Cissp Process Guide v9

CISSP

PROCESS GUIDE

Notice
This document is a supplement to, not a replacement for, the official study books. I added multiple
definitions (due to multiple resources: CBK, SYBEX and Shon Harris) of the same concept or
procedure to better understand the process; in case of conflict please refer to the CBK.

CISSP PROCESS GUIDE|V.9|Fadi SODAH(madunix) CISA CISSP MCSE ICATE CCNA CCIP CCNP 1
Corporate Governance:
Corporate governance is the set of responsibilities and practices exercised by the
board and executive management with the goal of providing strategic direction,
ensuring that objectives are achieved, ascertaining that risk is managed
appropriately and verifying that the enterprise's resources are used responsibly.
• Auditing supply chains
• Board and management structure and process
• Corporate responsibility and compliance
• Financial transparency and information disclosure
• Ownership structure and exercise of control rights

Classification program: DIDD
•Define classification level
•Identify owner
•Determine security level
•Develop procedure for declassifying

Forensic:
•Identification
•Preservation
•Collection
•Examination
•Analysis
•Presentation
•Decision

Employment Policies for Security:
Separation of duties, least privilege, mandatory vacations, job description /
sensitivity / responsibility, job rotation, collusion

Data Classification Procedures:
•Define classification levels.
•Specify the criteria that will determine how data are classified.
•Identify data owners who will be responsible for classifying data.
•Identify data custodians who will be responsible for maintaining the data and its security level.
•Indicate the security controls, protection mechanisms, required for each class level.
•Document any exceptions to the previous classification issues.
•Indicate the methods that can be used to transfer custody of information to a different owner.
•Create a procedure to periodically review the classification and ownership.
•Communicate any changes to the data custodian.
•Indicate procedures for declassifying the data.
•Integrate these issues into security-awareness program

BIA:
•Identify Priorities
•Identify Risk
•Likelihood Assessment
•Impact Assessment
•Resource prioritization

BIA:
•Identify People for data gathering
•Identify data gathering techniques
•Identify function and resources on which these function depend
•Calculate MTD
•Identify threat, Vulnerability
•Calculate Risk
•Report to Management

BIA:
•Performing a risk analysis
•Identifying critical systems
•Determining criticality
•Researching resource requirements

BIA:
•Select individuals to interview for data gathering.
•Create data-gathering techniques
•Identify critical business functions.
•Identify resources these functions depend upon.
•Calculate how long these functions can survive without these resources.
•Identify vulnerabilities and threats
•Calculate the risk for each different business function.
•Document findings
•Report them to management

BCP:
•Project Initiation
•Business Impact Analysis
•Recovery Strategy
•Plan design and development
•Implementation
•Testing
•Continual Maintenance

BCP NIST 800-34
• Develop planning policy;
• BIA
• Identify preventive controls
• Create contingency strategies
• Develop contingency plan
• Test
• Maintenance

BCP:
•BCP is Corrective Control.
•DRP is recovery control.
•Both BCP and DRP fall under the category of compensating controls.
•BCP is NOT a preventive control, as it cannot prevent a disaster.
•BCP helps in continuity of organization function in the event of a disaster.

BCP helps:
•Provide an immediate and appropriate response to emergency situations
•Protect lives and ensure safety
•Reduce business impact
•Resume critical business functions
•Work with outside vendors and partners during the recovery period
•Reduce confusion during a crisis
•Ensure survivability of the business
•Get "up and running" quickly after a disaster

BCP:
•Continuity Policy
•BIA
•Identify Preventive Controls
•Develop Recovery Strategies
•Develop BCP
•Exercise/Drill/Test
•Maintain BCP

BCP Documentation:
•Continuity of planning goals
•Statement of importance and statement of priorities
•Statement of Organizational responsibilities
•Statement of Urgency and Timing
•Risk assessment, Risk Acceptance and Risk mitigation document
•Vital Records Program
•Emergency Response Guidelines
•Documentation for maintaining and testing the plan

BCP:
1) Project scope and planning
- Business Organization Analysis
- BCP team selection
- Resource Requirements
- Legal and regulatory requirements
2) Business impact assessment
- Identify priorities
- Risk Identification
- Likelihood Assessment
- Impact Assessment
- Resource Prioritization
3) Continuity planning (CP)
- Strategy Development
- Provisions and Processes
- Plan Approval
- Plan Implementation
- Training and Education
4) Approval and implementation
- Approval by senior management. (APPROVAL)
- Creating an awareness of the plan enterprise-wide. (AWARENESS)
- Maintenance of the plan, including updating when needed. (MAINTENANCE)
- Implementation

Risk Analysis:
•Analyzing environment for risks
•Creating a cost/benefit report for safeguards
•Evaluating threat

Damage assessment:
•Determining the cause
•How long it will take
•Identifying the resources
•Declare a disaster

Phases of DITSCAP and NIACAP accreditation:
•Definition
•Verification
•Validation
•Post Accreditation

Data contamination controls (input controls):
Transaction counts; dollar counts; hash totals; error detection; error correction;
resubmission; self-checking digits; control totals and label processing

Software protection mechanisms:
Inadequate granularity of controls; control and separation of environments; time of
check/time of use; social engineering; backup controls; software forensics; mobile
code controls; programming language support

Configuration management: PB ICM RR
•Plan
•Baseline
•Implement
•Control
•Monitor/Report
•Repeatable

