Week 1 discussion -834 spring 2021
After this weeks readings and your own research, describe and discuss ways, if any, we can safely share security data.Are there precautions we can take, technical solutions we can use, e.g., like using the CIA triad, or should we just not share these kinds of data? Feel free to argue for and against, just make sure to back up your statements with scholarly support.
- Ask an interesting, thoughtful question pertaining to the topic
- Answer a question (in detail) posted by another student or the instructor
- Provide extensive additional information on the topic
- Explain, define, or analyze the topic in detail
- Share an applicable personal experience
- Provide an outside source (for example, an article from the UC Library) that applies to the topic, along with additional information about the topic or the source (please cite properly in APA 7)
- Make an argument concerning the topic.
At least one scholarly source should be used in the initial discussion thread. Be sure to use information from your readings and other sources from the UC Library. Use proper citations and references in your post.
CISSP
Certified Information Systems
Security Professional
Copyright ©
2
0
1
8
by John Wiley & Sons, Inc., Indianapolis, Indiana.
Used with permission.
1
CISSP Focus
CISSP focuses on security:
Design
Architecture
Theory
Concept
Planning
Managing
2
Topical Domains
Security and Risk Management
Asset Security
Security Architecture and Engineering
Communication and Network Security
Identity and Access Management (IAM)
Security Assessment and Testing
Security Operations
Software Development Security
3
Exam Topic Outline
www.isc2.org/Certifications/CISSP
Download the CISSP Exam Outline
Previously known as the Candidate Information Bulletin
4
Prequalifications
For taking the CISSP exam:
5
years full-time paid work experience
Or, 4 years experience with a recent college degree
Or, 4 years experience with an approved security certification, such as CAP, CISM, CISA, Security+, CCNA Security, MCSA, MCSE, and GIAC
Or, Associate of (ISC)2 if you don’t yet have experience
Agree to (ISC)2 Code of Ethics
5
CISSP Exam Overview
CISSP-CAT (Computerized Adaptive Testing)
Minimum
10
0 questions
Maximum
15
0 questions
25 unscored items mixed in
3 hours to take the exam
No score issues, just pass or fail
Must achieve “passing standard” for each domain within the last
7
5 questions seen
6
Exam Retakes
Take the exam a maximum of 3 times per
12
-month period
Wait 30 days after your first attempt
Wait an additional
9
0 days after your second attempt
Wait an additional 180 days after your third attempt
You will need to pay full price for each additional exam attempt.
7
Question Types
Most questions are standard multiple choice with four answer options with a single correct answer
Some questions require to select two, select three, or select all that apply
Some questions may be based on a provided scenario or situation
Advanced innovative questions may require drag-and-drop, hot-spot, or re-order tasks
8
Exam Advice
Work promptly, don’t waste time, keep an eye on your remaining time
It is not possible to return to a question.
Try to reduce/eliminate answer options before guessing
Pay attention to question format and how many answers are needed
Use the provided dry-erase board for notes
9
Updates and Changes
As updates, changes, and errata are need for the book, they are posted online at:
www.wiley.com/go/cissp8e
Visit and write in the corrections to your book!
10
Exam Prep Recommendations
Read each chapter thoroughly
Research each practice question you get wrong
Complete the written labs
View the online flashcards
Use the 6 online bonus exams to test your knowledge across all of the domains
Consider using: (ISC)² CISSP Official Practice Tests, 2nd Edition (ISBN:978-1-
11
9-47592-7)
11
Completing Certification
Endorsement
A CISSP certified individual in good standing
Within 90 days of passing the exam
After CISSP, consider the post-CISSP Concentrations:
Information Systems Security Architecture Professional (ISSAP)
Information Systems Security Management Professional (ISSMP)
Information Systems Security Engineering Professional (ISSEP)
12
Book Organization 1/2
Security and Risk Management
Chapters 1-4
Asset Security
Chapter 5
Security Architecture and Engineering
Chapters 6-10
Communication and Network Security
Chapters 11-12
13
Book Organization 2/2
Identity and Access Management (IAM)
Chapters 13-
14
Security Assessment and Testing
Chapter 15
Security Operations
Chapters
16
-19
Software Development Security
Chapters 20-21
14
Study Guide Elements
Exam Essentials
Chapter Review Questions
Written Labs
Real-World Scenarios
Summaries
15
Additional Study Tools
www.wiley.com/go/cissptestprep
Electronic flashcards
Glossary in PDF
Bonus Practice Exams:
6x 150 question practice exams covering the full range of domain topics
16
Chapter 1
Security Governance Through Principles and Policies
Understand and Apply Concepts of
,
Integrity
, and
Availability
CIA Triad
AAA Services
Protection Mechanisms
overview
CIA Triad
Confidentiality
Integrity
Availability
Confidentiality
Sensitivity
Discretion
Criticality
Concealment
Secrecy
Privacy
Seclusion
Isolation
Integrity 1/3
Preventing unauthorized subjects from making modifications
Preventing authorized subjects from making unauthorized modifications
Maintaining the internal and external consistency of objects
Integrity 2/3
Accuracy: Being correct and precise
Truthfulness: Being a true reflection of reality
Authenticity: Being authentic or genuine
Validity: Being factually or logically sound
Nonrepudiation: Not being able to deny having performed an action or activity or being able to verify the origin of a communication or event
Integrity 3/3
Accountability: Being responsible or obligated for actions and results
Responsibility: Being in charge or having control over something or someone
Completeness: Having all needed and necessary components or parts
Comprehensiveness: Being complete in scope; the full inclusion of all needed elements
Availability
Usability: The state of being easy to use or learn or being able to be understood and controlled by a subject
Accessibility: The assurance that the widest range of subjects can interact with a resource regardless of their capabilities or limitations
Timeliness: Being prompt, on time, within a reasonable time frame, or providing low latency response
AAA Services
Identification
Authentication
Authorization
Auditing
Accounting/
Accountability
Protection Mechanisms
Layering/Defense in Depth
Abstraction
Data Hiding
Security through obscurity
Encryption
Evaluate and Apply Security Governance Principles
Alignment of Security Function
Security Management Plans
Organizational Processes
Change Control/Management
Data Classification
Organizational Roles and Responsibilities
Security Control Frameworks
Due Care and Due Diligence
overview
Alignment of Security Function
Alignment to Strategy, Goals, Mission, and Objectives
Security Policy
Based on business case
Top-Down Approach
Senior Management Approval
Security Management:
InfoSec team, CISO, CSP, ISO
Security Management Plans
Strategic
Tactical
Operational
Organizational Processes
Security governance
Acquisitions and divestitures risks:
Inappropriate information disclosure
Data loss
Downtime
Failure to achieve sufficient return on investment (ROI)
Change Control/
Management 1/2
Implement changes in a monitored and orderly manner. Changes are always controlled.
