CISSP PROCESS GUIDE

After passing the CISSP exam, and for the purpose of benefiting others with
the knowledge and experience I gained during my study term, I have
summarized the main basic concepts in a general overview. I am hoping
this consolidation of core concepts and processes will benefit those
interested in becoming members of the CISSP study group and the
community.
The intention of this document is to be supplementary, not a replacement
for officially published study guides and books. I may have added multiple
definitions of the same process or procedure due to the varying definitions
from different resources such as the Official CBK, Sybex, NIST publications,
SANS papers, or the AIO Shon Harris books. If you encounter any conflicts,
please refer to the latest Official CISSP CBK. As a CISSP candidate, you
should fully understand CISSP concepts, methodologies and their
implementations within the organization.
Please do not try any shortcuts when it comes to reading books and gaining
knowledge. This quick reference should be used as a fast recap of
security concepts. It’s important that you read the Official CISSP books first and
then use these notes to get a recap of what you have read. I wish you good
luck for the CISSP exam.
Fadi Sodah (aka madunix) CISSP CISA CFR ICATE
https://www.linkedin.com/in/madunix/
CISSP is a registered certification mark of (ISC)2, Inc.
Disclaimer: Fadi Sodah is not affiliated with or endorsed by (ISC)2
If you find this document useful, please consider making a donation to help defray the costs of the bandwidth and hosting services
required to distribute it. Every little bit helps. https://www.studynotesandtheory.com/single-post/Donations
CISSP PROCESS GUIDE |V.19| made by madunix | SNT FB group|2018

Corporate Governance:
Corporate governance is the set of responsibilities and practices exercised by the board and
executive management with the goal of providing strategic direction, ensuring that objectives are
achieved, ascertaining that risk is managed appropriately and verifying that the enterprise's
resources are used responsibly.
+ Auditing supply chains
+ Board and management structure and process
+ Corporate responsibility and compliance
+ Financial transparency and information disclosure
+ Ownership structure and exercise of control rights
Governance, Risk and Compliance (GRC):
The process of how an organization manages its information resources. This process usually
includes all aspects of how decisions are made for that organization, such as policies, roles and
procedures the organization uses to make those decisions. It is designed to ensure the business
focuses on core activities, clarifies who in the organization has the authority to make decisions,
determines accountability for actions and responsibility for outcomes, and addresses how
expected performance will be evaluated.
Areas of focus for IT Governance:
+ Strategic alignment
+ Value delivery
+ Resource management
+ Risk management
+ Performance management
Governance vs. Management:
+ Oversight vs. implementation
+ Assigning authority vs. authorizing actions
+ Enacting policy vs. enforcing policy
+ Accountability vs. responsibility
+ Strategic planning vs. project planning
+ Resource allocation vs. resource utilization
Note: Governance: (What do we need to accomplish). Governance typically focuses on the
alignment of internal requirements, such as corporate policies, business objectives, and strategy.
Management: (How)
The importance of following Infosec standards:
Creating and using common, proven practices is an important part of a successful information
security program. Not only do standards support proactive management and efficient risk
mitigation, adopting and consistently following a standard can bring additional benefits to any
organization.
+ TRUST & CONFIDENCE. When organizations obtain certifications that demonstrate compliance,
they create a sense of trust and confidence among employees and third parties with whom they
interact.
+ BETTER RESULTS. When you speak the same jargon, results are more productive, effective, and
cohesive. E.g., vendor assessments can be smoother and faster with a formal infosec program in
place.
+ COMPETITIVE ADVANTAGE. Developing a formal infosec program and obtaining certification
boosts client and stakeholder confidence in how infosec risks are managed and aligned with their
own risk appetite.
+ CORPORATE RESPONSIBILITY. Holding an infosec certification can help organizations
demonstrate due diligence and due care, which are mandatory requirements for company officers
and essential for mitigating corporate negligence.
Note: Information security standards offer best practices and share expert information. These
standards allow organizations to adopt, tailor, and implement a valuable infosec program without
having to hire full-time experts, reinventing the wheel, and learning by trial and error, which is
costly, time consuming and dangerous.
Challenges of implementing and maintaining standards:
+ Time: Implementing and maintaining information security standards is not a one-time project.
Rather, it is a process that requires dedicated, qualified personnel, support from senior leadership,
and continuous monitoring and improvement. A successful effort will require buy-in from the
entire organization.
+ Cost: Standards can be expensive to implement and just as costly to maintain. In the case of ISO
27001, for example, in addition to the time and effort necessary to meet the standard
requirements, organizations must budget for annual audit fees, which can be substantial.
+ Buy-in: Senior leadership buy-in and program ownership at the C-level are critical elements for
an organization to deploy an information security program effectively. The information security
team must share metrics, report the effectiveness of the program, and demonstrate its value and
strategic alignment with the organization's business objectives to maintain senior leadership
support.
+ Change management: In general, everyone appreciates the value of securing information until it
requires a change. Security teams implementing standards are challenged to strike a delicate
balance between security and convenience.
+ Continuous improvement: Standards have life cycles. When a standard is updated, it is the
responsibility of all compliant organizations to be aware of the updates and implement them by
specified dates, or as soon as possible if a time line is not mandated. In some cases, a standard
might become obsolete, and a new standard must be researched and presented to senior
leadership for approval for implementation.
Main security requirements and their subcomponents:
+ Network Security
++ Confidentiality
++ Integrity
++ Authenticity
++ Availability
+ Identity Management
++ Authentication
++ Authorization
++ Accountability
++ Revocation
+ Privacy
++ Data Privacy
++ Anonymity
++ Pseudonymity
++ Unlinkability
+ Trust
++ Device Trust
++ Entity Trust
++ Data Trust
+ Resilience
++ Robustness against attacks
++ Resilience against failures
CIA:
+ Confidentiality
Risk: The risk of privacy loss or unauthorized disclosure.
Control: Encryption, Authentication, Access Control.
+ Integrity
Risk: Data modified by an unauthorized source.
Control: Access Control, Cryptography along with Hashing & Message Digests.
+ Availability
Risk: Unavailability of resources & information for authorized users.
Control: Backups, High Availability, Fault Tolerance, Co-location.
Notes: Some of the techniques to ensure CIA are as follows:
+ Process Isolation
+ Software Confinement
+ Bounds with limitations and restrictions
+ Least Privilege Policy
CIA-AP:
+ Confidentiality: The capability of limiting information access and disclosure to authorized clients
only.
+ Integrity: The capability of preserving the structure and content of information resources.
+ Availability: The capability of guaranteeing continuous access to data and resources by
authorized clients.
+ Authenticity: The capability of ensuring that clients or objects are genuine.
+ Privacy: The capability of protecting all information pertaining to the personal sphere of users.
Authorization approval procedure:
+ Formalized
+ Approval by the direct manager, data owner, security professional
+ Access permissions follow the principle of least privilege
+ Balance security with the need for access
+ Avoid allowing too much privilege — Conflicts of interest
+ Remove privilege when no longer needed
Business Impact Assessment (BIA):
A systematic process to determine and evaluate the potential effects of an interruption to critical
business operations as a result of exploitation, disaster, accident or emergency.
Key Metrics to establish BIA:
+ SLO
+ RPO
+ MTD
+ RTO
+ WRT
+ MTBF
+ MTTR
+ MOR
Business Impact Assessment:
+ Identify Priorities
+ Identify Risk
+ Likelihood Assessment
+ Impact Assessment
+ Resource prioritization
Note: Risk can never be mitigated to zero (there is no such thing as “no risk” or “perfect security”)
Business Impact Analysis:
+ Identify critical functions
+ Identify critical resources
+ Calculate MTD for resources
+ Identify threats
+ Calculate risks
+ Identify backup solutions
Business Impact Analysis:
+ Select individuals to interview for data gathering
+ Create data-gathering techniques
+ Identify critical business functions
+ Identify resources these functions depend upon
+ Calculate how long these functions can survive without these resources
+ Identify vulnerabilities and threats
+ Calculate the risk for each different business function
+ Document findings and report them to management
Business Continuity Planning (BCP):
+ Project Initiation
+ Business Impact Analysis
+ Recovery Strategy
+ Plan design and development
+ Implementation
+ Testing
+ Continual Maintenance
BCP (NIST 800-34):
+ Develop planning policy
+ BIA
+ Identify preventive controls
+ Create contingency strategies
+ Develop contingency plans
+ Test
+ Maintenance
WHY - Business Continuity Planning (BCP):
+ Provide an immediate and appropriate response to emergency situations
+ Protect lives and ensure safety
+ Reduce business impact
+ Resume critical business functions
+ Work with outside vendors and partners during the recovery period
+ Reduce confusion during a crisis
+ Ensure survivability of the business
+ Get “up and running” quickly after a disaster
DRP vs. BCP:
+ BCP - Corrective Control
+ DRP - Recovery Control
+ Both BCP and DRP fall under the category of Compensating Control
+ BCP is not a preventive control as it can NOT prevent a disaster
+ BCP - helps in the continuity of organization functions in the event of a disaster
+ BCP - maintaining critical functions during a disruption of normal operations
+ DRP - recovering to normal operations after a disruption
Business Continuity Planning (BCP):
+ Continuity Policy
+ Business Impact Assessment (BIA)
+ Identify Preventive Controls
+ Develop Recovery Strategies
+ Develop BCP
+ Exercise/Drill/Test
+ Maintain BCP
DR Team:
+ Rescue Team: Responsible for dealing with the immediacy of the disaster - employee evacuation,
crashing the server room, etc.
+ Recovery Team: Responsible for getting the alternate facility up and running and restoring the
most critical services first.
+ Salvage Team: Responsible for the return of operations to the original or permanent facility
(reconstitution) - get us back to the stage of normalcy.
Business Continuity Planning (BCP) Documents:
+ Continuity of planning goals
+ Statement of importance and statement of priorities
+ Statement of Organizational responsibilities
+ Statement of Urgency and Timing
+ Risk assessment, Risk Acceptance, and Risk mitigation document
+ Vital Records Program
+ Emergency Response Guidelines
+ Documentation for maintaining and testing the plan
DRP/BCP document plan should be:
+ Created for an enterprise with individual functional managers responsible for plans specific to
their departments
+ Copies of the plan should be kept in multiple locations
+ Both Electronic and paper copies should be kept
+ The plan should be distributed to those with a need to know
+ Most employers will only see a small portion of the plan
Business Continuity Planning (BCP):
+ Project scope and planning
+ Business Organization Analysis
+ BCP team selection
+ Resource Requirements
+ Legal and regulatory requirements
+ Business impact assessment
+ Identify priorities
+ Risk Identification
+ Likelihood Assessment
+ Impact Assessment
+ Resource Prioritization
+ Continuity planning
+ Strategy Development
+ Provisions and Processes
+ Plan Approval
+ Plan Implementation
+ Training and Education
+ Approval and implementation
+ Approval by senior management (APPROVAL)
+ Creating an awareness of the plan enterprise-wide (AWARENESS)
+ Maintenance of the plan, including updating when needed (MAINTENANCE)
+ Implementation
Development of Disaster Recovery Plan (DRP):
+ Plan Scope and Objectives
+ Business Recovery Organization (BRO) and Responsibilities (Recovery Team)
+ Major Plan Components - format and structure
+ Scenario to Execute Plan
+ Escalation, Notification and Plan Activation
+ Vital Records and Off-Site Storage Program
+ Personnel Control Program
+ Data Loss Limitations
+ Plan Administration
Disaster Recovery Plan (DRP) procedures:
+ Respond to disaster in accordance with a pre-defined disaster level
+ Assess damage and estimate time required to resume operations
+ Perform salvage and repair
Elements of Recovery Strategies:
+ Business recovery strategy
++ Focus on the recovery of business operations
+ Facility & supply recovery strategy
++ Focus on facility restoration and enable alternate recovery site(s)
+ User recovery strategy
++ Focus on people and accommodations
+ Technical recovery strategy
++ Focus on the recovery of IT services
+ Data recovery strategy
++ Focus on the recovery of information assets
The eight R's of a successful Recovery Plan:
+ Reason for planning
+ Recognition
+ Reaction
+ Recovery
+ Restoration
+ Return to Normal
+ Rest and Relax
+ Re-evaluate and Re-document
Disaster Recovery Program:
+ Critical Application Assessment
+ Backup Procedures
+ Recovery Procedures
+ Implementation Procedures
+ Test Procedures
+ Plan Maintenance
Post-Incident Review:
The purpose is to learn how to get better after a test or disaster has taken place:
+ Focus on how to improve
+ What should have happened?
+ What should happen next?
+ Not whose fault it was; this is not productive
Continuity Planning:
Normally applies to the mission/business itself; Concerns the ability to continue critical functions
and processes during and after an emergency event.
Contingency Planning:
Applies to information systems, and provides the steps needed to recover the operation of all or
part of the designated information system at an existing or new location in an emergency.
Business Continuity Plan (BCP):
BCP focuses on sustaining an organization's mission/business process during and after a
disruption. It may be used for long-term recovery in conjunction with the COOP plan, allowing for
additional functions to come online as resources or time allows.
Occupant Emergency Plan (OEP):
It outlines first-response procedures for occupants of a facility in the event of a threat or incident
to the health and safety of the personnel, the environment, or property.
Cyber Incident Response Planning (CIRP):
A type of plan that normally focuses on detection, response, and recovery from a computer
security incident or event. It establishes procedures to address cyber-attacks against an
organization's information system(s).
Information System Contingency Plan (ISCP):
It provides established procedures for the assessment and recovery of a system following a
system disruption. It provides key information needed for system recovery, including roles and
responsibilities, inventory information, assessment procedures, detailed recovery procedures, and
testing of a system.
Continuity of Operations Plan (COOP):
It focuses on restoring an organization's mission-essential functions at an alternate site and
performing those functions for up to 30 days before returning to normal operations.
Disaster Recovery Plan (DRP):
Applies to major physical disruptions to service that deny access to the primary facility
infrastructure for an extended period. An information system-focused plan designed to restore
operability of the target system, application, or computer facility infrastructure at an alternate site
after an emergency. It only addresses information system disruptions that require relocation.
Risks to the organization are found in the following areas:
+ Financial
+ Reputational
+ Regulatory
Risk Analysis:
+ Analyzing the environment for risks
+ Creating a cost/benefit report for safeguards
+ Evaluating threat
Elements of risk:
+ Threats
+ Assets
+ Mitigating factors
Risk Analysis methodology:
+ CRAMM (CCTA Risk Analysis and Management Method)
+ FMEA (Failure modes and effect analysis methodology)
+ FRAP (Facilitated Risk Analysis Process)
+ OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
+ PUSH
+ Spanning Tree Analysis
+ SOMAP (Security Officers Management and Analysis Project)
+ VAR (Value at risk)
RMF CSIAAM: (NIST 800-37)
The risk management framework (RMF) encompasses a broad range of activities to identify,
control, and mitigate risks to an information system during the system development life cycle. One
of the activities is the development of an ISCP. Implementing the risk management framework can
prevent or reduce the likelihood of threats and limit the consequences of risks. The RMF includes:
+ Categorize the information system and the data
+ Select an initial set of baseline security controls
+ Implement the security controls and describe how the controls are employed
+ Assess the security controls
+ Authorize systems to be launched
+ Monitor the security controls
Risk Management Process: (FARM)
+ Framing risk
+ Assessing risk
+ Responding to risk
+ Monitoring risk
Risk management Policy Document:
+ Objectives of the policy and rationale for managing risk
+ Scope and charter of information risk management
+ Links between the risk management policy and the organization's strategic and corporate
business plans
+ Extent and range of issues to which the policy applies
+ Guidance on what is considered acceptable risk levels
+ Risk management responsibilities
+ Support expertise available to assist those responsible for managing risk
+ Level of documentation required for various risk-management related activities, e.g., change
management
+ A plan for reviewing compliance with the risk management policy
+ Incident and event severity levels
+ Risk reporting and escalation procedures, format and frequency
Risk Management Life Cycle:
+ Continuously monitoring
+ Evaluating
+ Assessing and reporting risk.
Risk management:
+ Risk Assessment — Identify Assets, Threats, Vulnerabilities
+ Risk Analysis — Value of Potential Risk
+ Risk Mitigation — Responding to Risk
+ Risk Monitoring — Risk is forever
Risk management entails evaluating:
+ Threats
+ Vulnerabilities
+ Countermeasures
Methodologies of Risk Assessment:
+ Prepare for the assessment.
+ Conduct the assessment:
++ Identify threat sources and events.
++ Identify vulnerabilities and predisposing conditions.
++ Determine the likelihood of occurrence.
++ Determine the magnitude of impact.
++ Determine risk.
+ Communicate results
+ Maintain assessment.
Preparing Risk Assessment:
+ Purpose of the assessment
+ The scope of the assessment
+ Assumptions and constraints associated with the assessment
+ Sources of information to be used as inputs to the assessment
+ Risk model and analytic approaches
Risk Assessment (NIST 800-30):
+ System / Asset Characterization
+ Threat Identification
+ Vulnerability Identification
+ Control Analysis
+ Likelihood Determination
+ Impact Analysis
+ Risk Determination
+ Control Recommendations
+ Results Documentation
Damage assessment:
+ Determining the cause of the disaster is the first step of the damage assessment
+ How long it will take to bring critical functions back online
+ Identifying the resources that must be replaced immediately
+ Declare a disaster
Damage assessment:
+ Determine the cause of the disaster.
+ Determine the potential for further damage.
+ Identify the affected business functions and areas.
+ Identify the level of functionality for the critical resources.
+ Identify the resources that must be replaced immediately.
+ Estimate how long it will take to bring critical functions back online.
+ If it will take longer than the previously estimated MTD values to restore operations, then a
disaster should be declared and the BCP should be put into action.
Note:
+ The first activity in every recovery plan is damage assessment, immediately followed by damage
mitigation.
+ The final step in a damage assessment is to declare a disaster.
+ The decision to activate a disaster recovery plan is made after damage assessment and
evaluation is completed.
Configuration Management:
+ Plan
+ Approve Baseline
+ Implement
+ Control Changes
+ Monitor
+ Report
+ Repeatable
Configuration Management:
+ Configuration Identification
+ Configuration Control
+ Configuration Status Accounting
+ Configuration Audit
Change Management:
+ Request for a change to take place
+ Approval of the change
+ Documentation of the change
+ Tested and presented
+ Implementation
+ Report change to management
Change Management:
+ Request
+ Review
+ Approve
+ Schedule
+ Document
Change Management:
+ Request
+ Evaluate
+ Test
+ Rollback
+ Approve
+ Document
+ Determine Change Window
+ Implement
+ Verify
+ Close
Data Contamination Controls:
To ensure the integrity of data, there are two types of controls: input and output controls. Input
controls consist of transaction counts, dollar counts, hash totals, error detection, error correction,
resubmission, self-checking digits, control totals, and label processing. Output controls include the
validity of transactions through reconciliation, physical-handling procedures, authorization
controls, verification with expected results, and audit trails.
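As an added example (not from the original guide), the following Python checks a batch of transactions with the input controls named above (transaction count, dollar total, hash total, self-checking digit) and reconciles the posted output against the accepted input. The sample batch is constructed, and the check digit is assumed to be a Luhn mod-10 digit, a scheme the guide does not specify.

```python
"""Input and output controls from the Data Contamination Controls passage, as an
added example that is not from the original guide. A batch of transactions is
checked with a transaction count, a dollar (control) total, a hash total and a
self-checking digit, and the posted output is reconciled against the accepted
input. All sample data are constructed; the check digit is assumed to be a
Luhn mod-10 digit, since the guide does not name a particular scheme."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List


@dataclass(frozen=True)
class Txn:
    account: str      # account number whose last digit is a check digit
    amount: Decimal   # signed amount in dollars


def luhn_valid(number: str) -> bool:
    """Self-checking digit: the whole number must satisfy the Luhn mod-10 rule,
    which catches any single mistyped digit and most adjacent transpositions."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def batch_controls(txns: List[Txn]) -> Dict[str, object]:
    """Control figures the sender computes before transmission and the receiver
    recomputes on arrival. The hash total sums a field with no business meaning
    (account numbers); it exists only to detect loss, duplication or tampering."""
    return {
        "transaction_count": len(txns),
        "dollar_total": sum((t.amount for t in txns), Decimal("0")),
        "hash_total": sum(int(t.account) for t in txns),
    }


def validate_input(txns: List[Txn], header: Dict[str, object]) -> List[str]:
    """Input controls: compare recomputed control figures with the batch header
    and check every account's check digit. Returns the list of problems; an
    empty list means the batch is accepted for processing."""
    problems = []
    actual = batch_controls(txns)
    for name, expected in header.items():
        if actual.get(name) != expected:
            problems.append(f"{name} mismatch: header {expected}, actual {actual.get(name)}")
    for t in txns:
        if not luhn_valid(t.account):
            problems.append(f"check digit failed for account {t.account}")
    return problems


def reconcile_output(txns: List[Txn], posted: Dict[str, Decimal]) -> bool:
    """Output control: the balance changes actually posted must reconcile with
    the dollar total of the batch that was accepted on input."""
    return sum(posted.values(), Decimal("0")) == batch_controls(txns)["dollar_total"]


# Constructed sample batch; every account number carries a valid Luhn digit.
GOOD_BATCH = [
    Txn("12345674", Decimal("100.00")),
    Txn("98765431", Decimal("-25.50")),
    Txn("55555551", Decimal("10.25")),
]
GOOD_HEADER = batch_controls(GOOD_BATCH)   # what the sender would transmit


def demo() -> Dict[str, List[str]]:
    """Run the checks on the clean batch and on three contaminated copies."""
    amount_changed = [Txn("12345674", Decimal("1000.00"))] + GOOD_BATCH[1:]
    record_dropped = GOOD_BATCH[:2]
    digit_typo = [Txn("12345670", Decimal("100.00"))] + GOOD_BATCH[1:]
    return {
        "clean": validate_input(GOOD_BATCH, GOOD_HEADER),
        "amount_changed": validate_input(amount_changed, GOOD_HEADER),
        "record_dropped": validate_input(record_dropped, GOOD_HEADER),
        "digit_typo": validate_input(digit_typo, GOOD_HEADER),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "accepted")
```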
Phases of DITSCAP and NIACAP accreditation:
+ Definition
+ Verification
+ Validation
+ Post Accreditation
The Systems Development Life Cycle:
+ Initiation (considers value, sensitivity, regulatory compliance, classification, etc. of
application / data).
+ Define Functional Requirements (documents user and security needs).
+ Design Specifications (system architecture/software designed).
+ Development/Implementation/Testing (source code and test cases generated, quality and reliability
addressed).
+ Documentation/Program Controls (controls related to editing data, logging, version control,
integrity checks, etc.).
+ Certification/Accreditation (independently testing data/code ensuring requirements are met,
data validation, bounds checking, sanitizing, management's authorization for implementation).
+ Production/Implementation (systems are live).
SDLC:
+ Project initiation and planning
+ Functional requirements definition
+ System design specifications
+ Development and implementation
+ Documentation and common program controls
+ Testing and evaluation control, (certification and accreditation)
+ Transition to production (implementation)
SDLC:
+ Request/Gather information
++ Security risk assessment
++ Privacy risk assessment
++ Risk-level acceptance
++ Informational, functional, and behavioral requirements
+ Design
++ Attack surface analysis
++ Threat modeling
+ Develop
++ Automated CASE tools
++ Static analysis
+ Test/Validation
++ Dynamic analysis
++ Fuzzing
++ Manual testing
++ Unit, integration, acceptance, and regression testing
+ Release/Maintenance
++ Final security review
Note: Fuzz testing describes the use of known bad or randomized inputs to determine what
unintended results may occur.
SDLC 10 phases: (System Life Cycle)
+ Initiation- Identifying the need for a project
+ System Concept Development- Defining the project scope and boundaries
+ Planning- Creating the project management plan
+ Requirements Analysis- Defining user requirements
+ Design- Creating a Systems Design Document that describes how to deliver the project
+ Development- Converting the design into a functional system
+ Integration and Test- Verifying that the system meets the requirements
+ Implementation- Deploying the system into the production environment
+ Operations and Maintenance- Monitoring and managing the system in production
+ Disposition - Migrating the data to a new system and shutting the system down
Note: The system life cycle (SLC) extends beyond the SDLC to include two additional phases:
+ Operations and maintenance support (post-installation).
+ Revisions and system replacement.
The Cloud Secure SDLC:
+ Defining
+ Designing
+ Development
+ Testing
+ Secure Operations
+ Disposal
Development Methodologies:
+ Build and fix
++ Lacks architecture design.
++ Problems are fixed as they occur.
++ Lacks a formal feedback cycle.
++ Reactive instead of proactive.
+ Waterfall
++ Linear sequential life cycle.
++ Each phase is completed before continuing.
++ Lacks a formal way to make changes during a cycle.
++ The project is completed before collecting feedback and starting again.
+ V-shaped
++ Based on the waterfall model.
++ Each phase is completed before continuing.
++ Allows for verification and validation after each phase.
++ Does not contain a risk analysis phase.
+ Prototyping
++ Rapid prototyping uses a quick sample to test the current project.
++ Evolutionary prototyping uses incremental improvements to the design.
++ Operational prototypes provide incremental improvements but are intended to be used in
production.
+ Incremental
++ Uses multiple cycles for development, like multiple waterfalls.
++ The entire process can restart at any time as a different phase.
++ Easy to introduce new requirements.
++ Delivers incremental updates to the software.
+ Spiral
++ Continual approach to development.
++ Performs risk analysis during development.
++ Future information and requirements are guided into the risk analysis.
++ Allows for testing early in development.
+ Rapid Application Development
++ Uses rapid prototyping.
++ Designed for quick development.
++ Analysis and design are quickly demonstrated.
++ Testing and requirements are often revisited.
+ Agile
++ Umbrella term for multiple methods.
++ Highlights efficiency and iterative development.
++ User stories describe what a user does and why.
++ Prototypes are filtered down to individual features.
Insecure code practices:
+ Comments in source code
+ Lack of error handling
+ Overly verbose error handling
+ Hard-coded credentials
+ Race conditions
+ Unauthorized use of functions/unprotected APIs
+ Hidden elements
+ Sensitive information in the DOM
+ Lack of code signing
Systems Development Life Cycle:
+ Initiation: During the initiation phase, the need for a system is expressed and the purpose of the
system is documented.
+ Development/Acquisition: During this phase, the system is designed, purchased, programmed,
developed, or otherwise constructed.
+ Implementation/Assessment: After system acceptance testing, the system is installed or fielded.
+ Operation/Maintenance: During this phase, the system performs its work. The system is almost
always modified by the addition of hardware and software and by numerous other events.
+ Disposal: Activities conducted during this phase ensure the orderly termination of the system,
safeguarding vital system information, and migrating data processed by the system to a new
system, or preserving it in accordance with applicable records management regulations and
policies.
Systems Development Life Cycle:
+ Conceptual definition
+ Functional requirements determination
+ Control specifications development
+ Design review
+ Code review walk-through
+ System test review
+ Maintenance and change management
Security Considerations in SDLC:
+ Prepare a Security Plan
+ Initiation
++ Survey & understand the policies, standards, and guidelines
++ Identify information assets (tangible & intangible)
++ Define information classification & the protection level (security categorization)
++ Define rules of behavior & security
++ Conduct preliminary risk assessment
+ Development/Acquisition
++ Determine Security Requirements
++ Conduct risk assessment
++ Perform cost/benefit analysis
++ Incorporate Security Requirements into Specifications
++ Security planning (based on risks & CBA)
++ Obtain the System and Related Security Activities
++ Develop security tests
+ Implementation
++ Install/Turn on Controls
++ Security Testing
++ Perform Security Certification & Accreditation of the target system
+ Operation/Maintenance
++ Security Operations and Administration
++ Operational Assurance
++ Audits and Continuous monitoring
++ Configuration management & change control
+ Disposal
++ Information transfer or destruction
++ Media Sanitization
++ Dispose of hardware
Forensics:
The forensic investigation process must demonstrate that information handling procedures and
actions performed did not alter the original data throughout the custody chain. This may include:
+ Recording the name and contact information of those charged with maintaining a chain of
custody
+ Details of the timing of the event
+ Purpose of moving the data
+ Identification of evidence through recording of serial numbers and other details
+ Sealing the evidence with evidence tape
+ Documenting the location of storage
+ Documenting the movement of the information
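The custody-chain items above, as an added Python example that is not from the original guide: an evidence record that logs custodian and contact, timing, purpose, seal number and storage location at each hand-off, and re-hashes the evidence image at every step so an altered copy shows up in the record itself. The evidence bytes, names, contact details, times and locations are all constructed.

```python
"""Chain-of-custody record for one item of digital evidence, as an added example
that is not from the original guide. Each entry records who is responsible and
how to reach them, when and why the item moved, the seal and storage location,
and the hash of the evidence image recomputed at that hand-off, so the record
itself demonstrates that the data was not altered while in custody. The evidence
bytes, names, contact details, times and locations are constructed."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    when: datetime
    action: str          # "acquired" or "transferred"
    custodian: str       # person now responsible for the item
    contact: str
    purpose: str         # why the item moved
    location: str        # where it is stored after this step
    observed_hash: str   # SHA-256 of the image as seen at this step


@dataclass
class EvidenceRecord:
    case_id: str
    item_id: str         # serial number or other identifying detail
    description: str
    seal_id: str         # evidence-tape or bag seal number
    acquisition_hash: str
    entries: List[CustodyEntry] = field(default_factory=list)

    def integrity_ok(self) -> bool:
        """True only if every custodian observed the acquisition hash."""
        return all(e.observed_hash == self.acquisition_hash for e in self.entries)


def acquire(case_id: str, item_id: str, description: str, seal_id: str,
            image: bytes, custodian: str, contact: str, location: str,
            when: datetime) -> EvidenceRecord:
    """Open the record: hash the image once at acquisition; that value is the
    reference every later hand-off is checked against."""
    reference = sha256_hex(image)
    record = EvidenceRecord(case_id, item_id, description, seal_id, reference)
    record.entries.append(CustodyEntry(when, "acquired", custodian, contact,
                                       "initial acquisition and imaging",
                                       location, reference))
    return record


def transfer(record: EvidenceRecord, image: bytes, to_custodian: str,
             contact: str, purpose: str, location: str, when: datetime) -> bool:
    """Log a hand-off. The receiving custodian re-hashes the image they were
    given; a mismatch is still written to the record (the break must stay
    visible) and reported by returning False."""
    observed = sha256_hex(image)
    record.entries.append(CustodyEntry(when, "transferred", to_custodian,
                                       contact, purpose, location, observed))
    return observed == record.acquisition_hash


def custody_report(record: EvidenceRecord) -> List[str]:
    """Human-readable chain, one line per entry, flagging any hash break."""
    lines = [f"Case {record.case_id}, item {record.item_id} ({record.description}), "
             f"seal {record.seal_id}, SHA-256 {record.acquisition_hash}"]
    for e in record.entries:
        status = "OK" if e.observed_hash == record.acquisition_hash else "HASH MISMATCH"
        lines.append(f"{e.when.isoformat()} {e.action:<11} {e.custodian} <{e.contact}> "
                     f"{e.purpose} -> {e.location} [{status}]")
    return lines


# Constructed evidence image and a sample chain with one bad hand-off.
IMAGE = b"constructed disk image bytes"
T0 = datetime(2018, 3, 1, 9, 0, tzinfo=timezone.utc)


def demo() -> EvidenceRecord:
    record = acquire("CASE-0001", "SN-EXAMPLE-1234", "laptop SSD image", "SEAL-042",
                     IMAGE, "A. Examiner", "examiner@example.org",
                     "evidence locker 1", T0)
    transfer(record, IMAGE, "B. Analyst", "analyst@example.org",
             "malware analysis", "lab bench 3", T0.replace(hour=11))
    # The third custodian receives a modified copy: the chain must show it.
    transfer(record, IMAGE + b"!", "C. Courier", "courier@example.org",
             "transport to off-site storage", "vehicle 7", T0.replace(hour=15))
    return record


if __name__ == "__main__":
    for line in custody_report(demo()):
        print(line)
```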
Concepts unique to the forensic analysis:
+ Authorization to collect information
+ Legal defensibility
+ Confidentiality
+ Evidence preservation and evidence security
+ Law enforcement involvement
Forensic Process:
+ Identification
+ Preservation
+ Collection
+ Examination
+ Analysis
+ Presentation
+ Decision
Generic Computer Forensic Investigation Model:
+ Pre-process
+ Acquisition and preservation
+ Analysis
+ Presentation
+ Post-process
E-discovery Process:
+ Information Governance
+ Identification
+ Preservation
+ Collection
+ Processing
+ Review
+ Analysis
+ Production
+ Presentation
CSIRT:
Organizations will often form a cybersecurity incident response team (CSIRT) to help identify and
manage information security incidents. The individuals that make up the CSIRT are trained in
proper collection and preservation techniques for investigating security incidents. National
Institute of Standards and Technology Special Publication (NIST SP) 800-61r2 identifies the
following models for organizing such a team.
+ Central team: One team handles incidents on behalf of the entire organization.
+ Distributed team: For larger or geographically dispersed organizations, it may be more
appropriate to have individual CSIRTs for different segments of the organization or different
geographic locations.
+ Coordinating team: An overarching central team can be added to provide guidance and
coordination among distributed teams.
CSIRT Tools:
The CSIRT has a number of tools they can use to help handle security incidents. Keeping the toolkit
up-to-date will contribute to the CSIRT working optimally. The following list gives a few common
examples (tool / platform).
+ The Sleuth Kit (TSK) / Cross-platform
+ EnCase / Windows
+ Forensic Toolkit (FTK) / Windows
+ Forensics Explorer / Windows
+ SANS Investigative Forensic Toolkit (SIFT) / Ubuntu (Linux)
+ Digital Forensics Framework (DFF) / Cross-platform
+ Computer Online Forensic Evidence Extractor (COFEE) / Windows
+ WindowsSCOPE / Windows
+ HashMyFiles / Windows
+ Volatility / Windows, Linux
+ TestDisk / Cross-platform
+ Wireshark / Cross-platform
Data Classification Scheme:
+ Identify custodian
+ Specify evaluation criteria
+ Classify and label each resource
+ Document any exceptions
+ Select security controls
+ Specify the procedures for declassifying
+ Create enterprise awareness program
Data Classification:
+ Scope (value, age)
+ Classification Controls
+ Assurance
+ Marking and labeling
Classify Information:
+ Specify the classification criteria
+ Classify the data
+ Specify the controls
+ Publicize awareness of the classification controls
Classification program:
+ Define classification level
+ Identify owner
+ Determine security level
+ Develop a procedure for declassifying
Data Classification Procedure:
+ Define classification levels.
+ Specify the criteria that will determine how data are classified.
+ Identify the data owners who will be responsible for classifying data.
+ Identify the data custodian who will be responsible for maintaining the data and its security level.
+ Indicate the security controls (protection mechanisms) required for each classification level.
+ Document any exceptions to the previous classification issues.
+ Indicate the methods that can be used to transfer custody of information to a different owner.
+ Create a procedure to periodically review the classification and ownership.
+ Communicate any changes to the data custodian.
+ Indicate procedures for declassifying the data.
+ Integrate these issues into the security-awareness program.
Data Collection Limitations:
There are some regulations for the collection of personal data as per the privacy rule.
The following are some regulations for protecting personal data:
+ Data collection only by lawful and fair means.
+ Data collection with the knowledge and approval of the subject.
+ Do not use personal data for other purposes.
+ Collection of personal data should be relevant to the purpose.
+ Collected data is to be accurate and kept up to date.
+ Do not disclose personal data to other parties without the permission of the subject.
+ Secure personal data against intentional or unintentional access, use, disclosure,
destruction, and modification.
The following are some of the important privacy-related practices and rules across the
world that provide frameworks and limitations relating to personal data:
+ General Data Protection Regulation (European Union)
+ Data Protection Directive (EU)
+ Data Protection Act 1998 (U.K)
+ Data Protection Act, 2012 (Ghana)
+ Data protection (privacy) laws in Russia
+ Personal Data Protection Act 2012 (Singapore)
+ Privacy Act (Canada)
The goals of Incident Handling and Response Planning:
+ Detect compromises as quickly and efficiently as possible.
+ Respond to incidents as quickly as possible.
+ Identify the cause as effectively as possible.
Purpose of incident response:
+ Restore normal service
+ Minimize impact on business
+ Ensure service quality and availability are maintained
Incident Response:
+ Triage (assess the severity of the incident and verify it)
+ Investigation (contact law enforcement)
+ Containment (limit the damage)
+ Analysis
+ Tracking
Incident Response:
+ Preparation
+ Detection -- Identification
+ Response -- Containment
+ Mitigation
+ Reporting -- Report to senior management
+ Recovery -- Change Management & Configuration Management
+ Remediation -- RCA, Patch Management & implement controls
+ Lessons Learned -- Document and knowledge transfer
Incident Response:
+ Preparation
+ Detection
+ Containment
+ Eradication
+ Recovery
+ Post Incident Review/Lesson learned
Incident Handling Steps: NIST 800-61 (mnemonic: People Identify Containers Ending Real Lives)
+ Preparation (People)
+ Identification (Identify)
+ Containment (Containers)
+ Eradication (Ending)
+ Recovery (Real)
+ Lessons Learned (Lives)
Incident response process: PIC-ERL
+ Preparation
+ Identification
++ Detection/analysis
++ Collection
+ Containment
+ Eradication
+ Recovery
+ Post-incident
++ Lessons learned
+++ Root cause analysis
++ Reporting and documentation
Note: Gap analysis includes reviewing the organization's current position/performance as
revealed by an audit against a given standard.
Incident Response Process:
+ Plan for and identify the incident.
+ Initiate incident handling protocols.
+ Record the incident.
+ Evaluate and analyze the incident.
+ Contain the effects of the incident.
+ Mitigate and eradicate the negative effects of the incident.
+ Escalate issues to the proper team member, if applicable.
+ Recover from the incident.
+ Review and report the details of the incident.
+ Draft a lessons-learned report.
Incident Response Plan Models:
+ Compliance Driven
++ Designed to evaluate a response after the fact.
++ Reflects an audit and compliance perspective (HIPAA, GLBA, PCI DSS).
++ Security engineers and analysts do not refer to them during an incident, except possibly
in retrospective reports.
+ Technically Driven
++ Elaborate playbooks that communicate techniques for data analysis; often unwieldy and
intentionally vague about accountability.
++ Developed by security or network engineers, but can be frustrating when a response has
to be evaluated in reports to the Board of Directors or executives.
+ Coordinated (Compliance Driven + Technically Driven)
++ Provides a framework for the activities that are most ambiguous: those between teams and
roles. The coordinated plan describes communication and authority so they are not in
question during an incident, but also allows the expertise of a team to be applied without
micromanagement by the plan.
Incident Response Plans:
A usable IR plan is dynamic enough to address many incidents, but simple enough to be useful.
Some characteristics of a plan are:
+ Brief: During an incident, there is little time to read and understand large documents and find
the highlighted portions that may be relevant.
+ Clear: Incidents are complex and often are not well understood in the beginning.
+ Resilient: Rigid and prescriptive incident response plans can fail when key participants are
Incident investigation methodology:
+ Analysis and Imaging
+ Dead box forensics
+ Volatile data collection
+ Server handling
+ Endpoint imaging
+ Live system handling (Volatile data collection)
+ Write-block
+ Controlled forensic boot (Volatile data considerations)
Vulnerability management:
+ Inventory
+ Threat
+ Assess
+ Prioritize
+ Bypass
+ Deploy
+ Verify
+ Monitor
Vulnerability Assessment:
+ Collect
+ Store
+ Organize
+ Analyze
+ Report
Considerations for vulnerability scanning:
+ Time to run a scan
+ Protocols used
+ Network topology
+ Bandwidth limitations
+ Query throttling
+ Fragile systems/non-traditional assets
Information Security Continuous Monitoring:
+ Define
+ Establish
+ Implement
+ Analyze
+ Respond
+ Review
+ Update
+ Repeat
Threat Modelling:
+ Assessment scope
+ System modeling
+ Identify threats
+ Identify vulnerabilities
+ Examine threat history
+ Impact
+ Response
Threat modeling: (STRIDE)
+ Spoofing: Attacker assumes the identity of the subject
+ Tampering: Data or messages are altered by an attacker
+ Repudiation: Illegitimate denial of an event
+ Information Disclosure: Information is obtained without authorization
+ Denial of Service: Attacker overloads the system to deny legitimate access
+ Elevation of Privilege: Attacker gains a privilege level above what is permitted
Generic Threat Modeling:
+ Assessment Scope
+ System Modeling
+ Identify Threats
+ Identify Vulnerabilities
+ Examining the Threat History
+ Evaluation of Impact on the Business
+ Developing a Security Threat Response Plan
Change control:
+ Implement changes in a monitored and orderly manner.
+ Changes are always controlled
+ Formalized testing
+ Reversed/rollback
+ Users are informed of changes before they occur to prevent loss of productivity.
+ The effects of changes are systematically analyzed.
+ The negative impact of changes on capabilities, functionality, and performance is considered.
+ Changes are reviewed and approved by a CAB (change approval board).
Problem Management:
+ Incident notification
+ Root cause analysis
+ Solution determination
+ Request for change
+ Implement solution
+ Monitor/report
Vulnerability assessment and penetration testing:
+ Scope
+ Information gathering
+ Vulnerability detection
+ Information analysis and planning
+ Penetration testing
+ Privilege escalation
+ Result analysis
+ Reporting
+ Cleanup
Note: Vulnerability assessments should be done on a regular basis to identify new vulnerabilities.
VA scanners usually have no more than read privileges.
Botnet:
+ A botnet is a number of different devices connected together and controlled as a group without
the owners' knowledge.
+ The botnet owner can control the botnet using command and control (C&C) software.
+ The word "botnet" is a combination of the words "robot" and "network."
Information systems auditor:
+ Audits information security activities for compliance; Verifies adherence to security objectives,
policies, procedures, standards, regulations, and related requirements.
+ Verifies whether information security activities are managed and operated to ensure
achievement of the stated security objectives.
+ Provides independent feedback to senior management.
Auditing uses:
+ Record review
+ Adequacy of controls
+ Compliance with policy
+ Detect malicious activity
+ Evidence for prosecution
+ Problem reporting and analysis
Audit:
The systematic process by which a competent, independent person objectively obtains and
evaluates the evidence regarding assertions about an economic entity or event for the purpose of
forming an opinion about and reporting on the degree to which the assertion conforms to an
identified set of standards.
Audit: Evaluate security controls - Report on their effectiveness - Recommend improvements
Audit plan:
+ Define audit objectives
+ Define the audit scope
+ Conduct audit
+ Refine the audit process
Audit Process:
+ Determine goals
+ Involve the right business unit leaders
+ Determine scope
+ Choose the audit team
+ Plan audits
+ Conduct audit
+ Document results
+ Communicate results
Audit Report:
+ Purpose
+ Scope
+ Results discovered or revealed by the audit
+ Problems, events, and conditions
+ Standards, criteria, and baselines
+ Causes, reasons, impact, and effect
+ Recommended solutions and safeguards
+ Malfunctioning controls
+ Inadequate controls
+ Failure to meet target standards/guidelines
Capability Maturity Model (IRDMO):
+ Initial Stage - unpredictable, poorly controlled, and reactive
+ Repeatable Stage - characterized for projects and repeatable
+ Defined Stage - characterized for the entire organization and proactive
+ Managed Stage - quantitatively measured and controlled
+ Optimizing Stage - continuous improvement (Budget)
Capability Maturity Model (IRDMO):
+ Level 1: Initial - The software development process is characterized as ad hoc. Success depends
on individual effort and heroics.
+ Level 2: Repeatable - Basic project management (PM) processes are established to track
performance, cost, and schedule.
+ Level 3: Defined - Tailored software engineering and development processes are documented
and used across the organization.
+ Level 4: Managed - Detailed measures of product and process improvement are quantitatively
controlled.
+ Level 5: Optimizing - Continuous process improvement is institutionalized.
Information Systems Security Engineering (ISSE) Process:
+ Discover Information Protection Needs; ascertain the system purpose and identify the
information assets that need protection.
+ Define System Security Requirements; define requirements based on the protection needs.
+ Design System Security Architecture; design the system architecture to meet the security requirements.
+ Develop Detailed Security Design; based on the security architecture, design the security functions and
features of the system.
+ Implement System Security; implement the designed security functions and features into the
system.
+ Assess Security Effectiveness; assess the effectiveness of the ISSE activities.
Patch management:
+ Inventory
+ Allocate resources
+ Pursue updates
+ Test
+ Change approval
+ Deployment plan
+ Rollback plan
+ Deploy and verify the updates against policy requirements
+ Document
Patch management:
+ Patch information sources
+ Prioritization
+ Scheduling
+ Testing
+ Installation
+ Assessment
+ Audit
+ Consistency
+ Compliance
Patch management:
+ Evaluate
+ Test
+ Approve
+ Deploy
+ Verify
Required for accountability:
+ Identification
+ Authentication
+ Auditing
Policy:
+ Organizational (or Master) Policy
+ System-specific Policy
+ Issue-specific Policy
Software-Defined Everything (SDx):
An extension of virtualization that abstracts an application or function from its underlying hardware,
separating the control and data planes and adding programmability. Beginning with software-
defined networking (SDN), SDx now encompasses software-defined storage (SDS), software-
defined computing, software-defined security, and software-defined data centers (SDDC), among
others.
Software-Defined networking (SDN):
+ Application
+ Control
+ Infrastructure
Software-Defined networking (SDN):
+ Network administrators can adjust network traffic on the fly.
+ They provide you with the ability to better detect network traffic anomalies.
+ They add a higher level of complexity to the network that requires special skills.
OECD:
The Organization for Economic Cooperation and Development (OECD) suggests that privacy laws
include:
+ Collection limitation principle
+ Data quality principle
+ Purpose specification principle
+ Use limitation principle
+ Security safeguards principle
+ The openness principle
Social Engineering:
It's important for any user to understand social engineers and their tactics. Additionally, by
understanding the underlying principles, it becomes easier to avoid being tricked by them. The
following list introduces these principles.
+ Authority
+ Intimidation
+ Consensus / Social Proof
+ Scarcity
+ Urgency
+ Familiarity / Liking
+ Trust
API formats:
+ Representational State Transfer (REST) - is a software architecture style, consisting of guidelines
and best practices for creating scalable web services
+ Simple Object Access Protocol (SOAP) - is a protocol specification for exchanging structured
information in the implementation of web services in computer networks
Media control:
+ Accurately and promptly mark all data storage media
+ Ensure proper environmental storage of the media
+ Ensure the safe and clean handling of the media
+ Log data media to provide a physical inventory control
Enterprise Security Architecture (ESA):
+ Presents a long-term, strategic view of the system
+ Unifies security controls
+ Leverages existing technology investments
Third Party Contracts:
+ NDA/NDC
+ Regulatory Compliance
+ Incident notification
+ SLA/SLC
Evaluate the Third party:
+ On-Site Assessment
+ Document Exchange and Review
+ Process/Policy Review
Security Policy:
+ Define the scope
+ Identify all assets
+ Determine level of protection
+ Determine personal responsibility
+ Develop consequences for noncompliance
Common Criteria (CC):
+ PP (Protection Profile) - what the customer needs
+ ST (Security Target) - what the vendor provides
+ TOE (Target of Evaluation) - the actual product
+ EAL (Evaluation Assurance Level) - rating which provides evaluation and assurance
Note: The EAL is a measure of how thoroughly the security features the product vendor claims the
product offers have been tested and reviewed, and by whom.
The EAL does not offer any true measure of how well those security features will work in a
production environment, whether those features are preferable to other features offered by
competing products, or whether the product is "good."
EAL: FSM2S2F
+ EAL1 - Functionally tested (lowest rating)
+ EAL2 - Structurally tested
+ EAL3 - Methodically tested and checked
+ EAL4 - Methodically designed, tested and reviewed (medium rating)
+ EAL5 - Semi-formally designed and tested
+ EAL6 - Semi-formally verified, designed and tested
+ EAL7 - Formally verified, designed and tested (highest rating)
Documentation:
All documentation should be subject to an effective version control process as well as a standard
approach to marking and handling; and conspicuously labeled with classification level, revision
date and number, effective dates, and document owner.
Cryptography:
+ Privacy
+ Authentication
+ Integrity
+ Non-repudiation
Data archiving:
+ Format
+ Regulatory requirements
+ Testing
RUM vs Synthetic monitoring:
+ RUM (real user monitoring) harvests information from actual user activity, making it the most
realistic depiction of user behavior.
+ Synthetic monitoring approximates user activity, but is not as exact as RUM.
Before selecting a Security Monitoring Tool type:
+ It should collect information from numerous sources.
+ It should be able to inter-operate with other systems, such as a help desk or change management
program.
+ It should comply with all relevant laws and industry regulations.
+ It should offer scalable reporting so you get both a high-level and low-level perspective on your
security
Security information and event management (SIEM):
+ Correlation
+ Compliance
+ Alert
Tasks may be performed automatically for you with tools such as SIEMs:
+ Filter out unnecessary or duplicate data
+ Combine sources
+ Synchronize events logged in different sources
+ Normalize data formats
+ Store data securely
+ Data Collection, Analysis, and Correlation
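The SIEM tasks listed above (filtering duplicates, combining sources, synchronizing timestamps, normalizing formats, correlating) are shown below in a small Python example added for illustration; it is not code from the guide or from any SIEM product. The two log formats, the hosts, the addresses and the year and timezone assumed for the syslog source are all constructed for the example.

```python
import json
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample events: a firewall in syslog format (UTC, no year) and a
# VPN appliance emitting JSON with a -05:00 offset.
SYSLOG_LINES = [
    "Mar 10 14:02:11 fw01 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=10.0.0.8 DPT=22",
    "Mar 10 14:02:11 fw01 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=10.0.0.8 DPT=22",  # duplicate
    "Mar 10 14:02:15 fw01 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=10.0.0.8 DPT=3389",
]
JSON_LINES = [
    '{"ts": "2024-03-10T09:02:12-05:00", "host": "vpn01", "event": "auth_failure", "src": "203.0.113.5", "user": "alice"}',
    '{"ts": "2024-03-10T09:05:00-05:00", "host": "vpn01", "event": "auth_success", "src": "198.51.100.9", "user": "bob"}',
]
SYSLOG_YEAR = 2024          # assumption: classic syslog carries no year
SYSLOG_TZ = timezone.utc    # assumption: the firewall clock is set to UTC

SYSLOG_RE = re.compile(
    r"^(\w{3}) +(\d+) (\d\d):(\d\d):(\d\d) (\S+) \S+: (\w+) .*SRC=(\S+) DST=(\S+).*DPT=(\d+)")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}


def parse_syslog(line: str) -> Optional[Dict]:
    """Normalize one firewall line into the common schema (None if it does not match)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss, host, action, src, dst, dport = m.groups()
    ts = datetime(SYSLOG_YEAR, MONTHS[mon], int(day), int(hh), int(mm), int(ss),
                  tzinfo=SYSLOG_TZ)
    return {"ts": ts, "source": "firewall", "host": host, "event": action.lower(),
            "src": src, "dst": dst, "dport": int(dport)}


def parse_json(line: str) -> Dict:
    """Normalize one JSON line; the timestamp is converted to UTC so sources line up."""
    d = json.loads(line)
    ts = datetime.fromisoformat(d["ts"]).astimezone(timezone.utc)
    return {"ts": ts, "source": "vpn", "host": d["host"], "event": d["event"],
            "src": d["src"], "user": d.get("user")}


def normalize(syslog_lines: List[str], json_lines: List[str]) -> List[Dict]:
    """Combine both sources, drop exact duplicates and order events by UTC time."""
    events = [e for e in (parse_syslog(l) for l in syslog_lines) if e]
    events += [parse_json(l) for l in json_lines]
    seen, out = set(), []
    for e in events:
        key = (e["ts"], e["host"], e["event"], e["src"], e.get("dport"), e.get("user"))
        if key in seen:
            continue
        seen.add(key)
        out.append(e)
    out.sort(key=lambda e: e["ts"])
    return out


def correlate(events: List[Dict], window_seconds: int = 60) -> List[str]:
    """Correlation rule: a source address that both hit a firewall DROP and failed a
    VPN login within the window is reported once."""
    drops = [e for e in events if e["source"] == "firewall" and e["event"] == "drop"]
    fails = [e for e in events if e["source"] == "vpn" and e["event"] == "auth_failure"]
    hits = []
    for f in fails:
        for d in drops:
            if d["src"] == f["src"] and abs((d["ts"] - f["ts"]).total_seconds()) <= window_seconds:
                hits.append(f["src"])
                break
    return hits
```

Without the timezone conversion the VPN event would sort five hours before the firewall events and the correlation would never fire; clock synchronization across sources is what makes the rule work.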
SIEM in the cloud, the benefits are:
+ No capital expenditure
+ No need to invest in on-premises machines
+ No need to invest in technical support for hardware
+ No installation charges
+ Only fine tuning
+ Upgrades rolled out automatically by the cloud provider
Software requirements:
+ Informational model
+ Functional model
+ Behavioral model
Attack Phases:
+ Gaining Access
+ Escalating Privileges
+ System Browsing
+ Install Additional Tools
+ Additional Discovery
API Security:
+ Use the same security controls for APIs as for any web application in the enterprise.
+ Use Hash-based Message Authentication Code (HMAC).
+ Use encryption when passing static keys.
+ Use a framework or an existing library to implement security solutions for APIs.
+ Implement password encryption instead of a single key-based authentication.
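The HMAC recommendation above is shown in practice by the following Python example, added here as an illustration rather than taken from the guide or from any particular API framework. The header names, the secret, the path and the clock-skew limit are assumptions for the example; the point is that the signature binds method, path, body and timestamp and is compared in constant time.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Constructed shared secret; a real one is provisioned per client and kept in a secrets store.
SHARED_SECRET = b"constructed-demo-secret-do-not-use"
MAX_SKEW_SECONDS = 300   # assumed tolerance between client and server clocks


def canonical_string(method: str, path: str, body: bytes, timestamp: str) -> bytes:
    """What gets signed: method, path, a hash of the body and the timestamp, so that
    changing any of them invalidates the signature."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, timestamp]).encode()


def sign_request(secret: bytes, method: str, path: str, body: bytes,
                 timestamp: Optional[str] = None) -> Dict[str, str]:
    """Client side: produce the headers that accompany the request."""
    ts = timestamp or str(int(time.time()))
    mac = hmac.new(secret, canonical_string(method, path, body, ts), hashlib.sha256).hexdigest()
    return {"X-Timestamp": ts, "X-Signature": mac}


def verify_request(secret: bytes, method: str, path: str, body: bytes,
                   headers: Dict[str, str], now: Optional[int] = None) -> bool:
    """Server side: reject missing, stale or mismatching signatures."""
    ts = headers.get("X-Timestamp")
    sig = headers.get("X-Signature")
    if not ts or not sig or not ts.isdigit():
        return False
    now = now if now is not None else int(time.time())
    if abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False   # outside the window: limits how long a captured request is replayable
    expected = hmac.new(secret, canonical_string(method, path, body, ts), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)   # constant-time comparison
```

The timestamp only bounds the replay window; an API that must reject replays entirely also records a per-request nonce on the server side for the duration of that window.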
Key Performance Indicator KPI based on:
+ BIA
+ Effort to implement
+ Reliability
+ Sensitivity
Note: SLAs are often a subset of KPI
Security Program Metrics:
+ KPI looks backward at historical performance.
+ KRI looks forward, showing how much risk exists that may jeopardize the future security of the
organization.
Software Protection Mechanisms:
+ Security Kernels
+ Processor privilege states
+ Security controls for buffer overflow
+ Controls for incomplete parameter check and enforcement
+ Memory protection
+ Covert channel controls
+ Cryptography
+ Password protection techniques
Software Acquisition:
+ Planning
+ Contracting
+ Monitoring
+ Acceptance
+ Follow on
Endpoint Protection:
+ Built-in firewall functionality.
+ Intrusion detection system (IDS) / intrusion prevention system (IPS) functionality.
+ Data loss prevention (DLP) functionality.
+ Application whitelisting / blacklisting functionality.
+ Full disk encryption.
+ Management interfaces for configuration of each endpoint or groups of endpoints.
+ A centralized in-house server for distributing malware signature updates.
Note: A discovery tool is a primary component of a DLP solution. This might be employed for
purposes of identifying and collecting pertinent data.
Prevent SQL Injection (SQLi):
+ Perform input validation
+ Limit account privileges
+ Use stored procedures
In a SQL injection attack, an attacker could:
+ Harvest and crack password hashes
+ Delete and modify customer records
+ Read and write system files
Injection attacks:
+ SQL injection attack consists of insertion or "injection" of a SQL query via the input
+ HTML injection is a type of injection issue that occurs when a user is able to control an input
point and is able to inject arbitrary HTML code into a vulnerable web page
+ Command injection is an attack in which the goal is the execution of arbitrary commands on the
host operating system via a vulnerable application
+ Code injection allows the attacker to add his own code that is then executed by the application.
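To make the SQL injection prevention points concrete (input validation, limited privileges, and keeping data out of the query text), the following Python example is added here; it is not code from the guide. It uses an in-memory SQLite database with constructed rows and shows the vulnerable string-concatenation query beside the parameterized one, with a read-only session standing in for a least-privilege database account.

```python
import re
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    # VULNERABLE: untrusted input becomes part of the SQL text, so the input can
    # change the meaning of the WHERE clause.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    # SAFE: the value is bound as a parameter; the database never parses it as SQL.
    return conn.execute("SELECT username, email FROM users WHERE username = ?",
                        (username,)).fetchall()


USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")   # assumed allow-list for usernames


def lookup_validated(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    # Defence in depth: allow-list validation in front of the parameterized query.
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    return lookup_parameterized(conn, username)


def lock_down(conn: sqlite3.Connection) -> None:
    # Limit account privileges: a read-only session for a read-only endpoint.
    # SQLite's query_only pragma is a demo stand-in for a SELECT-only account.
    conn.execute("PRAGMA query_only = 1")


def write_blocked(conn: sqlite3.Connection) -> bool:
    """True if the locked-down session refuses a destructive statement."""
    lock_down(conn)
    try:
        conn.execute("DELETE FROM users")
        return False
    except sqlite3.OperationalError:
        return True
```

Run the same input through the two lookups: the concatenated query returns every row for a value that closes the quote and appends a tautology, while the parameterized query simply finds no user with that literal name.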
Web App Threats:
The threats to web applications are:
+ Cookie Poisoning
+ Insecure Storage
+ Information Leakage
+ Directory Traversal
+ Parameter/Form Tampering
+ DoS Attack
+ Buffer Overflow
+ Log Tampering
+ SQL Injection
+ Cross-Site Scripting (XSS)
+ Cross-Site Request Forgery
+ Security Misconfiguration
+ Broken Session Management
+ DMZ Attack
+ Session Hijacking
+ Network Access Attacks
Wireless and RF Vulnerabilities:
+ Evil Twin
+ Karma Attack
+ Downgrade Attack
+ Deauth Attack
+ Fragmentation Attack
+ Credential Harvesting
+ WPS Implementation Weakness
+ Bluejacking
+ Bluesnarfing
+ RFID Cloning
+ Jamming
+ Repeating
Basic Malware Analysis:
+ Malware assessment
+ String analysis
+ Dependency analysis
+ Encountering files with wiped logical data
+ Sandbox analysis
+ Online malware scanner / sandbox
Security of Logs:
+ Control the volume of data
+ Event filtering or the clipping level determines the amount of logging
+ Auditing tools can reduce log size
+ Establish procedures in advance
+ Train personnel in pertinent log review
+ Protect against unauthorized access
+ Guard against disabling of auditing or deletion/clearing of logs
+ Protect the audit logs from unauthorized changes
+ Store/archive audit logs securely
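Protecting audit logs from unauthorized changes and from deletion is often implemented as a hash chain, where each entry commits to the previous one so that an edit or a removed entry breaks verification from that point on. The Python example below is added to show the mechanism; it is not code from the guide, and the log records are constructed sample values.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

GENESIS = "0" * 64   # anchor for the first entry

# Constructed sample audit records.
SAMPLE_RECORDS = [
    {"ts": "2024-03-10T14:02:11Z", "user": "alice", "action": "login", "result": "ok"},
    {"ts": "2024-03-10T14:03:40Z", "user": "alice", "action": "read", "object": "payroll.xlsx"},
    {"ts": "2024-03-10T14:04:02Z", "user": "bob", "action": "login", "result": "fail"},
]


def entry_hash(prev_hash: str, record: Dict) -> str:
    """Hash of this record chained to the previous entry's hash. The record is
    serialized canonically so that verification is independent of key order."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_entry(chain: List[Dict], record: Dict) -> Dict:
    """Append a record, linking it to the current tail of the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": dict(record), "prev": prev, "hash": entry_hash(prev, record)}
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict]) -> Tuple[bool, int]:
    """Walk the chain from the genesis value. Returns (True, -1) if every link holds,
    otherwise (False, index of the first entry that fails), which also catches a
    deleted entry because the following entry's 'prev' no longer matches."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["prev"] != prev or not hmac.compare_digest(e["hash"], entry_hash(prev, e["record"])):
            return False, i
        prev = e["hash"]
    return True, -1


def build_sample_chain() -> List[Dict]:
    chain: List[Dict] = []
    for rec in SAMPLE_RECORDS:
        append_entry(chain, rec)
    return chain
```

A chain alone does not stop someone with write access from rewriting every hash; the tail hash has to be anchored out of band (sent to a separate system, or keyed with an HMAC whose key the log host does not hold) for the verification to mean anything.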
The four data center tiers are named as follows:
+ Tier I: Basic Data Center Site Infrastructure
+ Tier II: Redundant Site Infrastructure Capacity Components
+ Tier III: Concurrently Maintainable Site Infrastructure
+ Tier IV: Fault-Tolerant Site Infrastructure
Storage Area Network (SAN) security issues:
SANs are high-speed networks that combine a variety of storage technologies, including tapes,
disk arrays, and optical drives, to provide network-attached storage that appears as if it is local. These
devices can usually support disk mirroring, sharing data between servers across networks, and
backup/restore operations.
+ Storage Area Network access control
++ Authentication / Authorization / Encryption / Availability
+ Fibre Channel Storage Area Network attacks
++ Session hijacking / LUN masking attacks / Man-in-the-Middle attack (MITM) / name server
pollution / WWN spoofing / zone hopping / switch attack
+ Internet Small Computer System Interface (iSCSI) attacks
++ Man-in-the-middle attack / Internet Simple Name Server domain hopping /
authentication attack
WLAN attacks:
+ Confidentiality Attacks
++ Traffic Analysis
++ Eavesdropping
++ Man-in-the-Middle Attack
++ Evil Twin AP
+ Access Control Attacks
++ War Driving
++ Rogue Access Point
++ MAC Address Spoofing
++ Unauthorized Access
+ Integrity Attacks
++ Session Hijacking
++ Replay Attack
++ Frame Injection Attack
+ Availability Attacks
++ Denial-of-Service Attack
++ Radio Frequency (RF) Jamming
++ Beacon Flood
++ Association/Authentication Flood
++ De-authentication & Disassociation
++ Queensland DoS / Virtual carrier-sense attack
++ Fake SSID
++ AP Theft
+ Authentication Attacks
++ Dictionary & Brute Force Attack
Authentication and Authorization Protocols:
+ SAML:
++ Authentication and Authorization/Enterprise
++ Single sign-on for enterprise users
+ SPML:
++ Account Provisioning/Account Management, SPML paired with SAML.
+ XACML:
++ Control policies
+ OAuth:
++ Resource Access integrated with OpenID
++ API authorization between applications
+ OpenID:
++ Authentication and Authorization /Commercial/Mobile App
++ Single sign-on for consumers
OAuth Flow:
+ Ask for a request token
+ Get Temporary credentials
+ Exchange for an access token
Basic TCB function:
+ Process activation
+ Execution domain switching
+ Memory protection
+ I/O operation
Memory Manager:
+ Relocation
+ Protection
+ Sharing
+ Logical Organization
+ Physical Organization
Memory Protection:
+ DEP (Data Execution Prevention)
+ ASLR (Address Space Layout Randomization)
+ ACL (Access Control List)
Memory Protection:
+ Segmentation
+ Paging
+ Protection keying
The Life Cycle of any Process:
+ Plan and organize
+ Implement
+ Operate and maintain
+ Monitor and evaluate
Fire extinguishers:
+ Class A - used for ordinary combustibles: paper, wood, cardboard, etc.
+ Class B - used for flammable liquids: gasoline, kerosene, oil, etc.
+ Class C - used for electrical equipment: appliances, wires, etc.
+ Class D - used for combustible metals: magnesium, titanium, potassium, etc.
Attacks (Mitigation):
+ Eavesdropping (encryption)
+ Cyber-squatting (Secure your domain registration)
+ SPAM (email filtering)
+ Teardrop (patching)
+ Overlapping fragment (not allowing fragments to overwrite)
+ Source routing Attack (block source-routed packets)
+ SYN flood Attack (vendor support in securing network stack)
+ Spoofing (patching, firewalls, strong authentication mechanisms)
+ Session hijacking (encryption, regular re-authentication)
Facility Attacks
+ Piggybacking
+ Fence jumping
+ Dumpster diving
+ Lockpicking
+ Lock bypass
+ Egress sensor
+ Badge cloning
Data exfiltration:
+ Covert channels
+ File sharing services
Man-in-the-middle:
+ ARP spoofing
+ ICMP redirect
+ DHCP spoofing
+ NBNS spoofing
+ Session hijacking
+ DNS poisoning
Isolating CPU processes:
+ Encapsulation of objects
+ Time multiplexing of shared resources
+ Naming distinctions
+ Virtual memory mapping
Security mechanism:
+ I/O operations
+ Process activation
+ Domain switching
+ Memory protection
+ Hardware management
Capture Security Requirements:
+ Threat modeling
+ Data classification
+ Risk assessments
Data removal:
+ Erasing - delete operation
+ Clearing - overwriting operation
+ Purging - more intensive form of clearing, by repetition
+ Declassification - purging media so that it is suitable for use in a less secure environment
+ Sanitization - a combination of processes that removes data from a system or media
+ Degaussing - use of a strong magnetic field
+ Destruction - crushing, incineration, shredding, disintegration
Emergency-Response Guidelines include:
+ Immediate response procedures
+ List of the individuals who should be notified of the incident
+ Secondary response procedures that first responders should take
ISC2 - Code of Ethics:
+ Protect society, the commonwealth, and the infrastructure
+ Act honorably, honestly, justly, responsibly and legally
+ Provide diligent and competent service to principals
+ Advance and protect the profession
Background checks:
+ Credit History
+ Criminal History
+ Driving Records
+ Drug and Substance Testing
+ Prior Employment
+ Education, Licensing, and Certification Verification
+ Social Security Number Verification and Validation
+ Suspected Terrorist Watch List
Website hacking (defacement) techniques:
+ SQL injection
+ XSS / CSRF
+ Remote file inclusion
+ Local file inclusion
+ DDoS
+ Exploiting vulnerabilities
+ Directory traversal
+ Command injection
Penetration Test: DEnVER
+ Discovery - Obtain the footprint and information about the target.
+ Enumeration - Perform port scans and resource identification.
+ Vulnerability mapping - Identify vulnerabilities in systems and resources.
+ Exploitation - Attempt to gain unauthorized access by exploiting the vulnerabilities.
+ Report - Report the results to management with suggested countermeasures.
Main sections defined by the standard as the basis for penetration testing execution:
+ Pre-engagement Interactions
+ Intelligence Gathering
+ Threat Modeling
+ Vulnerability Analysis
+ Exploitation
+ Post Exploitation
+ Reporting
Penetration Test:
+ Goal
+ Reconnaissance
+ Discovery
+ Exploitation
+ Brute-Force
+ Social Engineering
+ Taking Control
+ Pivoting
+ Evidence
+ Reporting
+ Remediation
Penetration Testing:
+ External testing
+ Internal testing
+ Blind testing - Limited information is given to the PT team
+ Double-blind testing - No information is given to the internal security team
+ Targeted testing - Both the internal team and the PT team are aware
Penetration Testing:
+ Reconnaissance
+ Scanning
+ Gaining Access
+ Maintaining Access
+ Covering Tracks
Penetration Testing:
+ Performing basic reconnaissance to determine system function
+ Network discovery scans to identify open ports
+ Network vulnerability scans to identify unpatched vulnerabilities
+ Web application vulnerability scans to identify web application flaws
+ Use of exploit tools to automatically attempt to defeat the system security
+ Manual probing and attack attempts
Penetration Testing Techniques:
+ Wardriving/dialing
+ Eavesdropping
+ Network sniffing
+ Physical security testing
+ Social engineering
Penetration Testing Rules of Engagement:
+ Identify and define the appropriate testing method(s) and techniques, including exploitation of the
relevant devices and/or services
+ While scope defines the start and the end of an engagement, the rules of engagement define
everything in between
Rules of engagement (ROE):
+ Introduction
+ Logistics
+ Communication
+ Targets
+ Execution
+ Reporting
+ Signatures
There are a few elements that are common to most effective pen testing reports:
+ Preparation:
++ Identify the objectives and purpose of the penetration test.
++ Consider how best to address the audience you are writing to.
++ Ensure that you can place all relevant events in the context of time.
+ Content:
++ Detail the test methodology you used in your tests.
++ Detail the results of each test, identifying the specific assets and vulnerabilities that you
identified.
++ Provide your analysis and interpretation of the results.
++ Suggest remediation techniques to employ.
+ Formatting:
++ Format your report to comply with all of the applicable government regulations and with
standards.
++ Write in clear, practical language. Avoid technical jargon.
++ Format your report with groups and sections to enhance readability.
++ Proofread your document before sending it out:
+++ Ask another expert to provide a second opinion on the report before sending it out.
Enumeration:
+ Extracting usernames using email IDs, default passwords
+ Extracting usernames using SNMP
+ Extracting information using DNS zone transfer, Finger OS, and ports
Firewall:
+ 1st generation: packet filtering firewalls
+ 2nd generation: application (proxy) firewalls
+ 3rd generation: stateful packet inspection firewalls
+ 4th generation: dynamic filtering
+ 5th generation: kernel proxy
Firewall Logs:
+ Connections permitted or denied
+ IDS activity
+ Address translation audit trail
+ User activity
+ Cut-through-proxy activity
+ Bandwidth usage
+ Protocol usage
Fire suppression:
+ Wet systems - constant water supply;
+ Dry systems - valve releases when stimulated by heat;
+ Pre-action systems - water held back until detectors activate;
+ Deluge systems - sprinkler heads in an open position;
Threats to the DNS Infrastructure:
+ Footprinting
+ Denial-of-Service Attack
+ Data modification
+ Redirection
+ Spoofing
Attacks against DNS servers:
+ Zone transfer: Information gathering shortcut
+ Zone poisoning: Breach the primary server and alter the zone file to corrupt the domain
+ Cache poisoning: Send false answers to cache servers until they store them
+ Reflection DoS: Send bogus requests into a chain of servers that do recursive queries
Reduce XSS:
+ Data validation
+ Data Sanitization
+ Cookies security
+ Output Escaping
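As an added example (not from the guide), a small Python request handler that shows the four XSS controls listed above side by side: a reflected page with no escaping, then the same page with allowlist validation, sanitization, output escaping and a hardened session cookie. The search-term allowlist, the cookie name and the session value are constructed for illustration.

```python
import html
import re

# Constructed sample input (not from the guide): a search term carrying markup.
SAMPLE_TERM = '<script>alert(1)</script>'

# Allowlist for a search term: letters, digits, space and a little punctuation.
VALID_TERM = re.compile(r'^[A-Za-z0-9 .,_-]{1,64}$')


def vulnerable_page(term: str) -> str:
    """Reflects user input straight into HTML, so markup is rendered as markup."""
    return f'<p>Results for: {term}</p>'


def validate_term(term: str) -> bool:
    """Data validation: accept only what matches the allowlist, reject the rest."""
    return bool(VALID_TERM.fullmatch(term))


def sanitize_term(term: str) -> str:
    """Data sanitization: strip characters outside the allowlist when a
    best-effort cleanup is acceptable (e.g. a free-text search box)."""
    return re.sub(r'[^A-Za-z0-9 .,_-]', '', term)[:64]


def hardened_page(term: str) -> str:
    """Output escaping: encode the value for the HTML text context it lands in,
    whether or not it passed validation, so any markup becomes inert text."""
    return f'<p>Results for: {html.escape(term, quote=True)}</p>'


def session_cookie(session_id: str) -> str:
    """Cookie security: HttpOnly keeps script from reading the cookie, Secure
    limits it to HTTPS, SameSite=Strict stops cross-site requests sending it."""
    return f'session={session_id}; HttpOnly; Secure; SameSite=Strict; Path=/'


def handle_search(term: str) -> tuple:
    """Combine the controls as a handler would: validate first, sanitize when
    validation fails, and always escape on output. Returns (body, set_cookie)."""
    if not validate_term(term):
        term = sanitize_term(term)
    # Constructed session id; a real handler would generate a random one.
    return hardened_page(term), session_cookie('CONSTRUCTED-SESSION-ID')


if __name__ == '__main__':
    print(vulnerable_page(SAMPLE_TERM))
    print(hardened_page(SAMPLE_TERM))
    print(handle_search(SAMPLE_TERM))
```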
The PCI Data Security Standard goals:
+ Build and Maintain a Secure Network
+ Protect Cardholder Data
+ Maintain a Vulnerability Management Program
+ Implement Strong Access Control Measures
+ Regularly Monitor and Test Networks
+ Maintain an Information Security Policy
Note: PCI DSS allows for cardholder information at rest to be secured with either tokenization or
encryption, but the use of one is mandatory.
Outsourcing:
+ Ensuring that the organization has appropriate controls and processes in place to facilitate
outsourcing.
+ Ensuring that there are appropriate information risk management clauses in the outsourcing
contract.
+ Ensuring that a risk assessment is performed for the process to be outsourced.
+ Ensuring that an appropriate level of due diligence is performed prior to contract signature.
+ Managing the information risk for outsourced services on a day-to-day basis.
+ Ensuring that material changes to the relationship are flagged and new risk assessments are
performed as required.
+ Ensuring that proper processes are followed when relationships are ended.
Mobile devices are prime vectors for data loss; areas the professional should focus on:
+ Secure communications
+ Antimalware
+ Strong authentication
+ Passwords
+ Control 3rd party software
+ Separate secure mobile gateways
+ Lockdown, audits
+ Penetration tests
+ Mobile security policy
Basic Types of Mobile Threats:
+ Denial of service - Deny or degrade service to users. Jamming of wireless communications,
overloading networks with bogus traffic, ransomware, theft of mobile devices or mobile services.
+ Geolocation - Physical tracking of users. Passively or actively obtaining accurate three-
dimensional coordinates of the target, possibly including speed and direction.
+ Information disclosure - Unauthorized access to information or services.
Interception of data in transit, leakage or exfiltration of user, app, or enterprise data, tracking of
user location, eavesdropping on voice or data communications, surreptitiously activating the
phone's microphone or camera to spy on the user.
+ Spoofing - Impersonating something or someone. Email or SMS message pretending to be from
the boss or a colleague (social engineering); a fraudulent Wi-Fi access point or cellular base station
mimicking a legitimate one.
+ Tampering - Modifying data, software, firmware, or hardware without authorization. Modifying
data in transit, inserting tampered hardware or software into the supply chain, repackaging
legitimate apps with malware, modifying network or device configuration (e.g., jailbreaking or
rooting a phone).
Regression and Acceptance Testing include:
+ Test fixed bugs promptly.
+ Watch for side effects of fixes.
+ Write a regression test for each bug fixed.
+ If two or more tests are similar, determine which is less effective and get rid of it.
+ Identify tests that the program consistently passes and archive them.
+ Focus on functional issues, not those related to design.
+ Make changes (small and large) to data and find any resulting corruption.
+ Trace the effects of the changes on program memory.
Data Retention policy in cloud:
+ Regulation
+ Data mapping
+ Data Classification
+ Procedures
+ Monitoring and maintenance
Retention policies should address:
+ Storage
+ Retention
+ Destruction / Disposal
8 steps of data retention:
+ Evaluate Statutory Requirements, Litigation obligations, and business needs
+ Classify types of records
+ Determine retention periods and destruction policies
+ Draft and justify record retention policy
+ Train staff
+ Audit retention and destruction practices
+ Periodically review policy
+ Document policy, implementation, training, and audits
System engineering management:
+ Decision Analysis
+ Technical Planning
+ Assessment Requirements
+ Configuration, Interface
+ Technical Data
+ Risk Management
Cyber Kill Chain:
+ Reconnaissance
+ Weaponization
+ Delivery
+ Exploitation
+ Installation
+ Command and Control
+ Actions on Objectives
Cybersecurity Framework:
+ Identify - Develop the organizational understanding to manage cybersecurity risk to systems,
assets, data, and capabilities. The activities in the Identify Function are foundational for effective
use of the Framework. Understanding the business context, the resources that support critical
functions, and the related cybersecurity risks enables an organization to focus and prioritize its
efforts, consistent with its risk management strategy and business needs. Examples of outcome
Categories within this Function include: Asset Management; Business Environment; Governance;
Risk Assessment; and Risk Management Strategy.
+ Protect - Develop and implement the appropriate safeguards to ensure delivery of
critical infrastructure services. The Protect Function supports the ability to limit or contain the
impact of a potential cybersecurity event. Examples of outcome Categories within this Function
include: Access Control; Awareness and Training; Data Security; Information Protection Processes
and Procedures; Maintenance; and Protective Technology.
+ Detect - Develop and implement the appropriate activities to identify the occurrence of a
cybersecurity event. The Detect Function enables timely discovery of cybersecurity events.
Examples of outcome Categories within this Function include: Anomalies and Events; Security
Continuous Monitoring; and Detection Processes.
+ Respond - Develop and implement the appropriate activities to take action regarding a detected
cybersecurity event. The Respond Function supports the ability to contain the impact of a
potential cybersecurity event. Examples of outcome Categories within this Function include:
Response Planning; Communications; Analysis; Mitigation; and Improvements.
+ Recover - Develop and implement the appropriate activities to maintain plans for resilience and
to restore any capabilities or services that were impaired due to a
cybersecurity event. The Recover Function supports timely recovery to normal operations to
reduce the impact from a cybersecurity event. Examples of outcome Categories within this
Function include: Recovery Planning; Improvements; and Communications.