Configuration Management: PAI CMRR
•Plan
•Approve Baseline
•Implement
•Control Changes
•Monitor
•Report
•Repeatable

Configuration management: (ICAA)
• Configuration Identification
• Configuration Control
• Configuration Status Accounting
• Configuration Audit

Change Management: RAD - TIR
• Request for a change to take place
• Approval of the change
• Documentation of the change
• Tested and presented
• Implementation
• Report change to management

Change Management: (RRASD)
• Request
• Review
• Approve
• Schedule
• Document

Change Management: (RET RAD DIVC)
•Request
•Evaluate
•Test
•Rollback
•Approve
•Document
•Determine Change Window
•Implement
•Verify
•Close

Life cycle of evidence:
•Collection and identification
•Storage, preservation, and transportation
•Presentation in court
•Return of the evidence

Private VLAN:
•Promiscuous: can talk to any node in the VLAN
•Isolated: can only talk to promiscuous nodes
•Community: can talk to other nodes in the same community and to any promiscuous node

SDLC: (Re Do Damn Test Right)
•Request/Gather information
- Security risk assessment
- Privacy risk assessment
- Risk-level acceptance
- Informational, functional, and behavioral requirements
•Design
- Attack surface analysis + Threat modeling
•Develop
- Automated CASE tools + Static analysis
•Test/Validation
- Dynamic analysis + Fuzzing + Manual testing
- Unit, integration, acceptance, and regression testing
•Release/Maintenance
- Final security review

SDLC:
•Project initiation and planning
•Functional requirements definition
•System design specifications
•Development and implementation
•Documentation and common program controls
•Testing and evaluation control, (certification and accreditation)
•Transition to production (implementation)
The system life cycle (SLC) extends beyond the SDLC to include two additional phases:
•Operations and maintenance support (post-installation)
•Revisions and system replacement

SDLC 10 phases:
• Initiation- Identifying the need for a project
• System Concept Development- Defining the project scope and boundaries
• Planning- Creating the project management plan
• Requirements Analysis- Defining user requirements
• Design- Creating a Systems Design Document that describes how to deliver project
• Development- Converting the design into a functional system
• Integration and Test- Verifying that the system meets the requirements
• Implementation- Deploying the system into the production environment
• Operations and Maintenance- Monitoring and managing the system in production
• Disposition - Migrating the data to a new system and shutting the system down

System Development Life Cycle:
• Initiation. During the initiation phase, the need for a system is expressed and the
purpose of the system is documented.
• Development/Acquisition. During this phase, the system is designed, purchased,
programmed, developed, or otherwise constructed.
• Implementation/Assessment. After system acceptance testing, the system is
installed or fielded.
• Operation/Maintenance. During this phase, the system performs its work. The
system is almost always modified by the addition of hardware and software and by
numerous other events.
• Disposal. Activities conducted during this phase ensure the orderly termination of
the system, safeguarding vital system information, and migrating data processed by
the system to a new system, or preserving it in accordance with applicable records
management regulations and policies.

SDLC: (IDIOT)
•Initiate
•Acquire/development
•Implement
•Operations/maintenance
•Disposal

SDLC (Security):
• Prepare a Security Plan
• Initiation
• Development/Acquisition
– Determine Security Requirements
– Incorporate Security Requirements into Specifications
– Obtain the System and Related Security Activities
• Implementation
– Install/Turn on Controls
– Security Testing
– Accreditation
• Operation/Maintenance
– Security Operations and Administration
– Operational Assurance
– Audits and Monitoring
• Disposal
– Information transfer or destruction
– Media Sanitization

RMF: CSIAAM NIST 800-37
•Categorize
•Select
•Implement
•Assess
•Authorize
•Monitor

Classify information:
• Specify the classification criteria.
• Classify the data.
• Specify the controls.
• Publicize awareness of the classification controls.

E-discovery: II PC PR APP
•Information
•Identification
•Preservation
•Collection
•Processing
•Review
•Analysis
•Production
•Presentation

Data classification scheme: (ISC DSSC)
•Identify custodian
•Specify evaluation criteria
•Classify and label each resource
•Document any exceptions
•Select security controls
•Specify the procedures for declassifying
•Create enterprise awareness program

System development life cycle:
•Conceptual definition
•Functional requirements determination
•Control specifications development
•Design review
•Code review walk-through
•System test review
•Maintenance and change management

Incident response:
• Preparation
• Detection and analysis
• Containment, eradication, and recovery
• Post incident activity

Incident response: (P DRM 3RL)
•Preparation
•Detection -- Identification
•Response -- Containment
•Mitigation
•Reporting -- Report to Sr. Management
•Recovery -- Change Management & Configuration Management
•Remediation -- RCA & Patch Management & Implement controls
•Lessons Learned -- Document and knowledge transfer

Incident response: (TIC AT)
•Triage (assess the severity of the incident and verify it)
•Investigation (contact law enforcement)
•Containment (limit the damage)
•Analysis
•Tracking

Incident response:
•Preparation
•Detection
•Containment
•Eradication
•Recovery
•Post Incident Review/Lesson learned

Incident Handling Steps: PIC ERL (NIST 800-61)
•Preparation (People)
•Identification (Identify)
•Containment (Containers)
•Eradication (Ending)
•Recovery (Real)
•Lessons Learned (Lives)

Incident response: DRM 3RL
•Detection
•Response
•Mitigation
•Reporting
•Recovery
•Remediation
•Lesson learned

Purpose of incident response:
•Restore normal service
•Minimize impact on business
•Ensure service quality and availability are maintained