A formalized testing process is included to verify that a change produces expected results.
All changes can be reversed (also known as backout or rollback plans/procedures).
Users are informed of changes before they occur to prevent loss of productivity.
Change Control/
Management 2/2
The effects of changes are systematically analyzed to determine whether security or business processes are negatively affected.
The negative impact of changes on capabilities, functionality, and performance is minimized.
Changes are reviewed and approved by a change approval board (CAB).
Data Classification 1/2
Determines: effort, money, and resources
Government/military vs. commercial/private sector
Declassification
Data Classification 2/2
1. Identify the custodian, define responsibilities.
2. Specify the evaluation criteria.
3. Classify and label each resource.
4. Document any exceptions.
5. Select the security controls for each level.
6. Specify declassification and external transfer.
7. Create an enterprise-wide awareness program.
Organizational Roles and Responsibilities
Senior Manager
Security Professional
Data Owner
Data Custodian
User
Auditor
Security Control Frameworks
COBIT (see next slide)
Used to plan the IT security of an organization and as a guideline for auditors
Information Systems Audit and Control Association (ISACA)
Open Source Security Testing Methodology Manual (OSSTMM)
ISO/IEC 27001 and 27002
Information Technology Infrastructure Library (ITIL)
Control Objectives for Information and
Related Technologies (COBIT)
Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End-to-End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance From Management
Due Care and Due Diligence
Due care is using reasonable care to protect the interests of an organization.
Due diligence is practicing the activities that maintain the due care effort.
Develop, Document, and Implement
Security Policy, Standards, Procedures, and Guidelines
Security Policies
Security Standards, Baselines, and Guidelines
Security Procedures
overview
Security Policies
Defines the scope of security needed by the organization
Organizational, issue-specific, system-specific
Regulatory, advisory, informative
Security Standards, Baselines, and Guidelines
Standards define compulsory requirements
Baselines define a minimum level of security
Guidelines offer recommendations on how standards and baselines are implemented
Security Procedures
Standard operating procedure (SOP)
A detailed, step-by-step how-to
To ensure the integrity of business processes
Understand and Apply Threat Modeling Concepts and Methodologies
Threat Modeling
Identifying Threats
Threat Categorization Schemes
Determining and Diagramming Potential Attacks
Performing Reduction Analysis
Prioritization and Response
overview
Threat Modeling
Microsoft’s Security Development Lifecycle (SDL)
“Secure by Design, Secure by Default, Secure in Deployment and Communication”
(also known as SD3+C)
Proactive vs. reactive approach
Identifying Threats
Focused on Assets
Focused on Attackers
Focused on Software
Threat Categorization Schemes
STRIDE
Process for Attack Simulation and Threat Analysis (PASTA)
Trike
Visual, Agile, and Simple Threat (VAST)
STRIDE
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service
Elevation of privilege
PASTA 1/2
Stage I: Definition of the Objectives (DO) for the Analysis of Risks
Stage II: Definition of the Technical Scope (DTS)
Stage III: Application Decomposition and Analysis (ADA)
Stage IV: Threat Analysis (TA)
Stage V: Weakness and Vulnerability Analysis (WVA)
Stage VI: Attack Modeling and Simulation (AMS)
Stage VII: Risk Analysis and Management (RAM)
PASTA 2/2
Determining and Diagramming Potential Attacks
Diagram the infrastructure
Identify data flow
Identify privilege boundaries
Identify attacks for each diagrammed element
Diagramming to Reveal Threat Concerns
Performing Reduction Analysis
Decomposing
Trust boundaries
Data flow paths
Input points
Privileged operations
Details about security stance and approach
Prioritization and Response
Probability × Damage Potential ranking
High/medium/low rating
DREAD system
Damage potential
Reproducibility
Exploitability
Affected users
Discoverability
Apply Risk-Based Management
Concepts to the Supply Chain
Resilient integrated security
Cost of ownership
Outsourcing
Integrated security assessments
Monitoring and management
On-site assessment
Document exchange and review
Process/policy review
Third-party audit (AICPA SOC1 and SOC2)
Conclusion
Read the Exam Essentials
Review the Chapter
Perform the Written Labs
Answer the Review Questions