Cissp - Domain 7 Handout


INTRODUCTION: CISSP EXAM DOMAINS

1. Security and Risk Management 15%
2. Asset Security 10%
3. Security Architecture and Engineering 13%
4. Communication and Network Security 14%
5. Identity and Access Management 13%
6. Security Assessment and Testing 12%
7. Security Operations 13% (this video)
8. Software Development Security 10%

DOMAIN 7
SECURITY OPERATIONS

CISSP EXAM CRAM


1-HOUR SHORT COURSE
DOMAIN 7: SECURITY OPERATIONS

7.1 Understand and support investigations
7.2 Understand requirements for investigation types
7.3 Conduct logging and monitoring activities
7.4 Securely provisioning resources
7.5 Understand and apply foundational security operations concepts
7.6 Apply resource protection techniques
7.7 Conduct incident management
7.8 Operate and maintain detective and preventative measures
7.9 Implement and support patch and vulnerability management
7.10 Understand and participate in change management processes
7.11 Implement recovery strategies
7.12 Implement Disaster Recovery (DR) processes
7.13 Test Disaster Recovery Plans (DRP)
7.14 Participate in Business Continuity (BC) planning and exercises
7.15 Implement and manage physical security
7.16 Address personnel safety and security concerns

LIMITING ACCESS & damage
Need-to-know and the principle of least privilege are two standard IT security principles implemented in secure networks.
They limit access to data and systems so that users and other subjects have access only to what they require.
They help prevent security incidents.
They help limit the scope of incidents when they occur.
When these principles are not followed, security incidents result in far greater damage to an organization.

preventing fraud and collusion
Collusion is an agreement among multiple persons to perform some unauthorized or illegal actions.

Separation of duties
a basic security principle that ensures that no single person can control all the elements of a critical function or system.
Job rotation
employees are rotated into different jobs, or tasks are assigned to different employees.

Implementing these policies helps prevent fraud by limiting the actions individuals can take without colluding with others.

monitoring privileged operations
Privileged entities are trusted, but they can abuse their privileges.
It’s important to monitor all assignment of privileges and the use of privileged operations.

Goal
to ensure that trusted employees do not abuse the special privileges they are granted.

Monitoring these operations can also detect many attacks, because attackers commonly use special privileges.

The Information Lifecycle
Creation -> Classification -> Storage -> Usage -> Archive -> Destruction

Creation
Can be created by users: a user creates a file.
Can be created by systems: a system logs access.
Classification
To ensure it’s handled properly, it’s important to ensure data is classified as soon as possible.
Storage
Data should be protected by adequate security controls based on its classification.
Usage
refers to anytime data is in use or in transit over a network.
Archive
archival is sometimes needed to comply with laws or regulations requiring the retention of data.
Destruction
When data is no longer needed, it should be destroyed in such a way that it is not readable.

DOMAIN 7: SECURITY OPERATIONS
Service level agreements (SLAs)
Stipulate performance expectations such as maximum downtimes and often include penalties if the vendor doesn’t meet expectations.
Generally used with vendors.

DOMAIN 7: SECURITY OPERATIONS
Secure provisioning of resources includes ensuring that resources are deployed in a secure manner and maintained in a secure manner throughout their lifecycles.
example: deploy a PC from a secure image

Virtual assets
Virtual assets include:
— virtual machines (VM) and virtual desktop infrastructure (VDI): compute
— software-defined networks (SDN): network
— virtual storage area networks (SAN): storage

Hypervisors are the primary component that manages virtual assets, but also provide attackers with an additional target.
Both hypervisors and VMs need to be patched.

Security issues with cloud-based assets
Storing data in the cloud increases the risk, so steps may be necessary to protect the data, depending on its value.
When leasing cloud-based services, you should know who is responsible for maintenance and security: the “shared responsibility model”.
The cloud service provider (CSP) provides the least amount of maintenance and security in the IaaS model.

shared responsibility model

Layers of the stack (top to bottom): Applications, Data, Runtime, Middleware, OS, Virtualization, Servers, Storage, Networking
Deployment models compared: On-premises (100% YOURS), IaaS, PaaS, SaaS
Legend: each layer is marked as either Responsible: CSP or Responsible: Customer. On-premises every layer is the customer’s; the CSP takes on more of the stack moving from IaaS to PaaS to SaaS.


DOMAIN 7: CONFIGURATION & CHANGE MANAGEMENT
Can prevent incidents and outages.

Configuration Management
ensures that systems are configured similarly, and configurations are known and documented.
Baselining ensures that systems are deployed with a common baseline or starting point, and imaging is a common baselining method.
Change Management
helps reduce outages or weakened security from unauthorized changes.
Versioning uses a labeling or numbering system to track changes in updated versions of software.
Change management requires changes to be requested, approved, tested, and documented.
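The two rules above (separation of duties from the fraud and collusion slide, and the requested/approved/tested/documented steps of change management) can be checked mechanically against change records. The following is an added example, not code from the handout or from (ISC)²; the ChangeRequest type, the step names and the sample change records are assumptions constructed for the example.

```python
"""Change-management record check with separation of duties.

Added example, not from the handout: it enforces two of the handout's rules
together. Every change must pass through the four steps named in the handout
(requested, approved, tested, documented), and no single person may control all
of them. The ChangeRequest type, the step names and the sample records are
assumptions constructed for this example.
"""
from dataclasses import dataclass, field

REQUIRED_STEPS = ("requested", "approved", "tested", "documented")


@dataclass
class ChangeRequest:
    change_id: str
    description: str
    # step name -> name of the person who performed that step (constructed)
    steps: dict = field(default_factory=dict)


def validate_change(change: ChangeRequest) -> list:
    """Return a list of findings; an empty list means the record is compliant."""
    findings = []

    # Rule 1: change management requires the change to be requested,
    # approved, tested and documented, each by an identifiable person.
    for step in REQUIRED_STEPS:
        if not change.steps.get(step):
            findings.append(f"{change.change_id}: missing step '{step}'")

    # Rule 2: separation of duties. The requester may not approve the change,
    # and the approver may not be the one who tested it.
    requester = change.steps.get("requested")
    approver = change.steps.get("approved")
    tester = change.steps.get("tested")
    if requester and approver and requester == approver:
        findings.append(
            f"{change.change_id}: requester '{requester}' approved their own change"
        )
    if approver and tester and approver == tester:
        findings.append(
            f"{change.change_id}: approver '{approver}' also performed the testing"
        )

    # Rule 3: no single person controls every element of the change.
    actors = {who for who in change.steps.values() if who}
    if change.steps and len(actors) == 1:
        findings.append(
            f"{change.change_id}: every step performed by '{actors.pop()}' alone"
        )
    return findings


def audit_changes(changes) -> dict:
    """Review a batch of change records, as a security audit of the change
    management process would; returns {change_id: [findings]} for
    non-compliant records only."""
    report = {}
    for change in changes:
        findings = validate_change(change)
        if findings:
            report[change.change_id] = findings
    return report


# Constructed sample records.
SAMPLE_CHANGES = [
    ChangeRequest("CHG-1001", "rotate web server TLS certificate",
                  {"requested": "alice", "approved": "bob",
                   "tested": "carol", "documented": "alice"}),
    ChangeRequest("CHG-1002", "open inbound port on perimeter firewall",
                  {"requested": "dave", "approved": "dave", "tested": "dave"}),
    ChangeRequest("CHG-1003", "apply kernel patch to db-01",
                  {"requested": "erin", "approved": "frank",
                   "tested": "frank", "documented": "erin"}),
]

if __name__ == "__main__":
    for change_id, findings in audit_changes(SAMPLE_CHANGES).items():
        print(change_id)
        for finding in findings:
            print("  -", finding)
```

Running it reports CHG-1002 (one person did everything and the documentation step is missing) and CHG-1003 (the approver also tested), while CHG-1001 passes. Which pairs of steps must be held by different people is a policy decision; the example encodes requester/approver and approver/tester because those are the pairs that let one person push an unreviewed change into production.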
PATCH MANAGEMENT
ensures that systems are kept up-to-date with current patches.
will evaluate, test, approve, and deploy patches.
system audits verify the deployment of approved patches to systems.
aka “update management”; intertwined with change and configuration management to ensure that documentation reflects changes.

Orgs without patch management will experience outages from known issues that could have been prevented.

patch management lifecycle
- Scan networks
- Identify vulnerable systems
- Download and deploy patches
- Generate status reports
- Update vulnerability details from vendors


vulnerability management
includes routine vulnerability scans and periodic vulnerability assessments.
Vulnerability scans can detect known security vulnerabilities and weaknesses, such as the absence of patches or weak passwords.
Vulnerability assessments extend beyond just technical scans and can include reviews and audits to detect vulnerabilities.
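The patch management lifecycle above (scan, identify vulnerable systems, deploy, report, update vendor details) is easier to reason about with a small working model. The following is an added example, not code from the handout or from any vendor: the host names, package names, version numbers and "ADV-EXAMPLE" advisory ids are constructed placeholders, and the version comparison assumes plain dotted numeric versions.

```python
"""Patch-status check against vendor advisories.

Added example, not from the handout. It runs the handout's patch-management
cycle on constructed data: an inventory of systems with installed package
versions (the "scan"), a list of vendor advisories naming the fixed version
(the "vendor details"), a step that identifies vulnerable systems, a simulated
deployment, and a status report. All host names, package names, versions and
advisory ids are constructed placeholders, not real products or advisories.
"""
from collections import Counter


def parse_version(version: str) -> tuple:
    """'2.4.56' -> (2, 4, 56); tuple comparison then orders versions."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """A system is vulnerable when its installed version predates the fix."""
    return parse_version(installed) < parse_version(fixed_in)


# Constructed inventory: host -> {package: installed version}
INVENTORY = {
    "web-01": {"webserver": "2.4.50", "tlslib": "1.1.1"},
    "web-02": {"webserver": "2.4.56", "tlslib": "1.1.1"},
    "db-01": {"dbengine": "14.2"},
}

# Constructed vendor advisories (placeholder ids, not real CVEs).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "package": "webserver", "fixed_in": "2.4.56", "severity": "high"},
    {"id": "ADV-EXAMPLE-002", "package": "dbengine", "fixed_in": "14.5", "severity": "medium"},
    {"id": "ADV-EXAMPLE-003", "package": "tlslib", "fixed_in": "1.1.1", "severity": "critical"},
]


def identify_vulnerable(inventory, advisories) -> list:
    """Lifecycle step 'identify vulnerable systems': match each advisory
    against every host's installed version."""
    findings = []
    for host, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv["package"])
            if installed is None:
                continue  # package absent on this host, advisory does not apply
            if is_vulnerable(installed, adv["fixed_in"]):
                findings.append({
                    "host": host, "package": adv["package"], "installed": installed,
                    "fixed_in": adv["fixed_in"], "advisory": adv["id"],
                    "severity": adv["severity"],
                })
    return findings


def deploy_patch(inventory, host, package, version) -> None:
    """Lifecycle step 'deploy patches': record the new version so the next
    scan verifies the deployment, the audit the handout mentions."""
    inventory[host][package] = version


def status_report(findings, inventory) -> dict:
    """Lifecycle step 'generate status reports': summarise outstanding patches."""
    hosts_needing = {f["host"] for f in findings}
    return {
        "total_hosts": len(inventory),
        "hosts_needing_patches": len(hosts_needing),
        "by_severity": dict(Counter(f["severity"] for f in findings)),
        "outstanding": sorted((f["host"], f["advisory"]) for f in findings),
    }


if __name__ == "__main__":
    before = identify_vulnerable(INVENTORY, ADVISORIES)
    print("before:", status_report(before, INVENTORY))
    deploy_patch(INVENTORY, "web-01", "webserver", "2.4.56")
    after = identify_vulnerable(INVENTORY, ADVISORIES)
    print("after:", status_report(after, INVENTORY))
```

The third advisory illustrates a check that is easy to get wrong: a host already on the fixed version is not reported, so the comparison must be strictly "older than", not "not equal to". Real package managers use richer version schemes (epochs, release suffixes), which this placeholder parser does not handle.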
DOMAIN 7: INCIDENT RESPONSE STEPS
The CISSP lists incident response steps as:
— detection
— response: limit or contain the scope
— mitigation
— reporting
— recovery
— remediation
— lessons learned: include root cause analysis


DOMAIN 7: DENIAL-OF-SERVICE ATTACKS
prevent a system from responding to legitimate requests for service.
newer attacks are often variations on older methods.

SYN flood attack
disrupts the TCP three-way handshake.
Smurf attack
employs an amplification network to send numerous response packets to a victim.
Ping-of-death attack
sends numerous oversized ping packets to the victim, causing the victim to freeze, crash, or reboot.
DOMAIN 7: BOTNETS, CONTROLLERS, AND BOT HERDERS
represent significant threats due to the massive number of computers that can launch attacks.

Botnet
a collection of compromised computing devices (often called bots or zombies).
Bot Herder
criminal who uses a command-and-control server to remotely control the zombies.
often uses the botnet to launch attacks on other systems, or to send spam or phishing emails.
honeypot, padded cell, pseudo flaws
lures and distracts attackers.
a system that often has pseudo flaws and fake data to lure intruders.
as long as attackers are in the honeypot, they are not in the live network, and admins can observe.
Some IDSs have the ability to transfer attackers into a padded cell after detection.
blocking malicious code
multiple approaches, generally used together

Anti-malware software
with up-to-date definitions installed on each system, at the
boundary of the network, and on email servers.
Policies
enforce basic security principles, like principle of least privilege,
prevent regular users from installing potentially malicious
software.
Education
educating users about the risks and the methods attackers
commonly use to spread viruses helps users understand and
avoid dangerous behaviors.
penetration tests
start by discovering vulnerabilities and then mimicking an attack to identify what vulnerabilities can be exploited.
should not be done without express consent and knowledge from management.
can result in damage, so should be done on isolated systems whenever possible.

three varieties:
— black-box testing (zero knowledge)
— white-box testing (full knowledge)
— gray-box testing (partial knowledge)
ids vs ips response
IDS (reactive)
can respond passively by logging and sending notifications, or actively by changing the environment.
IPS (proactive)
is placed in line with the traffic and includes the ability to block malicious traffic before it reaches the target.
flavors of intrusion detection systems
host-based IDS
can monitor activity on a single system only.
A drawback is that attackers can discover host-based IDS and disable them.
network-based IDS
can monitor activity on a network, and a NIDS isn’t as visible to attackers.
espionage & sabotage
espionage
when a competitor tries to steal information, and they may use an external or internal employee.
sabotage (insider)
malicious insiders can perform sabotage against an org if they become disgruntled for some reason.
DOMAIN 7: ZERO-DAY EXPLOITS
an attack that uses a vulnerability that is either unknown to anyone but the attacker or known only to a limited group of people.
basic security practices can often prevent!
log files
data is recorded in databases and different types of log files.
common log files include security logs, system logs, application logs, firewall logs, proxy logs.
should be protected by centrally storing them and using permissions to restrict access.
archived logs should be set to read-only to prevent modifications.
monitoring
a form of auditing that focuses on active review of the log file data.
used to hold subjects accountable for their actions.
also used to monitor system performance.
tools such as IDSs or SIEMs automate monitoring and provide real-time analysis of events.
the value of audit trails
records created by recording information about events and occurrences into one or more databases or log files.
used to reconstruct an event, to extract information about an incident, and to prove or disprove culpability.
a passive form of detective security control.
Audit trails are essential evidence in the prosecution of criminals.
sampling
the process of extracting elements from a large body of data to construct a meaningful representation or summary of the whole.
Statistical sampling uses precise mathematical functions to extract meaningful information from a large volume of data.
Clipping levels are a form of nonstatistical sampling that records only events that exceed a threshold.
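A clipping level is the easiest of these ideas to see in running code. The following is an added example, not from the handout: it parses a handful of constructed authentication log lines, counts failed logons per user inside a sliding window, and reports only the users who exceed the threshold. The syslog-like line format, the threshold of 3 and the 10-minute window are assumptions chosen for the example.

```python
"""Clipping-level review of authentication log lines.

Added example, not from the handout. It applies the handout's 'clipping level'
idea (nonstatistical sampling that records only events exceeding a threshold)
to constructed authentication log lines, and also flags the event a monitoring
analyst cares about most: a successful logon that follows a burst of failures.
The syslog-like line format, the threshold and the window are assumptions made
for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = """\
2024-05-01T09:00:01 auth sshd: Failed password for alice from 10.0.0.5
2024-05-01T09:00:04 auth sshd: Failed password for alice from 10.0.0.5
2024-05-01T09:00:06 auth sshd: Failed password for alice from 10.0.0.5
2024-05-01T09:00:09 auth sshd: Failed password for alice from 10.0.0.5
2024-05-01T09:00:11 auth sshd: Accepted password for alice from 10.0.0.5
2024-05-01T09:15:30 auth sshd: Failed password for bob from 10.0.0.9
2024-05-01T09:40:00 auth sshd: Failed password for bob from 10.0.0.9
2024-05-01T10:02:00 auth sshd: Failed password for bob from 10.0.0.9
2024-05-01T10:02:10 auth sshd: Failed password for bob from 10.0.0.9
2024-05-01T10:05:00 auth sshd: Failed password for root from 203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_events(text: str) -> list:
    """Turn raw lines into event dicts; lines that do not match are dropped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            events.append({
                "ts": datetime.fromisoformat(match["ts"]),
                "result": match["result"],
                "user": match["user"],
                "src": match["src"],
            })
    return events


def clipping_level_alerts(events, threshold=3, window=timedelta(minutes=10)) -> dict:
    """Return {user: peak_failures} only for users whose failed logons exceed
    the threshold inside any sliding window; everything below the clipping
    level is deliberately not reported, which is the point of the technique."""
    failures = defaultdict(list)
    for event in events:
        if event["result"] == "Failed":
            failures[event["user"]].append(event["ts"])

    alerts = {}
    for user, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # shrink the window from the left
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts[user] = peak
    return alerts


def success_after_burst(events, threshold=3, window=timedelta(minutes=10)) -> list:
    """Users whose clipping-level alert was followed by an accepted logon
    inside the same window: a likely guessed password, worth an analyst's look."""
    flagged = set(clipping_level_alerts(events, threshold, window))
    hits = []
    for event in events:
        if event["result"] == "Accepted" and event["user"] in flagged:
            recent_failures = [
                e for e in events
                if e["user"] == event["user"] and e["result"] == "Failed"
                and timedelta(0) <= event["ts"] - e["ts"] <= window
            ]
            if len(recent_failures) > threshold:
                hits.append((event["user"], event["src"], event["ts"].isoformat()))
    return hits


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("clipping-level alerts:", clipping_level_alerts(events))
    print("success after burst:", success_after_burst(events))
```

With the constructed data, alice (four failures in eight seconds, then success) is reported and bob (four failures spread over 47 minutes) is not, which is exactly the trade-off a clipping level makes: it keeps the review focused, at the cost of missing slow, patient activity unless the window is widened.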
maintaining accountability
Accountability is maintained for individual subjects using auditing.
logs record user activities and users can be held accountable for their logged actions.
directly promotes good user behavior and compliance with the organization’s security policy.
security audits and reviews
help ensure that management programs are effective and being followed.
commonly associated with account management practices to prevent violations of least privilege or need-to-know principles.
can also be performed to oversee many programs and processes:
— patch management
— vulnerability management
— change management
— configuration management
frequency of IT security audits
an audit is a methodical examination of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes.
serves as a primary type of detective control.
frequency is based on risk; the degree of risk also affects how often an audit is performed.
Secure IT environments rely heavily on auditing, and many regulations require it.
DOMAIN 7: CONCEPT OF DUE CARE
Security audits and effectiveness reviews are key elements in displaying due care. Without them, senior management will likely be held accountable and liable for any asset losses that occur.
act with common sense, prudent management, responsible action
Controlling access to audit reports
Audit reports often contain sensitive information.
often include purpose and scope of the audit, and results discovered or revealed.
can include sensitive information such as problems, standards, causes, and recommendations.
Only people with sufficient privilege should have access.

FOR EXAMPLE:
senior security administrators = full detail
senior management = high-level summary
User entitlements & access reviews
User entitlement reviews ensure that object access and account management practices support the security policy.
Access reviews ensure that the principle of least privilege is followed and often focus on privileged accounts.
audit access controls
effectiveness of access controls should be reviewed / audited regularly.
can track logon success and failure of any account.
can include resource (object) access and actions performed on resources.
intrusion detection systems can monitor these logs and easily identify attacks and notify administrators.
often automated, auto-reporting, and supported by AI.

DOMAIN 7: SECURITY OPERATIONS
Computer crime
a crime (or violation of a law or regulation) that is directed against, or directly involves, a computer.
Categories of computer crime
Computer crimes are classified as one of the following 6 types (the slide’s graphic: “six degrees of Kevin Bacon”, six categories of computer crime):
- Military and intelligence attacks
- Business attacks
- Financial attacks
- Terrorist attacks
- Grudge attacks
- Thrill attacks
electronic discovery
Organizations expecting a lawsuit have a duty to preserve digital evidence in a process called eDiscovery.
eDiscovery process includes:
- information identification and governance
- preservation and collection
- processing, review, analysis
- production, and presentation
often uses tagging, classification, and targeting of a specific custodian.

DOMAIN 7: GATHERING INFO IN INVESTIGATIONS
To gather sufficient information from the equipment, software, and data requires:

Possession
You must have possession of equipment, software, or data to analyze it and use it as evidence.

Modification
You must acquire the evidence without modifying it or allowing anyone else to modify it.

Law enforcement establishes chain of evidence (aka chain of custody) to document all who handle it.
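The "acquire without modifying it" requirement and the chain of custody are usually implemented together: hash the evidence at acquisition, verify every working copy against that hash, and log each hand-off. The following is an added example, not code from the handout or from any forensic tool; the evidence bytes, the item id and the handler names are constructed sample values.

```python
"""Evidence integrity and a chain-of-custody record.

Added example, not from the handout. It demonstrates the 'acquire without
modifying' requirement: hash the evidence at the moment it is taken into
possession, hash every working copy, and reject a copy whose hash differs.
Each handling event is appended to a chain-of-custody list. The evidence
bytes, item ids and handler names are constructed sample values.
"""
import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EvidenceItem:
    """One item of digital evidence with its acquisition hash and custody log."""

    def __init__(self, item_id: str, data: bytes, collected_by: str, when=None):
        self.item_id = item_id
        # The acquisition hash is the reference every later copy is checked against.
        self.acquisition_hash = sha256_hex(data)
        self.custody = []  # list of (timestamp, handler, action, hash)
        self.record(collected_by, "collected", self.acquisition_hash, when)

    def record(self, handler, action, digest, when=None):
        when = when or datetime.now(timezone.utc)
        self.custody.append((when.isoformat(), handler, action, digest))

    def verify_copy(self, copy_bytes: bytes, handler: str, when=None) -> bool:
        """Analysts work on copies; a copy is usable only if its hash matches
        the acquisition hash. A mismatch is recorded, never silently discarded."""
        digest = sha256_hex(copy_bytes)
        ok = digest == self.acquisition_hash
        action = "copy verified" if ok else "copy REJECTED (hash mismatch)"
        self.record(handler, action, digest, when)
        return ok

    def transfer(self, from_handler, to_handler, when=None):
        """Document every hand-off so the chain of custody stays unbroken."""
        self.record(to_handler, f"received from {from_handler}",
                    self.acquisition_hash, when)

    def custody_report(self) -> list:
        return [f"{ts} | {handler} | {action} | sha256={digest[:12]}..."
                for ts, handler, action, digest in self.custody]


if __name__ == "__main__":
    image = b"constructed disk image bytes, not real evidence"
    item = EvidenceItem("EV-0001", image, "analyst-a")
    item.transfer("analyst-a", "analyst-b")
    print("good copy ok:", item.verify_copy(bytes(image), "analyst-b"))
    print("tampered copy ok:", item.verify_copy(image + b"\x00", "analyst-b"))
    print("\n".join(item.custody_report()))
```

The custody list is append-only by construction; in practice the log itself would be stored outside the analyst's control (a signed record or a write-once store), because a custody log that the handler can edit proves nothing.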
alternatives to confiscating evidence
Voluntary surrender
the person who owns the evidence could voluntarily surrender it for investigation.
Subpoena
could be used to compel the subject to surrender the evidence.
Search warrant
most useful when you need to confiscate evidence without giving the subject an opportunity to alter it.
DOMAIN 7: RETAINING INVESTIGATORY DATA
Because you will discover some incidents after they have occurred…
You will lose valuable evidence unless you ensure that critical log files are retained for a reasonable period of time.
You can retain log files and system status information either in-place or in archives.
data retention should be defined in security policies.

evidence
Best. Original.
Secondary evidence. Copy.
Direct. Proves or disproves an act based on the five senses.
Conclusive. Incontrovertible, overrides all other types.
Circumstantial. Inference from other info.
Corroborative. Supporting evidence but cannot stand on its own.
Opinions. Expert and non-expert.
Hearsay. Not based on first-hand knowledge.

Evidence must be relevant, complete, sufficient and reliable.

DOMAIN 7: EVIDENCE ADMISSIBILITY

Types of evidence that may be used in a criminal or civil trial:

Real evidence
consists of actual objects that can be brought into the courtroom.

Documentary evidence
consists of written documents that provide insight into the facts.

Testimonial evidence
consists of verbal or written statements made by witnesses.
DOMAIN 7: EVIDENCE ADMISSIBILITY

Requirements for evidence to be admissible in a court of law:

TO BE ADMISSIBLE:
Evidence must be relevant to a fact at issue in the case.
The fact must be material to the case.
The evidence must be competent or legally collected.

Evidence is considered "competent" if it complies with certain traditional notions of reliability.
DOMAIN 7: COLLECTING EVIDENCE
As soon as you discover an incident…
You must begin to collect evidence and as much information about the incident as possible.
Evidence can be used in a subsequent legal action or in finding the attacker’s identity.
Evidence can also assist you in determining the extent of damage.
natural disasters
Know the common types of natural disasters that
may threaten an organization.
- Earthquakes
- Floods
- Storms
- Tsunamis
- Volcanic eruptions
man-made disasters
Know the common types of man-made disasters
that may threaten an organization.
- Explosions
- Electrical fires
- Terrorist acts
- Power outages
- Other utility failures
recovery site types
Three primary types of recovery sites:

Cold site
DESCRIPTION: A “recovery” cold site is essentially just data center space, power, and network connectivity that’s ready and waiting for whenever you might need it.
TO RECOVER: If disaster strikes, your engineering and logistical support teams can readily help you move your hardware into the data center and get you back up and running.
cost = LOW, effort = HIGH

Warm site
DESCRIPTION: A “preventative” warm site allows you to pre-install your hardware and pre-configure your bandwidth needs.
TO RECOVER: If disaster strikes, all you have to do is load your software and data to restore your business systems.
cost = MEDIUM, effort = MEDIUM

Hot site
DESCRIPTION: A “proactive” hot site allows you to keep servers and a live backup site up and running in the event of a disaster. You replicate your production environment in that data center.
TO RECOVER: This allows for an immediate cutover in case of disaster at your primary site. A hot site is a must for mission critical sites.
cost = HIGH, effort = LOW

recovery site types (cont)
Service bureau
a company that leases computer time. Service bureaus own large server farms and often fields of workstations. May be onsite or remote.
Mobile sites
nonmainstream alternatives to traditional recovery sites. They typically consist of self-contained trailers or other easily relocated units.
Multiple sites
Just what it sounds like. May mix-and-match some combination of the aforementioned options.
RPO and RTO
RPO (recovery point objective)
is the age of files that must be recovered from backup storage for normal operations to resume if a system or network goes down.
RTO (recovery time objective)
is the duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in continuity.
mutual assistance agreements (MAAs)
PROs and CONs of MAAs

Benefits of an MAA
Mutual assistance agreements (MAAs) provide an inexpensive
alternative to disaster recovery sites.
Risk of an MAA
Organizations participating in an MAA may also be shut down by the
same disaster, and MAAs raise confidentiality concerns.
Why are MAAs uncommon?
They are not commonly used because they are difficult to enforce.
Business Continuity Planning (BCP)
The 4 main steps of Business Continuity Planning:
1. Project scope and planning
2. Business impact assessment
3. Continuity planning
4. Approval and implementation

assessment of business impact happens within BCP

GOAL: efficient response to enhance a company’s ability to recover from a disruptive event promptly
BCP Definitions
Some BCP-related definitions worth knowing

BCP (Business Continuity Plan)
the overall organizational plan for “how-to” continue business.
COOP (Continuity of Operations Plan)
the plan for continuing to do business until the IT infrastructure can be restored.
DRP (Disaster Recovery Plan)
the plan for recovering from an IT disaster and having the IT infrastructure back in operation.
BRP (Business Resumption Plan)
the plan to move from the disaster recovery site back to your business environment or back to normal operations.
MTBF (Mean Time Between Failures)
a time determination for how long a piece of IT infrastructure will continue to work before it fails.
MTTR (Mean Time to Repair)
a time determination for how long it will take to get a piece of hardware/software repaired and back on-line.
MTD (Max tolerable downtime)
The amount of time we can be without the asset that is unavailable BEFORE we must declare a disaster and initiate our disaster recovery plan.
goals of dr and bcp
What are the core goals of disaster recovery and business continuity planning?
Minimizing the effects of a disaster by:
- Improving responsiveness by the employees in different situations.
- Easing confusion by providing written procedures and participation in drills.
- Helping make logical decisions during a crisis.
5 TYPES OF DISASTER RECOVERY PLAN TESTS
Know the 5 types of disaster recovery plan tests:
- Read-through
- Structured walk-through
- Simulation test
- Parallel test
- Full interruption test

Read-through test
You distribute copies of disaster recovery plans to the members of the disaster recovery team for review.
Structured walk-through aka table-top exercise
Members of the disaster recovery team gather in a large conference room and role-play a disaster scenario.
Usually, the exact scenario is known only to the test moderator, who presents the details to the team at the meeting.
The team members refer to the document and discuss the appropriate responses to that particular type of disaster.
so far, these are all talk

Simulation test
Similar to structured walk-through, except some of the response measures are then tested (on non-critical functions).
Parallel test
involves relocating personnel to the alternate recovery site and implementing site activation procedures. The employees relocated to the site perform their disaster recovery responsibilities just as they would for an actual disaster.
Full interruption test
like parallel tests but involves actually shutting down operations at the primary site and shifting them to the recovery site.
all involve some form of ‘doing’

A couple of related terms
Recovery Team (recover)
is used to get critical business functions running at the alternate site.
Salvage Team (restore)
is used to return the primary site to normal processing conditions.
backup strategies
Electronic Vaulting
is used to transfer database backups to a remote site as part of a bulk
transfer.
Remote Journaling
Transmitting only the journal or transaction logs to the off-site facility
and not the actual files.
Remote Mirroring
a live database server is maintained at the backup site.
the most advanced database backup solution (and also tends to be the
most expensive of these)
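The difference between the three backup strategies above is the data loss each leaves behind, which is what the RPO slide earlier measures. The following is an added example, not code from the handout: a toy key-value database receives a constructed transaction log, and the recovery functions reconstruct what an alternate site could restore under electronic vaulting, remote journaling and remote mirroring, reporting the RPO each achieves. The transaction values, times, vault time and journal shipping lag are all assumptions made for the example.

```python
"""Recovery point under three database backup strategies.

Added example, not from the handout. A toy key-value 'database' receives a
constructed transaction log; the functions below reconstruct the state an
alternate site could recover to under electronic vaulting (last bulk
snapshot), remote journaling (snapshot plus the transaction-log entries that
had been shipped before the disaster) and remote mirroring (live copy), and
report the resulting RPO as the age of the recovered data. The transaction
values, times and shipping lag are assumptions made for the example.
"""
from datetime import datetime, timedelta

# Constructed primary-site transaction log: (committed at, key, new value)
TRANSACTIONS = [
    (datetime(2024, 5, 1, 8, 0), "acct:1", 100),
    (datetime(2024, 5, 1, 9, 0), "acct:2", 250),
    (datetime(2024, 5, 1, 10, 30), "acct:1", 120),
    (datetime(2024, 5, 1, 11, 45), "acct:3", 75),
    (datetime(2024, 5, 1, 12, 10), "acct:2", 300),
]
DISASTER_AT = datetime(2024, 5, 1, 12, 15)
VAULT_TIME = datetime(2024, 5, 1, 10, 0)   # last bulk transfer completed (assumed)
SHIP_LAG = timedelta(minutes=5)             # journal record transit time (assumed)


def replay(base: dict, entries) -> dict:
    """Apply journal entries, in order, on top of a base state."""
    state = dict(base)
    for _, key, value in entries:
        state[key] = value
    return state


def recover(strategy, transactions, disaster_at, vault_time, ship_lag):
    """Return (recovered_state, rpo). vault_time is when the last bulk
    transfer (electronic vaulting) completed; ship_lag is how long a journal
    record takes to reach the remote site under remote journaling."""
    committed = [t for t in transactions if t[0] < disaster_at]
    snapshot = replay({}, [t for t in committed if t[0] <= vault_time])

    if strategy == "vaulting":
        # Only the bulk snapshot exists off-site; everything after it is lost.
        return snapshot, disaster_at - vault_time

    if strategy == "journaling":
        # Journal records that arrived before the disaster are replayed onto the snapshot.
        shipped = [t for t in committed
                   if vault_time < t[0] and t[0] + ship_lag <= disaster_at]
        recovery_point = shipped[-1][0] if shipped else vault_time
        return replay(snapshot, shipped), disaster_at - recovery_point

    if strategy == "mirroring":
        # A live server at the backup site already holds every committed change.
        return replay({}, committed), timedelta(0)

    raise ValueError(f"unknown strategy: {strategy}")


def meets_rpo(rpo: timedelta, target: timedelta) -> bool:
    """A strategy satisfies the business RPO when the data lost is no older than the target."""
    return rpo <= target


if __name__ == "__main__":
    target = timedelta(minutes=15)
    for strategy in ("vaulting", "journaling", "mirroring"):
        state, rpo = recover(strategy, TRANSACTIONS, DISASTER_AT, VAULT_TIME, SHIP_LAG)
        print(f"{strategy:10s} rpo={rpo} meets {target}={meets_rpo(rpo, target)} state={state}")
```

With the constructed data, vaulting recovers to the 10:00 snapshot (RPO 2 h 15 min), journaling with a 5-minute shipping lag recovers everything up to the 12:10 transaction (RPO 5 min), and mirroring loses nothing. Doubling the lag to 10 minutes drops the 12:10 record and pushes the RPO to 30 minutes, which is the knob a practitioner tunes when a journaling design has to meet a stated RPO.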
Categories of disruption (from CISSP CBK)
There are 3 main categories of disruption:

Non-Disaster
disruption in service from device malfunction or user error.
Disaster
entire facility unusable for a day or longer.
Catastrophe
major disruption that destroys the facility altogether.
Requires a short term and long term solution.