Vulnerability management:
•Inventory
•Threat
•Assess
•Prioritize
•Bypass
•Deploy
•Verify
•Monitor

Information Security Continuous Monitoring:
DEI AR2UR
•Define
•Establish
•Implement
•Analyze
•Respond
•Review
•Update
•Repeat

Threat modeling: STRIDE
•Spoofing: Attacker assumes identity of subject
•Tampering: Data or messages are altered by an attacker
•Repudiation: Illegitimate denial of an event
•Information Disclosure: Information is obtained without authorization
•Denial of Service: Attacker overloads system to deny legitimate access
•Elevation of Privilege: Attacker gains a privilege level above what is permitted

Threat Modelling:
•Assessment scope
•System Modelling
•Identify Threat
•Identify Vulnerability
•Examine threat history
•Impact
•Response

Generic Threat Modeling: AS TV EID
•Assessment Scope
•System Modeling
•Identify Threats
•Identify Vulnerabilities
•Examining the Threat History
•Evaluation of Impact on the Business
•Developing a Security Threat Response Plan

Data Classification
•Scope (value, age)
•Classification Controls
•Assurance
•Marking and labeling

Change control:
•Implement changes in a monitored and orderly manner.
•Changes are always controlled
•Formalized testing
•Reversed/rollback
•Users are informed of changes before they occur to prevent loss of productivity.
•The effects of changes are systematically analyzed.
•The negative impact of changes on capabilities, functionality, performance
•Changes are reviewed and approved by a CAB (change approval board).

Data Retention policy in cloud:
•Regulation
•Data mapping
•Data Classification
•Procedures
•Monitoring and maintenance

Vulnerability assessment and penetration testing:
•Scope
•Information gathering
•Vulnerability detection
•Information analysis and planning
•Penetration testing
•Privilege escalation
•Result analysis
•Reporting
•Cleanup

Problem Management: NRD RIR
•Incident notification
•Root cause analysis
•Solution determination
•Request for change
•Implement solution
•Monitor/report

Auditing uses:
Record review, adequacy of controls, compliance with policy, detection of malicious activity,
evidence for prosecution, problem reporting and analysis

Audit:
•Evaluate security controls
•Report on their effectiveness
•Recommend improvements

Audit plan:
•Define audit objectives
•Define audit scope
•Conduct audit
•Refine the audit process

Audit Process: DID CPC DC
• Determine goals
• Involve right business unit leader
• Determine Scope
• Choose audit Team
• Plan audit
• Conduct audit
• Document result
• Communicate result

Audit Report:
• Purpose
• Scope
• Results discovered or revealed by the audit
• Problems, events, and conditions
• Standards, criteria, and baselines
• Causes, reasons, impact, and effect
• Recommended solutions and safeguards

Capability Maturity Model - IRDMO:
•Initial Stage - unpredictable, poorly controlled, and reactive
•Repeatable Stage - characterized for projects, repeatable
•Defined Stage - characterized for the entire organization and is proactive.
•Managed Stage - quantitatively measured and controlled
•Optimizing Stage - continuous improvement. (Budget)

Equipment lifecycle:
•Defining requirements,
•Acquiring and implementing,
•Operations and maintenance,
•Disposal and decommission

Preparing Risk Assessment:
•Purpose of the assessment
•Scope of the assessment
•Assumptions and constraints associated with the assessment
•Sources of information to be used as inputs to the assessment
•Risk model and analytic approaches

Risk Assessment NIST 800-30 (STV CLI RRR)
•System/Asset Characterization
•Threat Identification
•Vulnerability Identification
•Control Analysis
•Likelihood Determination
•Impact Analysis
•Risk Determination
•Control Recommendations
•Results Documentation

Patch management: IAP TCD RDV
•Inventory
•Allocate Resources
•Pursue updates
•Test
•Change Approval
•Deployment plan
•Rollback plan
•Deploy and verify updates with policy requirements
•Document

Patch management: PPS TI AACC
•Patch Information Sources
•Prioritization
•Scheduling
•Testing
•Installation
•Assessment
•Audit
•Consistency
•Compliance

Patch management: ETA DV
•Evaluate
•Test
•Approve
•Deploy
•Verify

CDN Benefits:
• On-demand scaling
• Cost efficiency
• Locality of Content
• Security Enhancement
• Filter out DDOS attacks

Elements of risk:
• Threats
• Assets
• Mitigating factors

IEEE:
• IEEE 802.1: Bridging & Management
• IEEE 802.11: Wireless LANs
• IEEE 802.15: Wireless PANs
• IEEE 802.16: Broadband Wireless MANs
• IEEE 802.20: Mobile Broadband Wireless Access

Downsides biometric:
•User acceptance
•Enrollment timeframe
•Throughput
•Accuracy over time

5 necessary factors for an effective biometric access control system:
Accuracy, speed & throughput, data storage requirements, reliability & acceptability

Required for accountability:
•Identification
•Authentication
•Auditing

Social Engineering:
• Authority
• Intimidation
• Consensus
• Scarcity
• Urgency
• Familiarity

Data Life Cycle: CSU SAD
• Create. Creation is the generation of new digital
• Store. Storing is the act of committing the digital data
• Use. Data is viewed, processed, or otherwise used
• Share. Information is made accessible to others,
• Archive. Data leaves active use and enters long-term storage
• Destroy. Data is permanently destroyed

