecure Authentication
M5  Insufficient Cryptography
M6  Insecure Authorization
M7  Poor Client Code Quality
M8  Code Tampering
M9  Reverse Engineering
M10 Extraneous Functionality

Distributed systems (Video #152)

Grid computing

Data warehouse

Big Data
Examples of big data tools:
• Hadoop
• MongoDB
• Tableau

Data mining / analytics

Inference & aggregation
Reduce risk of inference & aggregation

Industrial Control Systems (ICS) (Video #131)
General term for control systems (hardware & software) used in industrial processes and critical infrastructure

OT vs. ICS

Types of ICS
SCADA
DCS
PLC

Reduce risk in Industrial Control Systems

Internet of Things (IoT)
Reduce risk of Internet of Things (IoT)

Cloud Computing (Video #164)

Characteristics of cloud computing
On-demand self-service: Users can request services, and sophisticated software at the cloud provider automatically provisions them
Broad network access: Access to cloud resources is available from multiple device types from multiple locations
Resource pooling: Easily provisionable and scalable resources which can appear infinite (compute, storage, network)
Rapid elasticity and scalability: Ability to quickly provision and de-provision resources
Measured service: Usage of resources is monitored and reported to the consumer, providing visibility and transparency of rates and costs
Multi-tenancy: Resources are allocated such that multiple consumers' (tenants') computations and data are isolated from and inaccessible to one another

Cloud service models (Video #132)
Cloud deployment models

Virtual Private Cloud (VPC)
Provides a logically isolated and customizable portion of a public cloud provider's infrastructure to a customer

Cloud computing roles (Video #204)

Accountability vs. Responsibility (Video #303)

Compute

Virtual Machines
Instead of running directly on the hardware, code (e.g. an operating system) runs on top of an abstraction layer (more code)

Hypervisor Types (VM Monitors)

Cloud VM forensics

Containers
Highly portable code execution environments that run within an operating system, sharing and leveraging resources of that operating system

Dividing up services

Microservices
Application services are divided up and loosely coupled. Each service can run in its own container. Services communicate via APIs

Serverless
Simple functions are written and stored in the cloud. Functions can be called as much or as little as desired. Zero usage = zero costs

Common cloud protocols (Video #198)

Edge Computing (Video #263)
Distributed computing paradigm that brings computation and data storage closer to the location where it is needed, to improve response times and save bandwidth

Secure Access Service Edge (SASE)
Combines network security and wide-area networking (WAN) capabilities into a cloud-based service

Embedded devices
Combination of computer hardware and software designed for a specific function

High Performance Computing
Ability to process data and perform complex functions at high speeds (e.g. Supercomputers)

Cross Site Scripting (XSS) (Video #68)
(Diagram: numbered steps of an XSS attack between attacker, victim browser and website)
Types of XSS
• Injected code is stored on the server and sent to all subsequent visitors (victims)
• Injected code is passed to the vulnerable server via URL and reflected to the victim
• Client-side DOM environment is modified and malicious code injected

Cross Site Request Forgery (CSRF) (Video #90)
(Diagram: numbered steps of a CSRF attack)

XSS vs. CSRF
XSS: Unwanted action performed on the user's browser. The user's browser (Client) runs malicious JavaScript code
CSRF: Unwanted action performed on a trusted website. The website (Server) executes a command from the trusted user's browser

Structured Query Language (SQL) (Video #90)

SQL Injection

SQL Commands
CREATE, ALTER, DROP, TRUNCATE, RENAME
SELECT, INSERT, UPDATE, DELETE, MERGE, LOCK TABLE
GRANT, REVOKE
COMMIT, ROLLBACK, SAVEPOINT

SQL Injection code examples
    SELECT * FROM users
    INSERT INTO users (userID, password) VALUES ('rob', 'Pass123')
    DROP TABLE accountsReceivable

Root of all evil is? (Video #118)

Input Validation

Reduce risk of web-based vulnerabilities

3.6 Select and determine cryptographic solutions

History of Cryptography (Video #14)

Cryptographic evolution

5 Services of Cryptography (Video #112)

Data protection

Everyday uses of cryptography

Cryptographic definitions (Video #138)
• Art and science of writing secrets
• Accomplished by a cryptosystem

Encryption / Decryption

Key Space

Methods of encryption (Video #138)
Substitution
Transposition

Transposition: Rail Fence (zigzag) cipher

Transposition ciphers

Synchronous vs. asynchronous (Video #73)

Repeating patterns must be avoided
Most common letter in the English language?
Most common 3 letter word in the English language?
Most common 4 letter word in the English language?
Substitution patterns in monoalphabetic ciphers

Substitution - Polyalphabetic ciphers

Substitution - Running key ciphers

Substitution - One-time pads

Stream vs. block ciphers (Video #86)
Stream ciphers
Block ciphers

Symmetric Block modes

Which are faster: stream or block ciphers?

Symmetric Cryptography (Video #3)
Advantages
Disadvantages

Symmetric Algorithms
(Table columns: Algorithm | Key length | Block length | Other)

Other Symmetric Algorithms
(Grouped by strength: Weak, Medium, Strong, Very Strong)
Name                  Key Length
RC2-40                40
DES                   56
RC5-64/16/7           56
RC5-64/16/10          80
Skipjack              80
RC2-128               128
RC5-64/12/16          128
IDEA                  128
Blowfish              128
3DES                  168 = 112
RC5-64/12/32          256
Twofish               256
RC6                   256
Rijndael (AES)        128, 192, or 256

DES / 3DES

Rijndael / Advanced Encryption Standard (AES)
• The US government saw that DES was getting obsolete and started the Advanced Encryption Standard competition
• 30 algorithms were evaluated over 4 years

Out-of-band key distribution

Asymmetric Cryptography (Video #87)
Advantages
Disadvantages

Asymmetric Algorithms

Hard math problems
Factoring & Discrete Logs
Asymmetric algorithms depend on using very large prime numbers
When using such large numbers, it is very difficult to work backwards to determine the original integers

Diffie-Hellman Key Exchange Protocol (Video #113)

Hybrid Cryptography (Video #80)

Steganography & null cipher (Video #15)

Message Integrity Controls (Video #28)
Parity
Hash Functions
Keyed Hash
HMAC
Checksum
CRC (Cyclical Redundancy Check)
Digital Signature

Hashing functions

Hashing

Key properties of hashing algorithms

Hashing Algorithms

Collisions
Birthday Attack/Paradox
Digital Signatures (Video #145)
Services provided by Digital Signatures
Creating Digital Signatures
Uses of Digital Signatures
• In many countries digital signatures have the same legal significance as traditional signed documents
• Verify integrity and authenticity of software updates / patches
• Nonrepudiation:
  o Sender cannot deny sending the message.
  o Recipient cannot claim receiving a different message than the original
Code signing and validation (Video #304)
Method of using a digital signature to sign executables and scripts in order to verify the author's identity and ensure that the code has not been changed or corrupted since it was signed by the author
How can we be certain we have someone's public key?
Digital Certificates (Video #146)
Digital Certificate Standard
Root of trust (Video #91)
Who issues certificates?
Digital Certificate Replacement & Revocation
Revocation methods
Certificate lifecycle: Enrollment, Issuance, Validation, Revocation, Renewal
Certificate Pinning
Public Key Infrastructure (Video #180)
Components of PKI
• Certificate Authority (CA)
• Registration Authority (RA)
• Intermediate / Issuing CA
• Certificate DB
• Certificate Store
Without a PKI it is possible to encrypt and send data, but you cannot verify the identities of the other parties
MIME headers (Video #264)
Used by protocols such as email, HTTP, and others to indicate the nature and format of a document or file being transmitted
S/MIME
Provides a secure way to send and receive MIME data
Key Management (Video #146)
Kerckhoffs's Principle
Key management activities
• Key Creation
• Key Distribution
• Key Storage
• Key Rotation
• Key Recovery
• Key disposition / destruction
Putting it all together

3.7 Understand methods of cryptanalytic attacks
Cryptanalysis (Video #20)
Science of:
• Cracking codes
• Decoding secrets
• Violating authentication schemes
• Breaking cryptographic protocols
• Finding and correcting weaknesses in encryption algorithms
Types of Cryptanalysis attacks
Cryptanalytic Attacks:
• Brute force
• Ciphertext only
• Known plaintext
• Chosen plaintext
• Chosen ciphertext
• Linear & Differential
• Factoring
Cryptographic Attacks:
• Man-in-the-middle
• Replay
• Pass the hash
• Temporary files
• Implementation
• Fault injection
• Side channel
• Dictionary attack
• Rainbow tables
• Birthday
• Kerberos exploitation
• Social engineering
What is the primary goal of Cryptanalytic attacks?
Brute force attack
  Key Length (bits)   Key Space       Attack Time
  56                  7.2 x 10^16     20 hours
  80                  1.2 x 10^24     54,800 years
  128                 3.4 x 10^38     1.5 x 10^19 years
  256                 1.15 x 10^77    5.2 x 10^57 years
Cryptanalytic attacks (columns: Algorithm, Ciphertext, Plaintext, Device Details)
• Ciphertext only
• Known plaintext
• Chosen plaintext
• Chosen ciphertext
• Linear & differential
• Factoring
Man-in-the-middle attack (Video #176)
Replay attack
Pass the Hash
Temporary files attack (Video #177)
Implementation attacks
Fault injection
Side channel attacks
Dictionary attacks
Rainbow tables (Video #305)
Reducing the risk of rainbow tables
Birthday attack
Kerberos exploitation (Video #178)
• Kerberos IV only uses DES encryption and is therefore prone to brute force attacks
• Kerberos V supports plug-in encryption such as 3DES, IDEA, etc.
• Authentication requires good implementation practices, to prevent ticket stealing and replay attacks
• Kerberos authentication may be prone to brute force attacks against the KDC
Social engineering
3.8 Apply security principles to site and facility design
Goals of Physical Security (Video #220)
Physical security provides protection from outside the perimeter ... to all assets within
Primary goal of physical security?
Physical security controls
Threats to physical security
Example physical security threats
• Theft
• Espionage
• Dumpster diving
• Social engineering
• Shoulder surfing
• HVAC access
Layered defense model
Physical security systems and methods
How do we decide which physical security controls to put in place?
Risk Management Process (Video #185)
Security Survey
Site Planning
Higher Value Areas

3.9 Design site and facility security controls
Perimeter
Closed Circuit TV (CCTV) (Video #306)
Passive infrared devices
External Monitoring / Lighting
Interior monitoring
Doors
Interior Access Control (mantraps)
Locks (Video #183)
What determines the security of a combination lock?
Card Access / Biometrics
Windows
• Standard Plate Glass
• Tempered Glass
• Wired Glass
• Laminated Glass
• Polycarbonate
• Solar Films
Shock / glassbreak sensors (Video #37)
Walls (Video #155)
Intrusion Detection Systems
Skimming (Video #181)
Site Location
• Crime
• Riots
• Natural disasters
• Adjacent buildings
• Airport
• Highway / railway
• Military base
• Emergency support services
Infrastructure Support Systems (Video #166)
Power
Disruptions in electrical power can have a serious business impact. Goal is to have clean and steady power
Uninterruptible Power Supply (UPS)
Generators
Power Outages & Degradation (classified by period of time)
Heating Ventilation & Air Conditioning (HVAC)
Positive Pressurization
Ideal Temperature & Humidity
Fire (Video #21)
Requires: Fuel, oxygen & heat
Dealing with the Risk of Fire
Fire Detectors
Best way to prevent or limit damage from a fire?
Water Based Fire Suppression Systems (Video #54)
Gas Based Fire Suppression Systems
Fire Extinguishers
  Class   Type of fire          Suppression agents
  D       Combustible metals    Dry powders
  K       Commercial kitchens   Wet chemicals

3.10 Manage the information system lifecycle
Information System Lifecycle
The entire lifespan of an information system, from its initial conceptualization to its eventual decommissioning

Domain 4 Communication and Network Security
4.1 Assess and implement secure design principles in network architectures
What is a network? (Video #4)
What is a protocol?
What is the OSI Model?
Open System Interconnection (OSI) Model (Video #62)
  OSI layer        Description                                                              Devices & Protocols
  7 Application    Network capabilities of applications
  6 Presentation   Formatting of data
  5 Session        Interhost communication
  4 Transport      End-to-end connection with error correction & detection
  3 Network        Logical addressing, routing and delivery of packets
  2 Data Link      Physical addressing, and reliable point-to-point connection
  1 Physical       Binary transmission of data across physical media (wire, fiber, etc.)
TCP/IP vs. OSI Model names, Protocol Data Units and examples
  Layer            Protocol Data Unit    Example
  7 Application    Data                  HTTPS
  6 Presentation   Data                  JPEG
  5 Session        Data                  NetBIOS
  4 Transport      Segments/datagrams    TCP/UDP Ports
  3 Network        Packets               Router
  2 Data Link      Frames                Switch
  1 Physical       Bits                  Fiber Optic Cable
Layer 1: Physical
• Binary transmission of data across physical media (wire, wireless, etc.)
• Conversion of bits into light, electrons or radio waves
• Provides transfer of a bit stream over wires, optical cable or airwaves
• Physical or virtual connection for transmission between data link entities
Transmission media (Video #88)
Optical fiber
Crosstalk
Crosstalk is least of an issue with which media?
Criteria for selecting media
• Confidentiality
• Bandwidth
• Distance
• Geography
Transport architecture (Video #88)
Network Topologies (Video #267)
Physical topology vs. logical topology
E.g. in a physically star-shaped network, the logical topology might be a bus if all communications are being broadcast to all nodes.
Planes
• Control plane (route calculation / path determination, OSPF, BGP)
• Data plane (packet forwarding & switching)
Cut-through vs. Store-and-forward
Transmission Methods (Video #268)
North-south and east-west traffic patterns
Crucial considerations when designing network architecture, as they impact the choice of network topologies, routing protocols, and security strategies
Traffic flows
• North-south traffic: traffic between clients on the Internet and servers within the data center (southbound), or vice versa (northbound)
• East-west traffic: the data that moves laterally between servers, storage systems, and applications within the data center or across data centers
Considerations for N-S and E-W traffic
• Traditionally, E-W traffic is considered safer and typically trusted
• N-S traffic requires stricter security policies
• Advent of Zero Trust requires scrutiny for both through more granular attribute-based access control and monitoring
(Video #270, Video #271)
Dealing with collisions
Physical segmentation
Performance metrics (Video #272)
Layer 1 Devices (Video #307)
Layer 2: Data Link
• Physical addressing, and reliable point-to-point connection
• Responsible for reliable delivery of information over a point-to-point or multi-point network
• Translates data into bits and formats it into frames
• Can be divided into Logical Link Control and Media Access Control
• Common place to implement link encryption
• Provides error detection via checksums
Physical addressing (Video #100)
Circuit Switched Network
Connection is established permanently or on demand and is maintained between switches in order to route traffic to the correct destination
Transmission of digital data over analog connections
Encapsulate the Internet Protocol to enable transmission of digital data over analog connections
Packet Switched Network
Each data packet contains information such as addresses and sequence numbers
Switches switch the packets to the final destination based on the header information and network conditions
Authentication Protocols (Video #125)
Protected Extensible Authentication Protocol (PEAP)
Encapsulates EAP within an encrypted and authenticated TLS tunnel
Common types of EAP (Video #319)
  Type       Client Authentication   Server Authentication   Security   Industry Support   Proprietary
  EAP-TLS    Certificate             Certificate             High       High               No
  EAP-TTLS   ID & Password           Certificate             Medium     Medium             Yes, Certicom (kinda)
  EAP-PEAP   ID & Password           Certificate             Medium     High               Cisco, RSA & Microsoft
  LEAP       ID & Password           ID & Password           Low        High               Yes, Cisco
  EAP-MD5    ID & Password           -                       Low        Low                No
Layer 2 Devices
Layer 2 Protocols
Layer 3: Network
• Logical addressing, routing and delivery of packets
• Selects and manages a route chosen from the available links arranged as a network
• Can determine alternate routes to avoid congestion or node failure
• Data is transferred via packets
• A place to implement link, or end-to-end encryption
Internet Protocol (IP) (Video #229)
Logical Addressing
LAN technologies
IEEE – Institute of Electrical and Electronics Engineers
  Wired          Ethernet   IEEE 802.3
  Wireless       WLAN       IEEE 802.11
  Virtual LANs   VLAN       IEEE 802.1Q
Internet protocol v4 (Video #139)
Internet protocol v6
IPv4 vs. IPv6
  Attribute        IPv4            IPv6
  Deployed         1974            1999
  Address size
  Address space    4,294,967,296   340,282,366,920,938,463,463,374,607,431,768,211,456
  Address format   10.0.0.1        2001:0db8:85a3:0000:0000:8a2e:0370:7334
  IPSec
Private IPv4 addresses
Network Classes (subnetting) (Video #208): table of Class vs. # of addresses, including the multicast address class and the reserved class
Layer 3 Protocols
Layer 3 Devices
Layer 4: Transport (Video #74)
• End-to-end connection with error correction & detection
• Ensures host-to-host information transfer
• Provides reliable, transparent data transfers between session entities
• Isolates the user from any concerns about the actual movement of the information
• A place to implement end-to-end encryption
TCP & UDP
TCP vs. UDP headers
TCP 3-Way Handshake (Video #114)
Ports
Common Ports (Video #320)
Layer 4 Protocols
Layer 5: Session (Video #30)
• Interhost communication
• Coordinates communications dialogue between cooperating application processes
• Maintains a logical connection between two processes on end hosts
• Ideal place for identification and authentication
Layer 5 Protocols
Layer 5 technologies: Circuit, Proxy, Firewalls
Layer 6: Presentation
• Formatting & encryption of data for end user
• Ensures compatible syntax in how the information is represented for exchange by applications
• Provides translation, encryption/decryption and compression/decompression
Layer 7: Application
• Network process of applications
• Provides a user interface through which the user gains access to the communication services
• Ideal place for end-to-end encryption and access control
Layer 7: Protocols
Secure Shell (SSH)
Secure remote administration protocol (remote command-line, login, and remote command execution)
Layer 7 technologies
• Gateways
• Application, Proxy, Firewalls
Layer 7 Devices
Convergence (Video #126)
Converged protocols
Voice
VoIP Protocols
• Initiating, maintaining, and terminating voice and video sessions
• Secure (encryption, authentication, integrity & replay attack protection) of RTP for streaming voice and video over IP
Vishing
Network Attack Phases
Network attacks (Video #321)
• Passively: Eavesdropping
• Actively: Scanning Ports, SYN Scanning
SYN Flooding
IP Based Attacks (Video #75)
DoS & DDoS
Man-in-the-Middle
Spoofing
Network Exploit Tools
ARP Poisoning
Wireless (Video #101)
Wireless Radio Spectrum (figure: bands plotted from 0 MHz up to 38 GHz)
• AM Radio (535 – 1605 KHz)
• FM Radio (88 – 108 MHz)
• VHF TV (174 – 216 MHz)
• UHF TV (512 – 806 MHz)
• Analog Cellular (824-894 MHz)
• Cordless Phones, Baby Monitors, Toys (900 MHz)
• Digital Cellular (1850-1900 MHz)
Wireless Technologies
Wireless Network Architecture
Radio Frequency Management
802.11 wireless
  Type       Frequency         Top speed
  802.11     2.4 GHz           2 Mbps
  802.11a    5 GHz             54 Mbps
  802.11b    2.4 GHz           11 Mbps
  802.11g    2.4 GHz           54 Mbps
  802.11n    2.4 GHz & 5 GHz   72-600 Mbps
  802.11ac   5 GHz             422 – 1300 Mbps
Wireless LAN Security Mechanisms
802.11 Security Solutions
                   802.1x Dynamic WEP   Wi-Fi Protected Access (WPA)    Wi-Fi Protected Access 2 (WPA2)
  Access Control   802.1X               802.1X or Pre-Shared Key        802.1X or Pre-Shared Key
  Authentication   EAP methods          EAP methods or Pre-Shared Key   EAP methods or Pre-Shared Key
  Encryption       WEP                  TKIP (RC4)                      CCMP (AES Counter Mode)
  Integrity        None                 Michael MIC                     CCMP (AES CBC-MAC)
Wireless Authentication
Require an authenticated key exchange mechanism
Extensible Authentication Protocol (EAP)
• One factor: EAP-MD5, LEAP, PEAP-MSCHAP, TTLS-MSCHAP, EAP-SIM
• Two factor: EAP-TLS, TTLS with OTP, and PEAP-GTC
Need mutual authentication
Wireless Encryption
Temporal Key Integrity Protocol (TKIP)
• Uses RC4 Stream Cipher with 128 bit per-packet keys
Counter-Mode-CBC-MAC Protocol (CCMP)
• Uses Advanced Encryption Standard (AES) with 128 bit keys
Wireless Integrity Protection
• TKIP uses a Message Integrity Code called "Michael"
• CCMP uses AES in CBC-MAC mode
TKIP (Temporal Key Integrity Protocol)
• Designed to replace WEP without requiring the replacement of legacy hardware
• Required due to significant flaw found in WEP
• Sends each new packet with a unique encryption key (key mixing)
• TKIP is no longer considered secure and is superseded by AES
5G
• Mutual authentication capabilities
• Enhanced subscriber identity protection
• Provide end-to-end authentication, integrity and confidentiality protection via signatures and encryption
Common Tools
Virtual Local Area Network (VLAN) (Video #190, Video #69)
Software-Defined Networks (Video #234)
• Centralize network intelligence
• Programmatic network configuration
• Multiple segregated overlapping IP ranges
SDN architecture
Third-party connectivity
• Inventory of third-party vendor connections
• Analyze firewall rules for inbound connections
• Run vulnerability scans to look for services that are listening for inbound connections
• Enterprise password security policies must apply to vendors
• Create & enforce security standards specific to vendors
• Monitor for any security gaps and then mitigate them
Wide Area Networks (WAN)
Connects LANs through technologies such as:
• Dedicated leased lines
• Dial-up phone lines
• Satellite and other wireless links
• Data packet carrier services
Wide Area Network (WAN) Technology (Video #102, Video #196)
Monitoring and management (Video #274)
Practices, tools, and processes aimed at ensuring the availability, performance, security and reliability of computer networks, systems, and services
Performance Monitoring, Security Monitoring, Configuration Management, Log Management, Alerting and Notification, Reporting and Analytics, etc.

4.2 Secure network components
Defense in Depth (Video #275)
Partitioning
Network Perimeter
Edge networks
Networks that are situated at the edge of a centralized network, closer to the end-users. Designed to deliver content and services with reduced latency and increased performance by being geographically closer to the user
Logical segmentation
Creating distinct logical or virtual segments within a larger physical network
Allows a single physical network to be partitioned into multiple smaller logical networks
• Create a private network across public network infrastructure.
  Used to connect remote users or separate branches of a business to the main office's network
• Allows multiple instances of a routing table to coexist within the same router at the same time.
• Ability to create multiple separate security domains within a single physical device (e.g. Firewall). Allows multiple virtual firewall instances within a single device
Micro-segmentation
Enhances security by minimizing the lateral movement of attackers within a network, effectively creating a segmented, compartmentalized architecture where each segment can have its own security policies and controls down to the workload level
IDS / IPS
Deployed strategically within the network to monitor and protect individual workloads or network segments rather than just at the perimeter
Zero Trust
Each micro-segment is treated as its own secure zone. Access to each zone is given only after the identity and context of the request have been thoroughly verified
Network Segmentation
Bastion Host
Network Segment / Subdomain Isolation
Proxy (Video #76)
NAT & PAT
Private Addresses
RFC 1918 lists three segments of private addresses that are not to be used on the Internet, so they can be used safely behind a NAT environment:
• 10.0.0.0 - 10.255.255.255
• 172.16.0.0 - 172.31.255.255
• 192.168.0.0 - 192.168.255.255
What is a firewall? (Video #17)
A firewall is a concept. It could be as simple as a router.
Firewall Technologies
• Packet filtering firewalls
• Stateful Packet Filtering Firewalls
• Circuit-Level Proxy Firewalls
• Application-Level Proxy Firewalls
Packet Filtering
• A method or device for limiting network traffic between two networks by enforcing security rules.
• Examines packet headers to either block or pass packets.
• Uses Access Control Lists (ACLs) that allow it to accept or deny access.
Stateful Packet Filtering
• Transmitted data packets or frames are captured and analyzed at all communication layers
• State and context data are stored and updated dynamically
• Provides information for tracking connectionless protocols; e.g., Remote Procedure Call (RPC) and UDP-based applications
Circuit Proxy
• Create a circuit between client and server without requiring knowledge about the service
• Have no application specific controls
• An example is a SOCKS server
Application Proxy
• Perform the highest level of security because it allows the greatest level of control
• A different proxy is needed for each service
• Can be a performance bottleneck
Standard Firewall Architectures (Video #115)
Data inspection (Video #5)
Monitoring & examining transmitted data and taking appropriate action if not allowed by security rules
Data Inspection Applications
• Virus scanning: files are scanned against known signatures for malware
• Stateful inspection: dynamic state / context table is maintained to track and analyze communications between systems
• Content inspection: content of mobile code is scanned and inspected for compliance with specific security rules
IDS & IPS (Video #31)
Network based vs. Host based
IDS/IPS Network Architecture
Mirror / Span / Promiscuous Port
Specific port set on a network device (e.g. switch) to which all traffic transiting that device will be replicated for monitoring purposes
IDS/IPS Detection Methods (Video #127)
Ingress & egress monitoring
Whitelisting & Blacklisting
Sandbox (Video #48)
False Positives & False Negatives (True / False versus Positive / Negative)
Honeypots / Honeynets
Enticement & Entrapment
4.3 Implement secure communication channels according to design
Remote Access
Connecting to corporate resources over an insecure network (Internet)
Tunneling (Video #32)
Generic Routing Encapsulation (GRE)
Split tunneling (Video #213)
[Figure: two diagrams of a user on a hotel network with an encrypted tunnel to the corporate network and a connection to the Internet, illustrating split tunneling]
Virtual Private Network (VPN)
Tunnelling & VPN Protocols (table columns: Protocol / Tunnel / Encrypt / OSI)
• Secure Shell
• Socket Secure
• Secure Sockets Layer
• Transport Layer Security
• Internet Protocol security
• Generic Routing Encapsulation
• Layer 2 Tunneling Protocol
• Layer 2 Forwarding Protocol
• Point-to-Point Tunneling Protocol
IPSec (Video #116)
Security Association (SA)
SA is a simplex establishment of attributes at the start of communication between entities
Attributes include:
• authentication algorithm
• encryption algorithm
• encryption keys
• mode (transport or tunnel)
• sequence number
• expiry of the SA
For tunneling + encryption between 2 entities, 4 SAs are required
IPSec modes
(Tunnel mode OR Transport mode) + (Authentication Header (AH) OR Encapsulating Security Payload (ESP))
  AH, transport mode:    [Original Header][Authentication Header][Data]
  ESP, transport mode:   [Original Header][ESP Header][Data][ESP Trailer]                    (Data encrypted)
  AH, tunnel mode:       [New Header][Authentication Header][Original Header][Data]
  ESP, tunnel mode:      [New Header][ESP Header][Original Header][Data][ESP Trailer]        (Original Header and Data encrypted)
Internet Key Exchange (IKE)
SSL (Video #63) (figure: unencrypted vs. SSL)
Remote Authentication
Remote Access / Management Services
• SNMP
• RCP
• RSH
• Telnet
• rlogin
• X11
Domain 5 Identity and Access Management (IAM)
5.1 Control physical and logical access to assets
Access control
Collection of mechanisms that work together to protect the assets of an organization and at the same time, allow controlled access to authorized subjects
Access controls enable management to:
• Specify which users can access the system
• Specify what resources they can access
• Specify what operations they can perform
• Provide individual accountability
Access control principles
Access control applicability
Access control includes all aspects and levels of an organization, in other words assets including:
• Facilities
• Systems / Devices
• Information
• Personnel
Access control system
Logical access modes (Video #22)
Access control is more granular than just allowing subjects to access objects
Administration approaches

5.2 Design identification and authentication strategy (e.g., people, devices, and services)
Access control services (Video #109)
Identification (Video #277)
• Uniquely asserts user/process identity
• Traces activities to individuals
User identification guidelines
Authentication types (factors) (Video #81)
Authentication by Knowledge
Password vault (Video #278)
Application designed to store and manage credentials
Typically, credentials are kept in an encrypted database and protected by a master password
Authentication by Ownership
One-time Passwords
Dynamic: changed after every use or at a set interval
Smart / Memory cards
Form of Authentication by Ownership
Card holds user authentication information
Smart Card
• Credit card sized plastic card
• Embedded semiconductor chip that accepts, stores, and sends information
• Works in collaboration with a reader
Authentication by characteristics (biometric types) (Video #11)
Biometric device considerations
• Processing Speed
• User Acceptance
• Protection of Biometric Data
Biometric device accuracy / Types of errors
Cross Over Error Rate (CER)
Biometric Devices
Templates (Video #184): 1:N vs. 1:1
Factors of authentication
Single-factor authentication
Multi-factor authentication (Video #38)
Password-less authentication
Method of verifying a user's identity without requiring them to enter a password
Relies on alternative forms of verification, such as biometrics, security tokens, or a mobile device
Advantages of password-less authentication (Video #279)
Challenges of password-less authentication
Single sign-on (Video #70)
Pros
• User experience
• Users may create stronger passwords
• Timeout & attempt thresholds enforced
• Centralized administration
Cons
• Single point of failure for compromise & availability
• Inclusion of unique / legacy systems
Kerberos
Provides:
• Accounting
• Authentication
• Auditing
Typical Kerberos issues
SESAME
The Secure European System for Applications in a Multi-Vendor Environment (SESAME)
Authenticator Assurance Levels (AAL)
Measure the robustness of the authentication process
AAL1:
• Some assurance
• Single-factor authentication
• Secure Authentication protocol
AAL2:
• High confidence
• Multi-factor authentication
• Secure Authentication protocol
• Approved cryptographic techniques
AAL3:
• Very high confidence
• Multi-factor authentication
• Secure Authentication protocol
• "Hard" cryptographic authenticator providing proof of possession of key & impersonation resistance
Session management (Video #55)
Session hijacking
How do you prevent session hijacking?
Session termination
Registration and proofing of identity (Video #193)
Federated Identity Management (FIM) (Video #93)
Federated access standards (Authentication / Authorization)
SAML
SAML components
Just-in-Time (JIT) Access
Access is granted only when needed, and for a set period of time, often using automated methods that do not impede productivity
What is the Principle of Access Control? (Video #209)
Accountability (Video #156)
If users have been appropriately ____, appropriately ____, and their actions are ____, then you can have ____

5.3 Federated identity with a third-party service (Video #167)
Cloud-based authentication or identity management
Types of identities / accounts (table columns: Account / Stored / Authentication by)
IDaaS Capabilities

5.4 Implement and manage authorization mechanisms (Video #119)
1. Discretionary Access Control (DAC)
Role-based Access Control (RBAC)
Rule-based access control
Attribute Based Access Control (ABAC)
Role-Based Access Control (RBAC) (Video #175)
Types of RBAC
Groups and Roles
• Groups: administrators can assign permissions to the group instead of individual users, making it easier to manage large numbers of users. User-centric, focusing on the collective identity of users
• Roles: when a user is assigned a role, they are granted the permissions associated with that role. Function-centric, focusing on the job function and the actions that need to be performed
Rule-based access control
Attribute / Context based access control (Video #236)
eXtensible Access Control Markup Language (XACML)
Standard which defines attribute-based access control policy language, architecture, and processing model
2. Mandatory Access Control (MAC)
3. Non-Discretionary Access Control
Access control summary (Video #194)
• Discretionary Access Control (DAC)
• Role-based Access Control (RBAC)
• Rule-based Access Control
• Attribute Based Access Controls (ABAC)
• Mandatory Access Control (MAC)
Access policy enforcement (Video #281)
Enforcing access control policies within an organization to regulate and manage user access
Two key components: PDP & PEP
• Policy Decision Point (PDP)
• Policy Enforcement Point (PEP)

5.5 Manage the identity and access provisioning lifecycle
Provisioning lifecycle (Video #23)
User access review
How often should access reviews be performed?
Which type of accounts should be reviewed most often?
Service accounts (Video #282)
Accounts used by applications, services, or systems to interact with other resources, services, or databases without human intervention
Service accounts management
Focus on ensuring accounts are secured, reducing the risk of unauthorized access or misuse

5.6 Implement authentication systems
Security must be involved in assessing and implementing authentication systems (e.g. SAML, OpenID, OAuth, Kerberos, RADIUS, TACACS+, etc.)

Domain 6 Security Assessment and Testing
6.1 Design and validate assessment, test, and audit strategies
Purpose of Security Assessment and Testing? (Video #157)
Ensure that security requirements / controls are defined, tested, and operating effectively
Security assessment & testing covers both the development of new apps/systems and the ongoing operation
Validation & verification
Validation: Are we building the right product?
Develop a level of confidence that software satisfies all stakeholder requirements as documented
Verification: Are we building the product right?
• Completeness: use cases cover all functionality
• Correctness: each use case accurately represents a requirement
• Consistency: functionality is specified consistently in all areas
Effort to invest in testing?
Testing Strategies
All three strategies can be used in combination based on the type / level of assurance sought
Role of Security Professional
Our role as Security Professionals is to identify risk and advise testing processes to ensure risks are appropriately evaluated
Location (Video #157)
• On-premises: focuses on evaluating the security measures and infrastructure within an organization's physical data centers and facilities
• Cloud: focuses on assessing the security of data and applications hosted in cloud service providers
• Hybrid: assesses the connectivity and security measures in place between on-premise and cloud resources (access management integration, data flow security controls, etc.)
6.2 Conduct security control testing (Video #168)

Software Testing Stages: examples of testing performed
  Plan: Requirements gathering & analysis
  Design: System design, Architecture design, Module design
  Develop / Deploy: Unit, Integration, System, Acceptance, Vulnerability, Log analysis, Performance, Usability
  Operate: Vulnerability, Log analysis, Config. management
  Retire: Integrity of transfer, Defensible destruction of data

When should security become involved in testing?

Testing Techniques
  Methods / Tools | Runtime | Access to Code

Types of fuzzing

Application security testing (Video #187)
  Static Application Security Testing (SAST): Testing method that analyzes source code
  Dynamic Application Security Testing (DAST): Examines an application while it's running

Test types

Equivalence partitioning & boundary value analysis
  [Figure: number line from 0 to 24]

More test types

Testing examples
  Enter a number between 0 and 9: aaa' OR 1=1 --
  Enter a number between 0 and 9: E
  Enter a number between 0 and 9: 2
  Enter a number between 0 and 9: -1 | 0 | 9 | 10
  Enter a number between 0 and 9: -5 | 5 | 15

Decision table & state-based analysis (Video #217)

Test coverage analysis

Vulnerability analysis (Video #169)
  Purpose of vulnerability assessment
  Vulnerability Assessment vs. Penetration Test
  Typical Process
  Red, Blue and Purple Teams (Video #285)

Testing Techniques (Video #158)
  Perspective | Approach | Knowledge
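As an added worked example (not from the workbook), the C program below implements a strict validator for the "Enter a number between 0 and 9" prompt and runs it against the inputs the slide lists: the injection-style string, the letter E, the value 2, the boundary values -1, 0, 9 and 10, and one representative from each equivalence partition (-5, 5, 15). It also adds two extra edge cases (empty and over-long input). The function names, the INPUT_MAX limit and the test table are constructed for this example; the point it demonstrates is that a boundary value test only has meaning when the validator rejects everything outside the partition, including non-numeric and trailing text.

```c
/* Added example (not from the workbook): equivalence partitioning and
 * boundary value analysis applied to the prompt "Enter a number between
 * 0 and 9". The validator, the helper names and the test table are
 * constructed for this example. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define INPUT_MAX 32   /* longest input accepted; longer input is rejected, not truncated */

/* Strict validator: accepts only a base-10 integer in [0, 9] with nothing
 * before or after the digits. Returns 1 and stores the value on success,
 * 0 on rejection (the caller's *out is untouched when rejected). */
int validate_digit_input(const char *s, int *out)
{
    char *end;
    long v;

    if (s == NULL || *s == '\0')
        return 0;                      /* empty input */
    if (strlen(s) >= INPUT_MAX)
        return 0;                      /* parameter / bounds check on length */

    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE)
        return 0;                      /* numeric overflow */
    if (end == s || *end != '\0')
        return 0;                      /* no digits, or trailing text such as "' OR 1=1 --" */
    if (v < 0 || v > 9)
        return 0;                      /* range check: the boundaries are 0 and 9 */

    *out = (int)v;
    return 1;
}

/* Convenience wrapper: 1 if the input is accepted, 0 if rejected. */
int accepts(const char *s)
{
    int v = 0;
    return validate_digit_input(s, &v);
}

/* One row of the test table: an input and the expected verdict. */
struct test_case {
    const char *input;
    int expect_accept;
};

/* Constructed test table mirroring the slide: malformed input, the
 * boundary values -1, 0, 9, 10, one representative from each
 * equivalence partition (-5, 5, 15), plus two extra edge cases. */
static const struct test_case CASES[] = {
    { "aaa' OR 1=1 --",        0 },  /* malformed / injection-style input */
    { "E",                     0 },  /* non-numeric */
    { "2",                     1 },  /* ordinary valid value */
    { "-1",                    0 },  /* just below the lower boundary */
    { "0",                     1 },  /* lower boundary (valid) */
    { "9",                     1 },  /* upper boundary (valid) */
    { "10",                    0 },  /* just above the upper boundary */
    { "-5",                    0 },  /* partition: negative numbers */
    { "5",                     1 },  /* partition: 0..9 */
    { "15",                    0 },  /* partition: numbers above 9 */
    { "",                      0 },  /* extra: empty input */
    { "99999999999999999999",  0 },  /* extra: overflows long, caught by ERANGE */
};

/* Runs the whole table; returns how many cases gave an unexpected verdict
 * (0 means every partition and boundary behaved as designed). */
int run_boundary_tests(void)
{
    int failures = 0;
    for (size_t i = 0; i < sizeof(CASES) / sizeof(CASES[0]); i++) {
        if (accepts(CASES[i].input) != CASES[i].expect_accept) {
            printf("unexpected verdict for input \"%s\"\n", CASES[i].input);
            failures++;
        }
    }
    return failures;
}

int main(void)
{
    int failures = run_boundary_tests();
    printf("%d unexpected verdict(s)\n", failures);
    return failures == 0 ? 0 : 1;
}
```

The table is the test artefact a reviewer wants to see alongside a validator: each row names the partition or boundary it exercises, so a missing row (for instance, no value just above the upper boundary) is visible as a coverage gap rather than hidden in ad-hoc manual testing.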
Automated vulnerability scanners
  Scan networks, computers & applications for known vulnerabilities

Additional testing techniques
  Automated Vulnerability scanners
  Manual tools & techniques: Network devices; Systems: OS & Applications; Physical Security; Social Engineering

Banner grabbing & Fingerprinting
  Using active or passive techniques to identify a system's specific operating system, applications & versions

Interpreting & understanding results
  False positives & false negatives

Security Content Automation Protocol (SCAP) (Video #286)
  • Asset Reporting Format (ARF)
  • Common Configuration Enumeration (CCE)
  • Common Platform Enumeration (CPE)
  • Open Vulnerability and Assessment Language (OVAL)
  • Open Checklist Interactive Language (OCIL)
  • Trust Model for Security Automation Data (TMSAD)
  • The Extensible Configuration Checklist Description Format (XCCDF)
  • Software Identification (SWID)

Breach attack simulation
  Continuous, automated penetration testing and remediation

SCAP vs. Breach Attack Simulation
  SCAP: Suite of standards for automating the process of assessing the security of systems and monitoring the security posture of network devices and systems. Combines multiple open standards to enumerate software flaws and configurations, identify systems, assess the severity of security vulnerabilities, and measure the impact of vulnerabilities.
  BAS: BAS tools mimic the actions of attackers to test the defenses of the network continuously and automatically. Main goal is to provide real-world scenarios to test how well a network can withstand attacks and to help organizations improve their security measures based on the results.

Compliance checks
  Review and analyze controls to make sure they meet security requirements

Log reviews / analysis (Video #170)
Logging overview
  • Generation
  • Transmission
  • Collection
  • Normalization
  • Analysis
  • Retention
  • Disposal
Log data generation
Limiting log sizes
Log event time
Operational Testing - Synthetic Transactions & RUM (Video #56)
Regression testing

Reporting testing results
  • Objective Pass / Fail Decisions
  • Right detail for the right audience
  • Metrics that matter

6.3 Collect security process data (e.g., technical and administrative) (Video #159)

SMART Metrics
  • Specific - Result clearly stated and easy to understand?
  • Measurable - Result can be measured / have the data?
  • Actionable - Results can drive desired outcomes?
  • Relevant - Aligned to business strategy?
  • Timely - Results available when needed?

Key performance and risk indicators
  Key performance indicators:
    • Metrics that indicate the achievement of performance targets
    • Provide insights about risk events that have already affected the organization
  Key risk indicators:
    • Metrics that indicate the level of exposure to operational risk
    • Help to better monitor potential future shifts in risk conditions or new emerging risks

How do you decide what to focus metrics on?

Example areas for metrics
  • Account management
  • Management review and approval
  • Backup verification
  • Training and awareness
  • Disaster Recovery (DR) and Business Continuity (BC)

6.4 Analyze test output and generate report (Video #210)

Error handling
  Handling exceptions in automated testing & ensuring the test execution flow is not interrupted

Remediation
  • Address output of testing and assessments.
  • Security will support and advise.
  • Ultimate accountability rests with owners and management.

Ethical disclosure
  Testing should involve all relevant stakeholders and every finding of testing should be released and disclosed to all interested parties (even if it will delay implementation / increase costs).
6.5 Conduct or facilitate security audits (Video #24)

Audit & Assessment

Audit approaches
  Internal | External | Third-party
  SAS70 > SSAE16 > SSAE18
  ISAE 3402 / SSAE18
  Third-party Audit reports

Audit Roles & Responsibilities

Domain 7 Security Operations

7.1 Understand and comply with investigations

Securing the scene
  Need to conduct reliable investigations that will stand up to scrutiny and cross-examination

Forensic Investigation Process
  Identify the scene, Protect, Identify evidence, Collect, Minimize

Evidence collection and handling
Sources of information / evidence
Locard's Exchange Principle
  When a crime is committed, the perpetrators will
MOM

Types of evidence (Video #135, Video #216)
  Circumstantial Evidence: Suggests a fact by implication or inference. Can prove an intermediate fact.
  Corroborative Evidence: Supports facts or elements of the case; not a fact on its own, but supports other facts.
  Hearsay Evidence: Statements made by witnesses who were not present. No firsthand proof of accuracy or reliability.

Digital / Computer forensics
  Scientific examination & analysis of data from storage media in such a way that the information can be used as evidence in a court of law

Live evidence
  Examining a live system changes the state of the evidence
Forensic Copies
Investigative Techniques
Why is it harder to do forensic analysis of mobile devices?
Chain of Custody

Five Rules of Evidence (Video #160)

Digital forensics tools, tactics, and procedures
  Running computers require immediate decisions
  Tools:
  • Malware analysis
  • Log analysis
  • Social media account analysis
  • Traces
  • Mobile device analysis

Reporting and documentation
  Prepare to present evidence to relevant stakeholders:
  • Opposition
  • Judge / Jury
  • Regulators
  • Investors
  • Insurers
Types of investigations (Video #171)

7.2 Conduct logging and monitoring activities (Video #147)

Logging & monitoring
Security Information and Event Management (SIEM)
SIEM Capabilities
Example sources of event data
  • Security appliances
  • Network devices
  • DLP
  • Data activity
  • Applications
  • Operating systems
  • Servers
  • IPS/IDS
Continuous monitoring

7.3 Perform Configuration Management (CM) (Video #161)
Asset Inventory
Asset Management
Configuration management
  • Identify assets to keep under control
  • Configure assets
  • Document configuration
  • Verify configuration

7.4 Apply foundational security operations concepts (Video #162)

Need to know / Least Privileges
  Need-to-know: Restricting a user's KNOWLEDGE (access to data) to only the data required for them to perform their role
  Least Privileges: Restricting a user's ACTIONS to only those required for them to perform their role
Separation of duties and responsibilities
Privileged account management
Job rotation
Service Level Agreements (SLA)

7.5 Apply resource protection (Video #136)

Protecting media
Media
  • Paper
  • Microforms (microfilm & microfiche)
  • Magnetic (HD, disks & tapes)
  • Flash memory (SSD & memory cards)
  • Optical (CD & DVD)
Media management
  • Confidentiality
  • Access speeds
  • Portability
  • Durability
  • Media format
  • Data format
Hardware and software asset management
  • Asset management lifecycle
  • Inventories
  • Patching
  • Software licensing
  • Secure configuration
7.6 Conduct incident management (Video #148)

Incident Management
Goals of Incident Response
  • Provide an effective & efficient response to reduce impact to the organization
  • Maintain or restore business continuity
  • Defend against future attacks

Events and Incidents
Detection examples
  • IPS/IDS
  • DLP
  • Anti-malware
  • SIEM
  • Administrative Review
  • Motion Sensor
  • Camera
  • Guard
Examples of incidents
  • Malware
  • Hacker attack
  • Terrorist attack
  • Insider attack
  • Employee error
  • System error
  • Data corruption
  • Workplace injury

Incident Response

7.7 Operate and maintain detective and preventative measures (Video #12)
Malware
Types of malware
Zero Day (Video #39)
Anti-malware
Updating

Machine Learning (ML) and Artificial Intelligence (AI) based tools (Video #206)
  • Empower systems to use data to learn and improve without being explicitly programmed
  • Uses mathematical models to analyze patterns which are then used to make predictions
ML / AI security application
  • Threat detection and classification
  • Network risk scoring
  • Automate routine security tasks and optimize human analysis
  • Respond to cyber crime:
    o Unauthorized access
    o Evasive malware
    o Spear phishing

7.8 Implement and support patch and vulnerability management (Video #163)
Patch management
  Proactive process to create a consistently configured environment that is secure against known vulnerabilities
Determining patch levels
Deploying patches

7.9 Understand and participate in change management processes (Video #57)
Change management
  Ensures that costs & benefits of changes are analyzed and changes are made in a controlled manner to reduce risks
Change Management Process
  Change request, Assess impact, Approval, Build & test, Notification, Implement, Validation, Version & baseline
7.10 Implement recovery strategies
Failure modes (Video #189)
Backup storage strategies (Video #83)
Archive bit
Incremental vs. Differential

Backup strategy summary
  Type | Data backed up | Backup time | Restore time | Storage

Backup storage strategies
  Determine how and where data is stored for recovery in case of data loss, corruption, or disaster

3 – 2 – 1 Rule (Video #310)
  • 3 copies of critical files
  • 2 backups on different media
  • 1 backup stored offsite

Spare parts (Video #322)

RAID (Video #287)
  RAID 0 – Striping (Raid controller; Disk 0, Disk 1)
  RAID 1 – Mirroring (Raid controller; Disk 0, Disk 1)
  RAID 10 – Mirroring & Striping
  RAID 5 – Parity Protection (Raid controller; Disk 0, Disk 1, Disk 2)
  RAID 6 – Double Parity Protection
RAID summary
  RAID | Data Redundancy | Read / Write Performance | Min. # of Drives
Cyclic Redundancy Check (CRC)
Clustering vs Redundancy

Recovery Site Strategies (Video #288)
  Site types: Cold | Warm | Hot | Mobile | Redundant | Multiple Processing Sites
  Compared on: People, Data, Computer Hardware, Basic Equipment, Infrastructure / HVAC, Cost, Recovery
  Geographically remote / geographic disparity
Multiple Processing Sites
Internal vs. External Recovery Sites
Reciprocal Agreements
Resource Capacity Agreements
  • Pre-arranged agreements with vendors to secure the necessary resources needed after a disruptive event
  • Ensure an organization has access to resources at a recovery site
Disaster Recovery Solutions Summary
System resilience, high availability, Quality of Service (QoS), and fault tolerance
  • Clustering
  • Redundancy
  • Replication
  • Spare parts
  • RAID
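As an added example (not from the workbook; the disk contents and function names are constructed for it), the C program below shows what "parity protection" means for the RAID 5 slide above: the parity block is the XOR of the data blocks in a stripe, a single lost disk is rebuilt from parity plus the surviving disks, and a double failure leaves only the XOR of the two missing blocks, which is why RAID 6 adds a second, independent parity block.

```c
/* Added example (not from the workbook): how RAID 5 parity protection
 * survives the loss of one disk. Each stripe's parity block is the XOR of
 * its data blocks, so any single missing block can be rebuilt by XORing
 * the parity with the surviving blocks. The "disks" are constructed
 * in-memory byte arrays; function names are this example's own. */
#include <stdio.h>
#include <string.h>

#define STRIPE_BYTES 8
#define DATA_DISKS   3   /* three data disks + one parity disk = 4 drives */

/* Constructed stripe: one 8-byte block on each data disk. */
static const unsigned char DISKS[DATA_DISKS][STRIPE_BYTES] = {
    { 'A', 'L', 'P', 'H', 'A', '-', '0', '1' },
    { 'B', 'R', 'A', 'V', 'O', '-', '0', '2' },
    { 'C', 'H', 'A', 'R', 'L', 'I', 'E', '3' },
};

/* Parity block for the stripe: XOR of every data block. */
void compute_parity(const unsigned char data[DATA_DISKS][STRIPE_BYTES],
                    unsigned char parity[STRIPE_BYTES])
{
    memset(parity, 0, STRIPE_BYTES);
    for (int d = 0; d < DATA_DISKS; d++)
        for (int i = 0; i < STRIPE_BYTES; i++)
            parity[i] ^= data[d][i];
}

/* Rebuild the block that lived on data disk `failed` using the parity
 * block and the surviving disks only. Returns 0 on success, -1 if
 * `failed` is not a valid data-disk index. */
int rebuild_block(const unsigned char data[DATA_DISKS][STRIPE_BYTES],
                  const unsigned char parity[STRIPE_BYTES],
                  int failed, unsigned char out[STRIPE_BYTES])
{
    if (failed < 0 || failed >= DATA_DISKS)
        return -1;
    memcpy(out, parity, STRIPE_BYTES);
    for (int d = 0; d < DATA_DISKS; d++) {
        if (d == failed)
            continue;                 /* this disk is gone; never read it */
        for (int i = 0; i < STRIPE_BYTES; i++)
            out[i] ^= data[d][i];
    }
    return 0;
}

/* Simulate losing data disk `failed` and check that the rebuilt block is
 * identical to the original. Returns 1 if recovered, 0 otherwise. */
int raid5_recovers_from_single_failure(int failed)
{
    unsigned char parity[STRIPE_BYTES];
    unsigned char rebuilt[STRIPE_BYTES];

    compute_parity(DISKS, parity);
    if (rebuild_block(DISKS, parity, failed, rebuilt) != 0)
        return 0;
    return memcmp(rebuilt, DISKS[failed], STRIPE_BYTES) == 0;
}

/* Why RAID 5 tolerates only one failure: with two data disks gone, parity
 * minus the survivors yields only the XOR of the two missing blocks, not
 * either block on its own. Returns 1 when that residue equals the XOR of
 * the two lost originals (the information survives only in combined form),
 * 0 for invalid disk indices. */
int two_failures_leave_only_xor(int lost_a, int lost_b)
{
    unsigned char parity[STRIPE_BYTES];
    unsigned char residue[STRIPE_BYTES];

    if (lost_a == lost_b || lost_a < 0 || lost_b < 0 ||
        lost_a >= DATA_DISKS || lost_b >= DATA_DISKS)
        return 0;
    compute_parity(DISKS, parity);
    memcpy(residue, parity, STRIPE_BYTES);
    for (int d = 0; d < DATA_DISKS; d++) {
        if (d == lost_a || d == lost_b)
            continue;
        for (int i = 0; i < STRIPE_BYTES; i++)
            residue[i] ^= DISKS[d][i];
    }
    for (int i = 0; i < STRIPE_BYTES; i++)
        if (residue[i] != (unsigned char)(DISKS[lost_a][i] ^ DISKS[lost_b][i]))
            return 0;
    return 1;
}

int main(void)
{
    for (int d = 0; d < DATA_DISKS; d++)
        printf("disk %d lost: %s\n", d,
               raid5_recovers_from_single_failure(d) ? "rebuilt OK" : "NOT recovered");
    printf("two disks lost, only their XOR survives: %s\n",
           two_failures_leave_only_xor(0, 1) ? "yes" : "no");
    return 0;
}
```

Parity is a redundancy mechanism, not a backup: it protects availability against a drive failure in the same array, but a deleted or corrupted file is faithfully reflected in the parity, which is why the 3-2-1 rule above still applies to a RAID-protected system.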
7.11 Implement Disaster Recovery (DR) processes (Video #34)
A disaster is:
Focus of business continuity

BCM, BCP & DRP
  BCM: Business Continuity Management
  BCP: Business Continuity Planning
  DRP: Disaster Recovery Planning
  [Figure: BCM cycle diagram showing Business Impact Analysis (BIA), RTO, RPO, WRT, MTD and Test & Maintain]

BCP vs DRP (Video #323)

BCP / DRP Steps
  1. A formal policy provides the authority and guidance necessary to develop an effective contingency plan
  2. BIA helps identify and prioritize information systems and components critical to supporting the organization's mission/business processes
  3. Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs
  4. Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption
  5. Develop contingency plan(s)
  6. Testing validates recovery capabilities. Training prepares recovery personnel for plan activation. Exercising the plan identifies planning gaps.
  7. Plan should be a living document that is updated regularly

Business Impact Analysis (BIA) (Video #50)
  The BIA is a functional analysis that identifies the impacts should an outage occur. Impact is measured by the following:
  • Organizational Reputation
  • Allowable Business Interruption – the Maximum Tolerable Downtime
  • Financial and Operational Considerations
  • Regulatory Requirements
Three primary goals of BIA
  1.
  2.
  3.

The BIA Process

MTD, RTO, RPO, WRT
  Values determined through the BIA (Business Impact Assessment) process
  [Figure: timeline with RPO on the left (Years < Months < Weeks < Days < Hours < Minutes) and RTO on the right (Minutes > Hours > Days > Weeks > Months > Years)]

External Dependencies (Video #292, Video #293)
Declaring a Disaster
Response Personnel
Communications
Restoration Order
  How is the order determined for restoring systems?
Dependency charts
  What systems / operations should be moved FIRST to DR site?
  Once primary site is fixed, what systems / operations should be moved back FIRST?

7.12 Test Disaster Recovery Plans (DRP) (Video #58)
  Type | Description | Affects backup / parallel systems | Affects production systems
  When should a full-interruption test be performed?

7.13 Participate in Business Continuity (BC) planning and exercises (Video #41)
Goals of BCM
  1.
  2.
  3.
Focus of BCM

7.14 Implement and manage physical security
  We covered Physical Security in Domain 3

7.15 Address personnel safety and security concerns (Video #296)
Personnel safety and security

Domain 8 Software Development Security

8.1 Understand and integrate security in the Software Development Life Cycle (SDLC) (Video #214)
Security's involvement in development
SDLC & SLC

Development & maintenance lifecycle
  Requirements Analysis, Functional Design, Detailed Design, Development / Construction, Testing, Deployment / Production, Maintenance
  (Define, Design, Develop, Deliver)

Development methodologies
Waterfall vs. Agile
Agile
Scrum Master
  • Shields team from external interference
  • Enforces scrum principles
  • Facilitator & removes barriers
  • Enables close cooperation
  • Improves productivity
Integrated Product Team

DevOps Security (Video #312)
  Many traditional security techniques are too slow for rapid iteration of DevOps: Pen tests, WAFs, analysis
  Integrating security into DevOps:
  • Plan for security
  • Strong engagement between developers and security
  • Engage developers
  • Develop using secure techniques and frameworks
  • Automate security testing
  • Use traditional techniques sparingly
Combining Development Methodologies

Development methodologies summary
  Waterfall: Linear approach - each phase must be completed fully before the next begins. Can be inflexible.
  Agile: Focuses on iterative development and frequent feedback loops - collaboration between small self-organizing, cross-functional teams.
  DevOps: Combines software development (Dev) and IT operations (Ops), aiming to shorten the systems development life cycle and provide continuous delivery.
  SecDevOps: Extends the DevOps approach by integrating security practices.

Canary Deployment / Testing (Video #191)
Maturity models (Video #297)
Capability Maturity Model Integration (CMMI) (Video #313)
Operation and maintenance

Change management (review)
  Request for Changes (Service Request, Incident Management, SLA), Change Management Requests, Security Impact Assessment, Approval, Build & Test, Notify, Implement, Validate, Version & Baseline
  Configuration Management; Release Management

8.2 Identify and apply security controls in development environments (Video #215)

Programming Language Generations
  Generation | Type of language | Examples
  1 | Machine languages | Strings of numbers that CPU can process (low-level language)
  2 | Assembly languages | Cryptic (low-level language)
  3 | Structured languages | Pascal, C, Cobol, Fortran (high-level language)
  4 | Object oriented languages | C++, Visual Basic (high-level language)
  5 | Natural language | Prolog (high-level language)

Integrated Development Environment (IDE)
  Application that provides comprehensive facilities for software development
  • Code editor
  • Compiler
  • Debugger
  • Automation of tasks

Programming Language Translators
  • Reads entire program and then converts low-level assembly language into machine language
  • Reads entire program and then converts high-level language into machine language
  • Converts high-level language one line at a time into machine language at runtime

Continuous Integration, Delivery & Deployment
SOAR (Security Orchestration, Automation, and Response)
  Collection of software solutions and tools that streamline and automate security operations in three key areas:
  • threat and vulnerability management
  • incident response
  • security operations automation

Software Configuration Management (SCM)
  • Process to systematically manage, organize, and control the changes in the documents, codes, etc. during the SDLC
  • Should be part of overall configuration management / change management
  • Goal is to increase productivity while minimizing mistakes

Secure Programming (Video #237)
Polyinstantiation
  Can be used to prevent unauthorized inference. Allows the same data to exist at different classification levels.
Software / code obfuscation
  Intentionally creating source code that is difficult for humans to understand. Makes it difficult to reverse engineer. Conceals the purpose of the code.
Security of the Software Environments

Databases (Video #6)
  Components of DBMS
  Database Management Systems (DBMS)
  Relational Database
  Databases: Attributes & Tuples
  Databases: Primary & Foreign Keys
  Database Terms: Tuple, Attribute, Field, Primary Key, Foreign Key
  Concurrency & Locks
  Locks & Concurrency Controls
  ACID (A, C, I, D)
  Metadata (Video #197)

8.3 Assess the effectiveness of software security (Video #49)
Assess the Effectiveness of Software Security
  • Risk analysis and mitigation
  • Auditing and logging of changes
  • Logging & monitoring
  • Internal & external audit
  • Procurement process
  • Certification & accreditation
  • Testing & verification
  • Code signing
8.4 Assess security impact of acquired software (Video #33)
Acquiring Software
Software Assurance Phases for Acquisition
  • Planning / requirements
  • Contracting
  • Acceptance
  • Monitoring & follow-on
Involve security function in assessing:
  • Commercial off the shelf (COTS)
  • Open Source
  • Third-party
  • Managed Services (e.g. SaaS)

8.5 Define and apply secure coding guidelines and standards (Video #314, Video #77)
Security Weaknesses and Vulnerabilities at the Source-Code Level
  • Covert channels
  • Buffer overflows
  • Memory / object reuse
  • Executable mobile code
  • TOCTOU
  • Backdoors / trapdoors
  • Malformed input
  • Citizen developers

Buffer Overflow
Buffer Overflow Prevention
  • Parameter / bounds checking
  • Address Space Layout Randomization (ASLR)
  • Improve software development process
  • Run-time checking of array & buffer bounds
  • Use safe programming languages & library functions

APIs
Application Programming Interfaces (APIs)
  Used to interact with web-based applications
Security of Application Programming Interfaces
  • Authentication & authorization (access tokens / OAuth)
  • Encryption (TLS)
  • Data validation
  • API gateways
  • Quotas & throttling
  • Testing & validation

Secure coding practices
  • Input validation
  • Authentication & password management
  • Session management
  • Cryptographic practices
  • Error handling & logging
  • System configuration
  • File / database security
  • Memory management

Exam Strategy