2022 ITM Short Course - Week 4

The document summarizes key topics for CISSP exam preparation, including the eight domains and recommended study materials. It provides an overview of security assessment and testing topics such as vulnerability assessments, penetration testing, and software development security best practices. Example assessment methods, frameworks, and the OWASP Top 10 vulnerabilities are outlined. Security operations concepts such as incident response plans, security operations centers, and cloud computing models are also briefly discussed.


CISSP Study Session

Attention Attendees:
Remember to type your messages to all panellists and attendees
CISSP domains
• Domain 1 – Security and Risk Management
• Domain 2 – Asset Security
• Domain 3 – Security Architecture and Engineering
• Domain 4 – Communication and Network Security
• Domain 5 – Identity and Access Management (IAM)
• Domain 6 – Security Assessment and Testing
• Domain 7 – Security Operations
• Domain 8 – Software Development Security
Recommended Text
(ISC)2 CISSP Certified Information Systems Security
Professional Official Study Guide, 9th Edition
Mike Chapple, James Michael Stewart, Darril Gibson

Official Wiley Link


Domain 6 – Security Assessment & Testing
Security Testing
• Verifies that a control is functioning
• Automated scans
• Penetration tests (manual/tool-assisted)
• Considered point-in-time
• Should be ongoing, based on various factors
• NIST SP 800-53A – best practices for security and privacy assessments
Security Auditing
• Internal
• External
• Third Party
• AICPA SOC Audits
• SOC1
• SOC2 (Type I/II/III)
• SOC3
Vulnerability Assessments
• Security Content Automation Protocol (SCAP)
• Common Vulnerabilities and Exposures (CVE)
• Common Vulnerability Scoring System (CVSS)
• Common Configuration Enumeration (CCE)
• Common Platform Enumeration (CPE)
• Extensible Configuration Checklist Description Format (XCCDF)
• Open Vulnerability and Assessment Language (OVAL)
• Periodic vulnerability scans
Network Discovery Scanning
• TCP SYN Scanning
• TCP Connect Scanning
• TCP ACK Scanning
• UDP Scanning
• Xmas Scanning
• Port state – Open/Closed/Filtered
Penetration Testing
• Process according to NIST
• Planning
• Information gathering and discovery
• Attack
• Reporting
• Common Frameworks
• Cyber Killchain (Lockheed Martin)
• MITRE ATT&CK Framework
• Types
• White-box
• Grey-box
• Black-box
Software Development
• Secure Coding
• Code Review
• OWASP Top 10
• Injection
• Broken Authentication
• Sensitive Data Exposure
• XML External Entities
• Broken Access Control
• Security Misconfiguration
• Cross Site Scripting (XSS)
• Insecure Deserialization
• Using Components with Known Vulnerabilities
• Insufficient Logging/Monitoring
Domain 7 – Security Operations
Security Operations
• Need-to-know
• Least-privilege / privileged accounts
• Separation of duties
• Job rotation
• Mandatory Vacations
• Service Level Agreements
• Patch management
• Managed Security Services
• Security Operations Centre (SOC)
• Change Management
Media Security
• Media management
• Media protection
Personnel Security
• Travel
• Security awareness training and education
Managed Services
• SaaS/IaaS/PaaS/etc.
• Service Level Agreements (SLAs)
• Agreements

Chapple et al, 2021, p780


Cloud
• Public Cloud
• Private Cloud
• Hybrid Cloud
• Community Cloud
• Scalability & Elasticity

Chapple et al, 2021, p780


Incident Management
• Incident Response Plans
• Playbooks
• Forensic Evidence
• Chain of Custody
Domain 8 – Software Development Security
Development Lifecycles
• Waterfall
• Agile
• Spiral
Maturity Models
• CMM
• CMMI
• IDEAL
Capability Maturity Model
• Level 1 – Initial
• Level 2 – Repeatable
• Level 3 – Defined
• Level 4 – Managed
• Level 5 – Optimised

Chapple et al, 2021, p780


Security Testing
• Same ‘white/grey/black’ box
• APIs
• OWASP Top 10
• Code repositories
• Libraries and third-party applications
Readings
• CISSP Official Study Guide (Ninth Edition) – Chapters 15-21.

Questions?
About Me
Dr. Georg Thomas
Senior Manager, Deloitte Australia
20+ years industry experience
DInfoTech, MMgmt(InfoTech), BInfoTech(SysAdmin)
CCISO, CDPSE, CISM, CISSP, ISO27001 Lead Implementer, GRCP, MACS Snr. CP (Cyber Security), MCSE
ACS Profession Advisory Board Member
linkedin.com/in/georgthomas
@georgathomas
scholar.google.com/citations?user=z72s_9MAAAAJ
References
• Chapple, M., Stewart, J. M., & Gibson, D. (2021). (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition. Wiley.
• OWASP Top 10. https://owasp.org/www-project-top-ten/