API – formats:
•Representational State Transfer (REST) - is a software architecture style consisting
of guidelines and best practices for creating scalable web services.
•Simple Object Access Protocol (SOAP) - is a protocol specification for exchanging
structured information in the implementation of web services in computer
networks

NIST:
•NIST 800-12 NIST Handbook, Introduction to Computer Security
•NIST 800-13 Telecommunications Security Guidelines for Telecommunications Management Network
•NIST 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems
•NIST 800-34 Contingency planning
•NIST 800-40 Creating a Patch and Vulnerability Management Program
•NIST 800-41 Guidelines on Firewalls and Firewall Policy
•NIST 800-44 Guidelines on Securing Public Web Servers
•NIST 800-45 Guidelines on Electronic Mail Security
•NIST 800-47 Security Guide for Interconnecting IT Systems
•NIST 800-48 Guide to Securing Legacy IEEE 802.11 Wireless Networks
•NIST 800-50 Building an IT Security Awareness and Training Program
•NIST 800-53 Recommended Security Controls
•NIST 800-53A Assessing Security and Privacy Controls in Federal Information Systems and Organizations
•NIST 800-54 Border Gateway Protocol Security
•NIST 800-55 Information security metrics
•NIST 800-57 Recommendation for Key Management
•NIST 800-66 Health care privacy issues
•NIST 800-83 Guide to Malware Incident Prevention and Handling
•NIST 800-86 Guide to Integrating Forensic Techniques into Incident Response
•NIST 800-100 Information Security Handbook
•NIST 800-119 Guidelines for Secure Deployment of IPv6

Risk Management Process: FARM
•Framing risk
•Assessing risk
•Responding to risk
•Monitoring risk

Confidentiality other concepts:
Sensitivity, discretion, criticality, concealment, secrecy, privacy, seclusion, isolation

ISO:
•ISO 27000: ISMS-Overview and Vocabulary
•ISO 27001: ISMS-Requirement
•ISO 27002: Code of practice
•ISO 27003: ISMS implementation
•ISO 27004: Measurement and metrics framework
•ISO 27005: Risk management
•ISO 27006: certification body requirements
•ISO 27007: ISMS-Auditing
•ISO 27008: Information Security Control
•ISO 27011: ISMS- guideline telecom organization
•ISO 27014: Governance of information security
•ISO 27017: Use of cloud services
•ISO 27031: Communications technology readiness for business continuity
•ISO 27033-1: Guideline for network security
•ISO 27799: Directives on protecting personal health information
•ISO 31000: Risk Management Framework
•ISO 27034: Application security

CODE REPOSITORY SECURITY:
• System security
• Operational security
• Software security
• Secure communications
• File system and backups
• Employee access
• Maintaining security
• Credit card safety

Policy:
•Organizational (or Master) Policy
•System-specific Policy
•Issue-specific Policy

Software defined networking (SDN):
•Application
•Control
•Infrastructure

Media control:
•Accurately and promptly mark all data storage media
•Ensure proper environmental storage of the media
•Ensure the safe and clean handling of the media
•Log data media to provide a physical inventory control

Enterprise Security Architecture (ESA):
•Presents a long-term, strategic view of the system
•Unifies security controls
•Leverages existing technology investments

MPLS feature:
• Traffic engineering
• Better router performance
• Built-in tunneling

Availability other concepts:
Usability, accessibility, timeliness, reliability

Third Party Contracts:
•NDA/NDC
•Regulatory Compliance
•Incident notification
•SLA/SLC

Evaluate Third party:
•On-Site Assessment
•Document Exchange and Review
•Process/Policy Review

Security Policy:
•Define scope
•Identify all assets
•Determine level of protection
•Determine personal responsibility
•Develop consequences for noncompliance

Information security risk toolkit CRAMM:
•Identify and value assets
•Identify threats and vulnerabilities and calculate risks
•Identify and prioritize countermeasures

Identity and Access Management lifecycle:
•Provisioning: Applying appropriate rights to users for files/folders
•Review: Periodic monitoring of existing rights for continued need
•Revocation: Removal of rights when no longer needed or warranted

Drawbacks multilayer protocols:
•Covert channels are allowed
•Filters can be bypassed
•Logically imposed network segment boundaries can be overstepped

Benefits multilayer protocols:
•Wide range of protocols can be used
•Encryption
•Flexibility and resiliency

Common Criteria CC:
•PP (Protection Profile) = what the customer needs
•ST (Security Target) = what the vendor provides
•TOE (Target of Evaluation) = the actual product
•EAL (Evaluation Assurance Level) = the rating that expresses the level of evaluation and assurance

EAL:
•EAL 1 : Functionally tested
•EAL 2 : Structurally tested
•EAL 3 : Methodically tested and checked
•EAL 4 : Methodically designed, tested and reviewed (DTR4)
•EAL 5 : Semiformally designed and tested
•EAL 6 : Semiformally verified design and tested (DTV6)
•EAL 7 : Formally verified design and tested.

Cryptography:
•Privacy
•Authentication
•Integrity
•Non-repudiation

Security Cloud Computing:
•Data segregation
•Identity Management
•Availability Management
•Vulnerability Management
•Access Control Management

Data archiving:
• Format
• Regulatory requirements
• Testing

SIEM:
•Correlation
•Compliance
•Alert

Software requirements:
•Informational model
•Functional model
•Behavioral model

Attacks Phase:
•Gaining Access
•Escalating Privileges
•System Browsing
•Install Additional Tools
•Additional Discovery

API security:
•Use same security controls for APIs as for any web application on the enterprise.
•Use Hash-based Message Authentication Code (HMAC).
•Use encryption when passing static keys.
•Use a framework or an existing library to implement security solutions for APIs.
•Implement password encryption instead of single key-based authentication.

KPI based on:
•BIA
•Effort to implement
•Reliability
•Sensitivity
Note: SLAs are often a subset of KPI

Security programs metrics:
•KPI looks backwards at historical performance
•KRI looks forward, show how much risk exists that may jeopardize the future
security of org.

Software Protection Mechanisms:
Security Kernels; processor privilege states; security controls for buffer overflows;
controls for incomplete parameter check and enforcement; memory protection;
covert channel controls; cryptography; password protection techniques

Software Acquisition:
•Planning
•contracting
•monitoring
•acceptance
•follow on

SQL Injection:
•Perform Input Validation
•Limit Account Privileges
•Use Stored Procedures

Retention policy should address:
•Storage
•Retention
•Destruction/disposal

Cloud Storage security:
•Encryption
•Authentication
•Authorization

Authentication and Authorization Protocols
• SAML: Authentication and Authorization/Enterprise
• SPML: Account provisioning/account management; paired with SAML
• XACML: Control policies
• OAuth: (Resource "Access") integrated with OpenID
• OpenID: Authentication and Authorization/Commercial/Mobile App
• SAML: Single sign-on for enterprise users
• OpenID: Single sign-on for consumers
• OAuth: API authorization between applications

Security of logs:
• Control the volume of data.
• Event filtering or clipping level determines amount of log
• Auditing tools can reduce log size.
• Establish procedures in advance.
• Train personnel in pertinent log review.
• Protect and ensure against unauthorized access.
• Disable auditing or deleting/clearing logs.
• Protect the audit logs from unauthorized changes.
• Store/archive audit logs securely.

OAuth Flow:
•Ask for request token
•Get Temporary credentials
•Exchange for access token

Memory Manager:
•Relocation
•Protection
•Sharing
•Logical Organization
•Physical Organization

Threats Cloud Security:
•Data loss
•Account hijacking
•Insecure API
•DoS
•Extra billing for unused resources
•Inside threats
•Poor security from the SP (service provider)
•Multi-tenancy related breaches

Cloud Risk:
•Privileged user access
•Regulatory compliance
•Data Location
•Data Segregation
•Recovery
•Long term viability

Basic TCB function:
•Process activation
•Execution domain switching
•Memory protection
•I/O operation

Memory protection:
•DEP
•ASLR
•ACL

Attacks (Mitigation)
•Eavesdropping (encryption)
•Cyber-squatting (Secure your domain registration)
•SPAM (email filtering)
•Teardrop (patching)
•Overlapping fragment (not allowing fragments to overwrite)
•Source routing Attack (block source-routed packets)
•SYN flood Attack (vendor support in securing network stack)
•Spoofing (patching, firewalls, strong authentication mechanisms)
•Session hijacking (encryption, regular re-authentication)

Isolating CPU processes: TV NE
•Encapsulation of objects
•Time multiplexing of shared resources
•Naming distinctions
•Virtual memory mapping

Security mechanisms:
•I/O operations
•Process activation
•Domain switching
•Memory protection
•Hardware management

Capture Security Requirement: TDR
•Threat modeling
•Data classification
•Risk assessments

Data removal:
•Erasing - delete operation
•Clearing - overwriting operation
•Purging - more intensive form of clearing by repetition
•Declassification - purge media to be suitable for use for secure environment
•Sanitization - combination of processes that remove data from a system or media
•Degaussing - use of a strong magnetic field
•Destruction - Crushing, Incineration, Shredding, disintegration

Emergency-Response Guidelines include:
•Immediate response procedures
•List of the individuals who should be notified of the incident
•Secondary response procedures that first responders should take

ISC - CODE of Ethics:
•Protect society, the common good, necessary public trust and confidence, and the infrastructure
•Act honorably, honestly, justly, responsibly and legally
•Provide diligent and competent service to principals
•Advance and protect the profession

Background checks:
•Credit History
•Criminal History
•Driving Records
•Drug and Substance Testing
•Prior Employment
•Education, Licensing, and Certification Verification
•Social Security Number Verification and Validation
•Suspected Terrorist Watch List

HACKING WEBSITE: Deface Websites
•SQL injection
•XSS
•Remote file inclusion
•Local file inclusion
•DDOS
•Exploiting vulnerability

Penetration Test: D En V E R
•Discovery - Obtain the footprint and information about the target.
•Enumeration - Perform ports scans and resource identification.
•Vulnerability mapping - Identify vulnerabilities in systems and resources.
•Exploitation - Attempt to gain unauthorized access by exploiting the vulnerabilities.
•Report - Report the results to management with suggested countermeasures

Penetration Test:
•Goal
•Reconnaissance
•Discovery
•Exploitation
•Brute-Force
•Social Engineering
•Taking Control
•Pivoting
•Evidence
•Reporting
•Remediation

Penetration Testing:
•External testing
•Internal testing
•Blind testing - Limited info to the PT team
•Double-blind testing - No information to internal security team
•Targeted testing - Both internal and PT team aware.

Penetration Test:
•Reconnaissance
•Scanning
•Gaining Access
•Maintaining Access
•Covering Tracks

Penetration Testing:
•Performing basic reconnaissance to determine system function
•Network discovery scans to identify open ports
•Network vulnerability scans to identify unpatched vulnerabilities
•Web application vulnerability scans to identify web application flaws
•Use of exploit tools to automatically attempt to defeat the system security
•Manual probing and attack attempts

Firewall:
•1st generation: packet filtering firewalls
•2nd generation: application (proxy) firewalls
•3rd generation: stateful packet inspection firewalls
•4th generation: dynamic packet filtering
•5th generation: kernel proxy

Security Requirements:
•Risk assessments
•Governance frameworks
•Legal and regulatory frameworks
•End user requirements
•Best practices
•Internal standards and guidelines

Key management:
• Secure generation of keys
• Secure storage of keys
• Secure distribution of keys
• Secure destruction of keys

Artificial Intelligence (AI):
• Expert Systems
• Artificial Neural Networks
• Real Neural Networks
• Bayesian Filtering
• Genetic Algorithms and Programming

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE):
•Identifying assets and threats
•Identifying vulnerabilities and potential safeguards
•Conducting risk analysis.

Application Security Testing:
•SAST (Static Application Security Testing) - white-box testing; offline analysis of
the source code without running it
•DAST (Dynamic Application Security Testing) - black-box testing of the running
application
•RASP (Runtime Application Self-Protection) - protects the running application, for
example against DDoS and buffer overflows, using mitigations such as throttling

Threats to the DNS Infrastructure:
•Footprinting
•Denial-of-Service Attack
•Data modification
•Redirection
•Spoofing

Attacks (1):
•Passive Attacks – hard to detect because the attacker is not affecting the protocol.
Examples are eavesdropping, network sniffing, and capturing data as it passes; used
to gather data prior to an active attack.

•Active Attacks – Altering messages, modifying system files, and masquerading are
examples, because the attacker is actually doing something.

•Ciphertext-Only Attack - The attacker obtains the ciphertext of several messages,
each encrypted with the same encryption algorithm. The attacker's goal is to
discover the key. This is the most common attack because ciphertext is easy to
obtain, but it is the hardest attack to succeed at.

•Known-Plaintext Attack - The attacker has the ciphertext of several messages and
also the plaintext of those messages. The goal is to discover the key by
reverse-engineering and trial-and-error attempts.

•Chosen-Plaintext Attack - The attacker not only has access to the ciphertext and
associated plaintext for several messages, but also chooses the plaintext that gets
encrypted. More powerful than a known-plaintext attack because the attacker can
choose specific plaintext blocks to encrypt, ones that might yield more information
about the key.

•Chosen-Ciphertext Attack: The attacker can choose different ciphertexts to be
decrypted and has access to the decrypted plaintext. This is a harder attack to carry
out, and the attacker would need to have control of the system that contains the
cryptosystem.

•Adaptive Attacks: Each of the attacks above has a derivative with the word "adaptive" in
front of it. This means that an attacker can carry out one of these attacks and,
depending on what is gleaned from the first attack, modify the next attack.
This is the process of reverse-engineering or cryptanalysis attacks.

Attacks (2):
•Birthday attack: A cryptographic attack that exploits the mathematics behind the
birthday problem in probability theory to force collisions within hashing functions.

•Brute force attacks: Continually try different inputs to achieve a predefined goal.
Brute force is defined as "trying every possible combination until the correct one is
identified".

•Buffer overflow: Too much data is put into the buffers that make up a stack. A
common attack vector used to run malicious code on a target system.

•Cross-site scripting: Refers to an attack where a vulnerability found on a web site
allows an attacker to inject malicious code into a web application.

•Dictionary attacks: Files of thousands of words are compared to the user's
password until a match is found.

•DNS poisoning: The attacker makes a DNS server resolve a host name to an incorrect
IP address.

•Fraggle attack: A DDoS attack that floods the target system with a large amount of
UDP echo traffic sent to IP broadcast addresses.

•Pharming: Redirects a victim to a seemingly legitimate, yet fake, web site.

•Phishing: A type of social engineering with the goal of obtaining personal
information, credentials, credit card numbers, or financial data. The attackers lure, or
fish, for sensitive data through various methods.

•Mail Bombing: An attack used to overwhelm mail servers and clients with
unrequested e-mails. E-mail filtering and properly configured e-mail relay
functionality on mail servers can protect against this attack.

Attacks (3):
•Ping of Death: A DoS attack that involves sending malformed or oversized ICMP
packets to a target.

•Replay attack: A form of network attack in which a valid data transmission is
maliciously or fraudulently repeated with the goal of obtaining unauthorized
access.

•Replay Attack: An attacker captures the traffic from a legitimate session and
replays it to authenticate his own session.

•Session hijacking: If an attacker can correctly predict the TCP sequence numbers
that two systems will use, then she can create packets containing those numbers
and fool the receiving system into thinking that the packets are coming from the
authorized sending system. She can then take over the TCP connection between the
two systems.

•Side-channel attacks: Nonintrusive attacks used to uncover sensitive information
about how a component works, without trying to exploit any type of flaw or
weakness. A noninvasive attack is one in which the attacker watches how
something works and how it reacts in different situations instead of trying to
"invade" it with more intrusive measures. Examples of side-channel attacks are fault
generation, differential power analysis, electromagnetic analysis, timing, and
software attacks.

•Smurf attack: A DDoS attack that floods the target system with spoofed broadcast
ICMP packets.

•Social engineering: An attacker falsely convinces an individual that she has the
necessary authorization to access specific resources.

Attacks (4):
•Spoofing at Logon: An attacker uses a program that presents the user with a fake
logon screen, which often tricks the user into attempting to log on.

•SYN flood: A DoS attack where an attacker sends a succession of SYN packets with
the goal of overwhelming the victim system so that it is unresponsive to legitimate
traffic.

•TOC/TOU attack: The attacker manipulates the gap between the "condition check"
step and the "use" step within software to allow unauthorized activity.

•War dialing: A war dialer feeds a long list of phone numbers into a war-dialing
program in the hope of finding a modem to gain unauthorized access.

•Wormhole attack: Takes place when an attacker captures packets at one location in
the network and tunnels them to another location in the network for a second
attacker to use against a target system.

•Denial-of-Service (DoS) Attack: An attacker sends multiple service requests to the
victim's computer until they eventually overwhelm the system, causing it to freeze,
reboot, and ultimately not be able to carry out regular tasks.

•Man-in-the-Middle Attack: An intruder injects herself into an ongoing dialog
between two computers so she can intercept and read messages being passed back
and forth. These attacks can be countered with digital signatures and mutual
authentication techniques.

•Teardrop: This attack sends malformed fragmented packets to a victim. The
victim's system usually cannot reassemble the packets correctly and freezes as a
result. Countermeasures to this attack are to patch the system and use ingress
filtering to detect these packet types.

Power:
•Blackout: Generator
•Brownout: (UPS) Uninterruptible Power Supply
•Surge: Surge protector
•Spike: Surge protector
•Noise: Power conditioner
•Clean power: No solution is needed

SECURITY MODE:
•Dedicated security mode (All users can access all data).
•System high security mode (on a need-to-know basis, all users can access limited
data).
•Compartmented security mode (on a need-to-know basis, all users can access
limited data as per the formal access approval).
•Multilevel security mode (on a need-to-know basis, all users can access limited
data as per formal access approval and clearance).

Eight basic steps of data retention:
• Evaluate Statutory Requirements, Litigation obligations, and business needs
• Classify types of records
• Determine retention periods and destruction policies
• Draft and justify record retention policy
• Train staff
• Audit retention and destruction practices
• Periodically review policy
• Document policy, implementation, training and audits

Common vulnerabilities and threats of
security architecture:
• Poor memory management
• Covert channels (storage and timing)
• Insufficient system redundancy
• Poor access control
• Hardware failure
• Misuse of privileges
• Buffer overflows
• Memory attacks
• DoS
• Reverse engineering
• Hacking
• Emanations
• State attacks (race conditions)

Mobile devices are prime vectors for data loss; controls:
• Secure communications
• Antimalware
• Strong authentication
• Passwords
• Control 3rd party software
• Separate secure mobile gateways
• Lockdown, audits
• Penetration tests
• Mobile security policy

Hashing:
• MD5 Message Digest Algorithm - 128-bit digest
• SHA-1 - 160-bit digest
• HAVAL
• RIPEMD-160
• Birthday attacks possible

Symmetric Algorithms:
• Data Encryption Standard (DES)
• 3DES (Triple DES)
• Blowfish
• Twofish
• International Data Encryption Algorithm (IDEA)
• RC4, RC5, and RC6
• Advanced Encryption Standard (AES)
• Secure and Fast Encryption Routine (SAFER)
• Serpent
• CAST

Asymmetric Algorithms:
• RSA - factoring the product of two large prime numbers
• Diffie-Hellman Algorithm - key exchange
• ElGamal - discrete logarithms

Methods of Cryptanalytic Attacks:
•Ciphertext-Only Attack (only ciphertext available)
•Known Plaintext (both plaintext and ciphertext available)
•Chosen Plaintext (known algorithm; adaptive variant where the plaintext can be changed)
•Chosen Ciphertext (known algorithm; adaptive variant where the ciphertext can be changed)

Concepts:
•Need-to-Know (access only to what's needed to perform task/job).

•Separation of Duties (one person cannot execute all steps of critical processes or
engage in malicious activity without collusion).

•Monitor special privileges (audit logs for system operators / administrators / data
center employees ensure privileged users cannot circumvent security policy; they should
not have access to their own logged activity; conduct background investigations).

•Job rotation (reduces collusion).

•Information lifecycle (creation, use, destruction of data; the information/data owner
helps safeguard data by classifying it and determining its criticality and sensitivity).

Black/White List:
•Blacklist is an explicit deny
•Whitelist is an implicit deny
•Blacklist = "If you are on the list then you are not allowed in."
•Whitelist = "If you are NOT on the list then you are not allowed in."

RAID:
•RAID 0 - Striped
•RAID 1 - Mirrored
•RAID 2 - Hamming Code requiring either 14 or 39 disks
•RAID 3 - Striped Set with Dedicated Parity (Byte Level)
•RAID 4 - Striped Set with Dedicated Parity (Block Level)
•RAID 5 - Striped Set with Distributed Parity - one drive down, still working
•RAID 6 - Striped Set with Dual Distributed Parity - two drives down, still working
•RAID 1+0 - striped set of mirrored disks

Wireless Attack:
•Rogue AP
•Interference
•Jamming
•Evil Twin
•War Driving
•War Chalking
•IV attack
•WEP/WPA attacks

Secure configuration of hardware, best practice for servers:
•Secure build
•Secure initial configuration
•Host hardening - remove all non-needed
•Host patching
•Host lock-down
•Secure ongoing configuration maintenance

RFID Attacks:
•RFID Counterfeiting
•RFID Sniffing
•Tracking
•Denial of Service
•Spoofing
•Repudiation
•Insert Attacks
•Replay Attacks
•Physical Attacks
•Viruses

RFID attacks:
•Eavesdropping/Skimming: Radio signals transmitted from the tag and the reader
can be detected several meters away by other radio receivers. If legitimate
transmissions are not properly protected, an individual with their own RFID reader
may interrogate tags and eavesdrop on tag contents.

•Traffic Analysis: Even if tag data is protected, it is possible to use traffic analysis
tools to track predictable tag responses over time. Correlating and analyzing the
data could build a picture of movement, social interactions, and financial
transactions. Abuse of traffic analysis would have a direct impact on privacy.

•Spoofing: Based on the data collected from eavesdropping or traffic analysis, it is
possible to perform tag spoofing. Software permits intruders to overwrite
existing RFID tag data with spoofed data. By spoofing valid tags, the intruder could
fool an RFID system and change the identity of tags to gain an unauthorized or
undetected advantage.

•Denial of Service Attack/Distributed Denial of Service Attack: A DoS on RFID
infrastructure could happen if a large batch of tags has been corrupted. An attacker
could use an illegal high-power radio frequency (RF) transmitter in an attempt to
jam the frequencies used by the RFID system, bringing the whole system to a halt.

•RFID Reader Integrity: In some cases, RFID readers are installed in locations
without adequate physical protection. Intruders may set up hidden readers of a
similar nature nearby to gain access to the information being transmitted by the
readers or even compromise the readers themselves, thus affecting their integrity.

•Personal Privacy: RFID tags can be read without their owner's consent if those tags
come within the proximity of an RFID reader, which raises the concern of identity theft.

Positive/Negative Test:
•Positive Test - Work as expected (Output as per given input - goes as per plan)
•Negative Test - Even unexpected inputs are handled gracefully with tools like
Exception Handlers

OWASP threat risk modeling process steps:
•Identify Security Objectives
•Survey the Application
•Decompose it
•Identify Threats
•Identify Vulnerabilities

Logical Security:
•Fail Open/Soft (availability is preserved, but data may not be secure)
•Fail Secure/Closed (data is secure, but availability is not preserved)

Physical Security:
•Fail Safe/Open (systems are shut down / entrances unlocked - humans are safe)
•Fail Secure/Closed (entrances are locked)
•Failover is a fault tolerance (redundancy) concept. If you have two redundant NICs,
a primary and a backup, and the primary fails, the backup is used.

ACID model:
•ATOMICITY: Divides a transaction into units of work and ensures that either all of
them take effect or none does; either the changes are committed or the changes are
rolled back.
•CONSISTENCY: A transaction must follow the integrity policy/rules developed for that
particular database and ensure that all data is consistent across different databases.
•ISOLATION: The isolation principle requires that transactions operate separately
from each other; if the DB receives two SQL transactions that modify the same data,
then one transaction is allowed to modify the data entirely before the other is allowed to.
•DURABILITY: Once the transaction is verified as accurate on all the systems, it is
committed and the databases cannot be rolled back; database transactions must be
durable, meaning that once they are committed they must be preserved. Databases ensure
durability through the use of a backup mechanism, such as transaction logs.

Cohesion (coHesion: H stands for HIGH)
How many different types of tasks a module can carry out; an object should perform
similar functions, NOT separate functions. High cohesion is better for security as the
object is less dependent on other functions.

Coupling (coupLing: L stands for LOW)
The level of interaction between objects needed to carry out their tasks. Lower (loosely
coupled) coupling means better design as objects are self-dependent, and it is easier to
troubleshoot and update. High (tight) coupling is not good design as an object is
dependent on other objects to perform its tasks. Low coupling is better for security
as the object interacts less with other functions or objects.

TERMS/OTHERS:
• OWASP – Open Web Application Security Project (Top 10)
• CVE – Common Vulnerabilities and Exposures
• CWE – Common Weakness Enumeration (listing)
• NVD – National Vulnerability Database
• US-CERT – Computer Emergency Response Team (vulnerability database)
• COBIT – a framework of control objectives that allows for IT governance
• Standards – mandatory activities, actions, or rules
• Baseline – may be used to refer to a minimum level of protection
• Guidelines – recommended actions and operational guides for users
• Procedures – detailed step-by-step tasks that should be performed
• Best Practices – following the behaviors of similarly situated competitors
• Vulnerability assessments identify weaknesses
• Penetration testing exploits weaknesses
• A vulnerability is a weakness in a system that allows a threat source to compromise
its security.
• A threat is the possibility that someone or something would exploit a vulnerability,
either intentionally or accidentally, and cause harm to an asset.
• A risk is the probability of a threat agent exploiting a vulnerability and the loss
potential from that action.
• A countermeasure, also called a safeguard or control, mitigates the risk.
• A control can be administrative, technical, or physical and can provide deterrent,
preventive, detective, corrective, or recovery protection.
• Message: A communication to, or input of, an object.
• Method: The internal code that defines the action an object performs in response
to a message.
• Inheritance: Occurs when methods from a class (parent or superclass) are
inherited by a subclass (child).
• Delegation: The forwarding of a request by an object to another object (the
delegate) because the first object does not have a method to handle the message.
• Polymorphism: The characteristic of an object that allows it to respond with
different behaviors to the same message or method because of changes in external
conditions.
