Sercan Azizoğlu's Personal Website
September 1, 2024

CISSP CBK 6th Ed. by Deane and Kraus - A Book Review

Posted on September 1, 2024  •  35 minutes  • 7307 words

ISC2

ISC2 is a non-profit organization that specializes in cybersecurity certifications. It was established in 1989. Its full name is the International Information Systems Security Certification Consortium.

ISC2 has more than 600,000 members, candidates and associates. In 2022 it launched an entry-level cybersecurity certification, Certified in Cybersecurity (CC). Systems Security Certified Practitioner (SSCP) and Certified Cloud Security Professional (CCSP) are among the other certifications ISC2 offers. ISC2 celebrates CISSP's 30th anniversary this year.

Apart from Certified in Cybersecurity, ISC2 certifications require relevant working experience before a candidate is fully certified. The exam outlines are updated every three years. Once certified, members must earn continuing professional education (CPE) credits to keep their certifications current.

Four Canons in the Code of Ethics

Every member of ISC2 must follow four mandatory canons; adherence is a condition of holding any ISC2 certification. “…all ISC2 members are required to commit to fully support this Code of Ethics.”

  1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.

  2. Act honorably, honestly, justly, responsibly, and legally.

  3. Provide diligent and competent service to principals.

  4. Advance and protect the profession.

CISSP

Certified Information Systems Security Professional (CISSP) is a leadership-level certification that requires five years of working experience in one of the exam domains. As of July 2022, 156,054 ISC2 members held the CISSP worldwide. In the UK it has been assessed as comparable to Master's degree level.

In this post, I cite and highlight specific points from the CISSP Common Body of Knowledge (CBK), 6th Edition, written by Arthur Deane and Aaron Kraus in 2021.

Citations

…a baseline standard of security knowledge to help security practitioners deal with new and evolving risks, and this guide provides easy reference to aid practitioners in applying security topics and principles. (p.23)

CISSP credential holders are also expected to maintain their knowledge via continuing education. (p.23)

IAM requirements are presented through four fundamental aspects, including identification, authentication, authorization, and accountability (IAAA). (p.26)

Information security refers to the processes and methodologies involved in safeguarding information and underlying systems from inappropriate access, use, modification, or disturbance. (p.32)

There are many threats to data and system availability, and they may be either malicious or nonmalicious, either man-made or naturally occurring. (p.35)

Privacy, as defined in the (ISC)2 glossary, is the right of human individuals to control the distribution of information about themselves. (p.36)

Securing an organization’s assets and data is a business issue and requires a high level of planning and oversight by people throughout the entire organization. (p.36)

…a company should achieve its mission thanks in part to security, not despite security. (p.37)

An objective is a short-term milestone that supports a longer-term goal. (p.38)

…a well-managed security program requires processes in place to provide oversight of activities by executive members of the organization. (p.38)

…due care is using reasonable care to protect the interests of your organization. (p.50)

Examples of due care in security are activities like scanning and patching security vulnerabilities, enabling security logging, and writing restrictive firewall rules that enforce least privilege. (p.50)

In relation to information security, due diligence relates to the ongoing actions that an organization and its personnel conduct to ensure organizational assets are reasonably protected. (p.50)

Exercising due care and conducting due diligence are required to avoid claims of negligence in court. (p.50)

…based on AICPA’s five “Trust Services principles”: privacy, security, availability, processing integrity, and confidentiality. (p.54)

…you must know what PII and other personal data your organization handles, and you must understand all legal, contractual, and regulatory requirements that govern the privacy of that data. (p.56)

Any cybercrime committed against a government organization is considered an attack on that nation’s sovereignty. (p.57)

A data breach is a specific cybercrime where information is accessed or stolen by a cybercriminal without authorization. The target of a data breach is the information system and the data stored within it. (p.57)

A pen register is a device that shows the outgoing calls made from a phone, while a trap and trace device shows incoming numbers that called a phone; these capabilities are often consolidated into a single device called a pen/trap device. (p.62)

By 2022, the global trade in counterfeited and pirated products, both physical and online, will grow to between 1.9 and 2.8 trillion dollars. (p.65)

…you should familiarize yourself with the local IP (Intellectual Property) laws in your jurisdiction. (p.66)

…you should be aware of the implications of any import/export controls in which your organization operates or to which your company’s employees may travel. (p.67)

…you should be aware of sanctions that impact your organization and help ensure your organization’s IT systems meet relevant legal requirements. (p.67)

ISO/IEC 27043:2015 recommends procedural steps for conducting security incident investigations. These guidelines cover many incident scenarios from the preparation phase all the way through to the conclusion of the investigation. (p.82)

People are always, without exception, your most valuable and critical asset. (p.89)

User and Entity Behavior Analytics (UEBA), for example, can help detect a disgruntled employee who is heading toward a rage quit. (p.95)

…a risk is the potential for negative impact on the organization, its goals or objectives, or its assets (including people, systems, and data) due to a threat exploiting a vulnerability. (p.96)

…inherent risk is the risk present before any controls are applied, while residual risk is the level of risk that remains after controls are in place. (p.96)

Likelihood describes the probability that an event will occur, and impact defines how disastrous the event would be if it were to happen. (p.99)

…a risk should be accepted only if it is completely within an organization’s risk tolerance. In practice, organizations are often forced to accept potentially painful risks associated with normal business operations. (p.101)

Measuring the security-effectiveness of a security control is an essential step in the selection and implementation process. (p.102)

Perhaps even more important than security-effectiveness (believe it or not), cost effectiveness is a primary consideration for security teams and the management teams that oversee them. (p.102)

A countermeasure can be considered cost-effective if the annual loss expectancy (ALE) with the countermeasure plus the cost of countermeasure is less than ALE without the countermeasure. (p.102)

Countermeasures generally have an initial acquisition and implementation cost, followed by recurring (e.g., annual) operating and maintenance costs. (p.103)
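The cost-effectiveness test quoted above (ALE with the control plus the control's cost must be below ALE without it), worked through in code. This is an added example and not from the book; the scenario figures, the amortization of acquisition cost over the control's lifetime, and the two candidate controls are all constructed for illustration.

```python
"""Cost-effectiveness check for a security countermeasure.

Added example, not from the CBK text. It applies the book's test:
a control is worth buying when ALE_with_control + annualized control cost
is less than ALE_without_control, where ALE = SLE * ARO. All figures are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """A loss scenario: single loss expectancy and annual rate of occurrence."""
    name: str
    sle: float  # single loss expectancy, in currency units
    aro: float  # annual rate of occurrence (expected incidents per year)

    @property
    def ale(self) -> float:
        """Annual loss expectancy."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Countermeasure:
    """A control with a one-off cost spread over its lifetime plus a yearly running cost."""
    name: str
    acquisition_cost: float
    lifetime_years: int
    annual_operating_cost: float
    sle_reduction: float = 0.0  # fraction by which the control cuts SLE (0..1)
    aro_reduction: float = 0.0  # fraction by which the control cuts ARO (0..1)

    def annualized_cost(self) -> float:
        # Acquisition cost amortized over the control's useful life, plus O&M.
        return self.acquisition_cost / self.lifetime_years + self.annual_operating_cost

    def apply(self, s: Scenario) -> Scenario:
        """The same scenario with the control in place."""
        return Scenario(s.name, s.sle * (1 - self.sle_reduction),
                        s.aro * (1 - self.aro_reduction))


def annual_benefit(s: Scenario, c: Countermeasure) -> float:
    """ALE_without - (ALE_with + annualized cost); positive means cost-effective."""
    return s.ale - (c.apply(s).ale + c.annualized_cost())


def is_cost_effective(s: Scenario, c: Countermeasure) -> bool:
    return annual_benefit(s, c) > 0


def rank_countermeasures(s: Scenario, candidates):
    """Candidates ordered by net annual benefit, best first."""
    return sorted(candidates, key=lambda c: annual_benefit(s, c), reverse=True)


# Constructed scenario: ransomware on a file server (ALE = 200,000 * 0.25 = 50,000).
RANSOMWARE = Scenario("ransomware on file server", sle=200_000.0, aro=0.25)

# Constructed controls. Immutable backups plus EDR shrink the loss per incident;
# the premium option removes the loss entirely but costs more than the risk itself,
# so it is more effective yet not cost-effective.
BACKUPS_EDR = Countermeasure("immutable backups + EDR", acquisition_cost=60_000.0,
                             lifetime_years=3, annual_operating_cost=12_000.0,
                             sle_reduction=0.8)
PREMIUM = Countermeasure("managed SOC + full rebuild", acquisition_cost=150_000.0,
                         lifetime_years=5, annual_operating_cost=40_000.0,
                         sle_reduction=1.0, aro_reduction=0.5)

if __name__ == "__main__":
    for c in rank_countermeasures(RANSOMWARE, [BACKUPS_EDR, PREMIUM]):
        print(f"{c.name}: net benefit {annual_benefit(RANSOMWARE, c):,.0f}/yr, "
              f"cost-effective={is_cost_effective(RANSOMWARE, c)}")
```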

There are five major types of controls:

  1. Preventative: These are the first-line controls that are designed to keep adverse security events from occurring. For example, software applications typically have some form of “input validation” to avoid invalid inputs from being executed and causing an issue. Firewalls, system backups, and security awareness training are other common examples of preventative controls.
  2. Detective: These controls are designed to identify a negative security event while it is in progress or soon after it occurs. Much like a human detective, this type of control is intended to gather information and help security teams determine what happened, how bad the damage is, and what caused it to happen. Security audits, door alarms, and IDSs are common examples of detective controls.
  3. Corrective: These controls are designed to minimize and repair damages following an adverse security event; they are typically put in place after a detective control identifies a problem. Corrective controls include things such as software patches, configuration file modifications, and new policies that target the cause of the incident.
  4. Recovery: These countermeasures are designed to complement corrective controls, with the intent to get a system back to normal as quickly as possible. Examples include system and data backups and disaster recovery sites.
  5. Deterrent: These controls are designed to discourage attackers by making them think twice about their malicious intents. Wired fences, security guards, and guard dogs are some examples of deterrents. (p.103)

A common goal among security leaders is to continuously improve their organization’s security posture and measure their journey toward their desired end state. (p.106)

Tactical military intelligence is typically driven by an attacker-centric threat model, as are many business continuity/disaster recovery planning processes. (p.112)

What should be used to keep an eye on IT infrastructures ironically became the instrument of harm to those infrastructures. (p.117)

…the toughest challenge is to ensure that third parties actually do what they should to protect your organization’s information from those risks. (p.118)

…minimum security requirements (MSRs) that define the least acceptable security standards that vendors and other parties in your supply chain must satisfy. (p.118)

Information security is one of the few fields that is governed by relatively small teams but is the responsibility of every person within an organization. (p.120)

A standard security awareness program should include, at a minimum, new user orientation, lectures or computer-based trainings (CBTs), and printed materials like posters and handouts that share security tips. (p.121)

…security awareness content should be considered “live” material that evolves even more frequently than these periodic reviews. (p.122)

Making sure to only store data that is needed limits risk to the organization and reduces operational costs. (p.134)

Asset inventory appears at the top of the popular CIS 20 Controls list, because managing an inventory of all hardware, software, and data assets is foundational for just about every other security function. (p.137)

An Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) server can provide a large portion of this information. (p.139)

…use of automated tools to seek out, tabulate, and provision assets is often preferable; popular brands include Puppet, Chef, and Ansible. (p.140)

Having data retention policies and procedures, which define what to keep and how long to keep it, is not only standard practice, but likely a legal, regulatory, or contractual requirement. (p.150)

…there are three categories of controls with which you should be familiar: technical, administrative, and physical. (p.160)

Each type of control can be described as deterrent, preventative, detective, corrective, or recovery. (p.160)

File-level encryption is a tailored data protection strategy that may provide additional protection from unauthorized access to a file on a hard drive in the event the full disk is decrypted. (p.162)

When baseline controls have potential to degrade or obstruct business operations or are cost-prohibitive, we have to explore compensating controls. (p.165)

U.S. Department of Defense Instruction (DoDI): DoDI 8510.01, “Risk Management Framework (RMF) for DoD Information Technology (IT)” (p.166)

When creating a DLP implementation strategy, it’s important that organizations consider techniques for protection in every data state. (p.170)

  1. Avoid.
  2. Transfer or share (i.e., insurance or contract).
  3. Mitigate (e.g., through security architecture).
  4. Accept. (p.176)

While this is often necessary, it is best that security be incorporated into the design process (and updated over time, as necessary) (p.177)

The five design principles from ISO/IEC 19249 are as follows:

…the technical specification describes the primary challenge that all information security professionals know well: finding the difficult balance between security and functionality. (p.178)

Repudiation threat occurs when a user claims that they did not perform an action, and there is no evidence to prove otherwise. (p.186)

The DREAD model, developed in 2002, is a quantitative risk analysis model that involves rating the severity of security threats by assigning numeric values (typically from 1 to 10) that represent different levels of severity. (p.186)

Complexity is the worst enemy of security. The more complex you make your system, the less secure it’s going to be, because you’ll have more vulnerabilities and make more mistakes somewhere in the system. . . . The simpler we can make systems, the more secure they are. (p.190)

U.S. President Ronald Reagan first started using the English translation of the old Russian adage “trust, but verify” in the late 1980s. (p.190)

“Trust, but verify” also shows up in our use of threat intelligence products and information to determine whether a potential threat is viable. (p.191)

Zero trust is a security model that is predicated on the idea that an organization should not automatically trust anything outside or inside its perimeters — instead, they must verify anything and everything trying to connect to its systems before allowing access. (p.191)

The zero trust model preaches a “never trust, always verify” mindset that requires every access request to be fully authenticated, authorized, and encrypted before granting access. (p.191)

PbD (privacy by design) involves building privacy directly into the design, operation, and management of a system or process, rather than considering privacy after the fact. (p.193)

The general objective is to reduce all risks to a level below the organization’s risk threshold. (p.205)

Consider the control and how to implement and adapt it to your specific circumstances (the “Plan” phase)

In addition to the periodic review of the control selection, the following specific events warrant taking a fresh look at your security controls:

Tamper detection with automatic destruction of storage in the event of tampering… (p.211)

Chip design features such as shield layers to prevent eavesdropping on internal signals using ion probes or other microscopic devices. (p.211)

…TPM (Trusted Platform Module) is responsible for the following functions:

Be mindful of where your software and hardware come from, and ensure you take proper precaution. (p.213)

HSMs are frequently found in certificate authorities (CAs) that use them to protect their root private keys, and payment processors that use them to protect the symmetric encryption keys used to protect cardholder data. (p.214)

Excellent sources of such guidance for browsers and client operating systems include The Center for Internet Security (CIS) and the Defense Information Systems Agency’s Security Technical Implementation Guides. (p.217)

Assign unique admin accounts for each administrator (i.e., do not share admin accounts between more than one admin). Carefully consider a risk-based, role based approach that supports a least-privilege and separation-of-duties model in which each admin only has those admin permissions necessary to discharge their specific responsibilities. Where possible, ensure that critical operations require the cooperation of two admins. (p.220)

For databases that are only accessed through application software (e.g., the typical n-tier web server application), run the database on private networks only accessible to the business logic servers that need access. (p.220)

CLE (Cell-level encryption) encrypts database information at the cell or column level. With this approach, data remains encrypted when read from the database and is decrypted only when requested. (p.221)

Application-level encryption is a high-level approach that provides protection even if access to the database system is compromised. In this case, the business-logic or application layer is responsible for encrypting the data to be protected before it is passed to the database and for decrypting it once it has been retrieved. (p.221)

As American cryptologist Bruce Schneier famously stated, “All cryptography can eventually be broken — the only question is how much effort is required.” (p.222)

…the harsh reality that necessitates much scrutiny is that the threat actors that are most capable and well-funded often position themselves as advocates for secure algorithms. (p.222)

…a curious computer science student used the flaw to exfiltrate 900 social insurance numbers from the Canada Revenue Agency, earning an 18-month conditional sentence in prison for his efforts. (p.225)

There are a number of approaches to secure key storage. These are some common examples:

The importance of security to critical public infrastructure (such as electrical power distribution, water systems, and other public utilities) has come to the attention of governments because vulnerabilities in such systems are considered prime targets for economic warfare in times of conflict with foreign states (p.228)

…the analysis showed the attackers had access to the control systems for at least six months prior and could have done a lot more damage if they had wanted. (p.229)

Many IT departments plan to replace systems every three to five years. Most computer vendors stop supporting devices five to seven years after their first release, and no longer provide patches to address security issues. Most industrial process equipment is designed to operate for 10 to 20 years and longer. (p.230)

Security awareness training is also particularly important, and advocating security principles among all the technicians and plant operators is critically important. (p.231)

Too many cloud-based systems are breached because customers wrongly assume that an advertised security feature is enabled without their action. (p.235)

Two key principles to consider when securing microservices are: isolation and defense in depth. (p.240)

A security best practice for microservices is to use an API gateway to establish a single interface for all your microservices, allowing you to secure your microservices behind a firewall and use the API gateway as a proxy that handles all requests to the microservices behind that firewall. (p.241)

Instead of running an entire operating system (like a VM does), a container uses the operating system’s kernel and only the resources required to operate the given application. (p.242)

Container security risks generally fall into two major categories:

Containers running with the “privileged flag” can do almost anything the underlying host can do. This is a powerful configuration, and should be avoided whenever possible, based on the principle of least privilege. (p.243)

Host operating systems should run only the minimally required services necessary to operate the containers and exclude applications like web servers, databases, and others that increase the attack surface. (p.243)

This short-lived nature creates a moving target that adds a high degree of difficulty for attackers to compromise. (p.243)

“The 12 Most Critical Risks for Serverless Applications.” Among the risks cited are broken authentication, over-privileged function permissions and roles, and other issues related to attack surface complexity and nuances associated with serverless architectures. (p.244)

Protection against firmware attacks can include digital signatures to prevent unauthorized firmware from being accepted and executed, and cryptography to protect against reverse engineering of firmware updates. (p.247)

…work factor describes the amount of time, effort, and resources required to break a cryptosystem. (p.253)

…an acceptable encryption algorithm today may not be acceptable five years from now, as computing continues to advance and work factors decrease. (p.253)

The DES cipher is no longer considered secure because of its short key size. (p.261)

3DES is also considered insecure and was deprecated by NIST in 2017. (p.267)

RC5 is considered secure with sufficient rounds of encryption. (p.267)

RC6 is an improvement upon RC5 and is considered to be a secure algorithm. (p.267)

The ETSI Quantum-Safe Cryptography (QSC) Working Group aims to assess and make recommendations for quantum-safe protocols and implementations. (p.270)

The standard for public key certificates (also known as digital certificates) is X.509 (p.271)

So the security of PKI depends entirely on the secrecy of the private keys — both the participants’ keys as well as the CA’s keys. (p.272)

There is a protocol called DNS-based Authentication of Named Entities (DANE), which would eliminate the need for CAs, but this protocol is not widely supported by browsers and hence has not been adopted by websites. (p.274)

DigiNotar is one of the most visible examples of what occurs when a CA is compromised, highlighting how important trust is for a CA and how quickly it can collapse if that trust is lost. (p.274)

…you should understand your organization’s compliance requirements and determine if an HSM is required (or beneficial) for your company. (p.276)

For access to a system that supports multifactor authentication, dual control could involve entrusting the password to one individual, and the MFA device to a different individual. (p.277)

The numbers n and m are configurable so that one can, for example, split the key into a dozen pieces, but only require any three of the key holders to come together to unlock the key. (p.277)
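The m-of-n key splitting described above, implemented with Shamir's secret sharing. This is an added example, not code from the book: the key is the constant term of a random polynomial over a prime field, each custodian holds one point on it, and any m points recover the key by Lagrange interpolation while fewer reveal nothing about it. The field modulus and the sample key are my choices.

```python
"""m-of-n key splitting with Shamir's secret sharing over a prime field.

Added example, not from the CBK text. It implements the dozen-shares,
any-three-recover arrangement the book describes: the key is the constant
term of a random degree-(m-1) polynomial, each custodian gets one point on
it, and any m points recover the constant term by Lagrange interpolation.
"""
import secrets

# Field modulus: a Mersenne prime comfortably larger than a 256-bit key.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x (Horner's rule, mod PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, m: int, n: int, rng=secrets.randbelow):
    """Split `secret` into n shares (x, y); any m of them reconstruct it."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret out of field range")
    # Constant term is the secret; the other m-1 coefficients are random.
    coeffs = [secret] + [rng(PRIME) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the supplied shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Multiply by the modular inverse of the denominator (Python 3.8+).
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def split_key(key: bytes, m: int, n: int):
    """Convenience wrapper for a raw key (e.g. a 32-byte data encryption key)."""
    return split_secret(int.from_bytes(key, "big"), m, n)


def recover_key(shares, key_len: int) -> bytes:
    return recover_secret(shares).to_bytes(key_len, "big")


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # constructed data encryption key
    shares = split_key(key, m=3, n=12)     # twelve custodians, any three suffice
    subset = [shares[1], shares[6], shares[10]]
    print("recovered from 3 of 12:", recover_key(subset, 32) == key)
```

Shares should be distributed and stored as separately as the dual-control arrangement above requires; the polynomial's random coefficients are discarded after splitting.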

…current guidance from NIST and the Payment Card Industry (PCI) is to rotate data encryption keys at least annually. (p.277)

The message to be signed is passed through a cryptographically secure hash function that produces a fixed-length output (typically between 160 and 512 bits) called a Message Digest. This hash value is then encrypted using the message author’s private key to produce a digital signature. (p.278)

To ensure that digital signatures retain nonrepudiation even after the compromise of the private key used for signing, one can use a trusted timestamp that proves the message was signed before the time when the private key was compromised. (p.280)

Some go one step further and encrypt the hash using a symmetric cipher, but this is considered to be unnecessary and adds little additional security. In keeping with the nomenclature used in password cryptography, this step is called pepper. (p.288)

An example of a known-plaintext attack is the famous German Enigma cipher machine, which was cracked in large part by relying upon known plaintexts. Many messages contained the same word in the same place, or contained the same text (e.g., “Nothing to report”), making deciphering the messages possible. (p.288)

Multifactor authentication should be used to defeat phishing attacks and password weaknesses in Kerberos implementations. (p.292)

Keep your operating systems and applications patched and up-to-date, limit use of administrative privileges (i.e., least privilege), and use trusted antimalware software with updated signatures, among the other system hardening best practices. (p.292)

Once one has applied the chosen risk management approaches (avoid, mitigate, transfer), then one assesses the residual risk to determine if it is within the organization’s risk appetite, or is acceptable to the risk owner. If not, then additional steps must be taken to further reduce the residual risk. (p.293)

…a fundamental principle of security architecture is defense in depth. (p.294)

MPLS (Multi-Protocol Label Switching) is a high-throughput, high performance network technology that directs data across a network based on short path labels rather than longer network addresses. (p.344)

In the context of the OSI model, MPLS is commonly labeled a layer 2.5 protocol since it operates squarely between the common definitions of data link (layer 2) and network (layer 3) protocols. (p.344)

According to Gartner, SD-WAN has four characteristics:

  1. Must support multiple connection types (e.g., internet, MPLS, LTE, etc.)
  2. Can perform dynamic path selection to support load sharing across WAN connections
  3. Provides a simple interface for managing the WAN
  4. Must support VPNs and other third-party services (p.347)

Virtual extensible local area network (VXLAN) is a network virtualization technology that uses encapsulation techniques to encapsulate layer 2 Ethernet frames within layer 4 UDP datagrams. (p.347)
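A decoder for the encapsulation just described, as an added example that is not from the book: it strips the 8-byte VXLAN header from a UDP payload (port 4789), validates the "I" flag, extracts the 24-bit VNI and decodes the inner Ethernet header. The sample frame is constructed, and the `vni_allowed` check is my own illustration of a segmentation control.

```python
"""Decode a VXLAN-encapsulated layer 2 frame from a UDP payload.

Added example, not from the CBK text. VXLAN (RFC 7348) prefixes the original
Ethernet frame with an 8-byte header inside a UDP datagram to port 4789:
flags (1 byte, "I" bit 0x08 set), 3 reserved bytes, 24-bit VNI, 1 reserved byte.
The header carries no authentication, so which tunnel endpoints (VTEPs) may
inject frames has to be controlled at the network edge. Sample frame is constructed.
"""
import struct
from dataclasses import dataclass

VXLAN_UDP_PORT = 4789
VXLAN_FLAG_I = 0x08       # VNI field valid
VXLAN_HEADER_LEN = 8
ETH_HEADER_LEN = 14


@dataclass(frozen=True)
class VxlanFrame:
    vni: int
    inner_dst_mac: str
    inner_src_mac: str
    inner_ethertype: int
    inner_payload: bytes


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_vxlan(udp_payload: bytes) -> VxlanFrame:
    """Strip the VXLAN header and decode the inner Ethernet header."""
    if len(udp_payload) < VXLAN_HEADER_LEN + ETH_HEADER_LEN:
        raise ValueError("payload too short for VXLAN + Ethernet headers")
    # flags(1) reserved(3) then a 32-bit word holding VNI(24) reserved(8)
    flags, vni_word = struct.unpack("!B3xI", udp_payload[:VXLAN_HEADER_LEN])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag clear: VNI not valid, frame must be dropped")
    vni = vni_word >> 8
    inner = udp_payload[VXLAN_HEADER_LEN:]
    dst, src, ethertype = struct.unpack("!6s6sH", inner[:ETH_HEADER_LEN])
    return VxlanFrame(vni, _mac_str(dst), _mac_str(src), ethertype, inner[ETH_HEADER_LEN:])


def build_vxlan(vni: int, inner_frame: bytes) -> bytes:
    """Encapsulate an Ethernet frame (used here to construct sample input)."""
    if not 0 <= vni < 2**24:
        raise ValueError("VNI is a 24-bit value")
    return bytes([VXLAN_FLAG_I, 0, 0, 0]) + (vni << 8).to_bytes(4, "big") + inner_frame


def vni_allowed(frame: VxlanFrame, allowed_vnis: set) -> bool:
    """Segmentation check a VTEP or monitor can apply: only expected VNIs pass."""
    return frame.vni in allowed_vnis


# Constructed sample: a broadcast ARP request (EtherType 0x0806) on VNI 5000.
SAMPLE_INNER = (bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
                + b"\x08\x06" + b"\x00\x01\x08\x00\x06\x04\x00\x01")
SAMPLE_UDP_PAYLOAD = build_vxlan(5000, SAMPLE_INNER)

if __name__ == "__main__":
    f = parse_vxlan(SAMPLE_UDP_PAYLOAD)
    print(f"VNI {f.vni}: {f.inner_src_mac} -> {f.inner_dst_mac} type 0x{f.inner_ethertype:04x}")
```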

When electrons move, they create emanations and a magnetic field. These data emanations can be picked up by devices that scan for them. (p.348)

CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) is the standard encryption mechanism used in WPA2 and WPA3. (p.353)

A beacon frame is a special broadcast transmission that the SSID sends regularly from the WAP. (p.357)

Network administrators can disable, or silence, the broadcast; this is recommended as a security best practice. (p.357)

With the advancement of drones and the ability for private citizens to use them, a newer attack vector known as war droning is now a threat. Scanning and cracking activities are accomplished with a drone instead of by a person in a vehicle within proximity of the WAP. (p.359)

ZigBee is a standard (based on IEEE 802.15.4) for low-cost, low-power, and low-latency wireless communication. ZigBee’s protocols were designed to be simpler than other wireless technologies (like Wi-Fi) and used in applications that require short-range, lower-bandwidth data transfer. Common applications include medical data collection, industrial control systems, building automation, home energy monitors, and other home automation uses.

The NGFW combines the traditional features of those earlier four with the advanced features of other network-based security devices such as an intrusion detection system (IDS) or intrusion prevention system (IPS). (p.367)

They are also sometimes referred to as jump hosts (or jump boxes). They act as a proxy, as the only device reachable from external sources. (p.367)

…firewall as a service (FWaaS), much like CSPs offer software as a service (SaaS). With FWaaS, filtering or screening packets is done virtually and offsite. (p.369)

Watch for broadcast storms on bridges, which can degrade network bandwidth and performance. (p.370)

The arc radius is the maximum distance the cable can be bent without damaging the internal conductors. (p.375)

EMI (electromagnetic interference) is a key security implication when dealing with cabling. As the name implies, EMI is when an electromagnetic field interferes with the object’s performance or functionality. (p.375)

The policies for NAC should be applied consistently for every device, user, or entity that attempts to connect. (p.381)

Endpoint security should at least consist of keeping antivirus and anti-malware software current and using a correctly configured host-based firewall, a hardened configuration with unneeded services disabled, and a patched operating system. (p.383)

NIST Special Publication 800-124 (currently at rev 2 draft) covers not only management but also aspects of improving secure access and authentication of mobile devices at a higher level. (p.384)

VoIP technology is not automatically any more secure than analog. It is essentially plain-form communications and is easily intercepted and eavesdropped. (p.387)

Several security controls have to be implemented to assure the confidentiality, integrity, availability, nonrepudiation, and authenticity (CIANA) of email. (p.390)

However, between email domains for business partners, forcing TLS is a viable option. (p.393)

IAM consists of four foundational elements: identification, authentication, authorization, and accountability (IAAA). (p.405)

Containerization: Placing organization data into a logical container isolates it from being accessed by other apps on the device. This is a common choice for organizations with a bring your own device (BYOD) policy that allows users to access organization resources from a personal device. Enforcing restrictions on the personal device may be difficult, so the restrictions are instead limited to the container, which can be locked or wiped if the user loses the device or leaves employment. (p.410)

Quick Response (QR) codes (p.411)

MDM and MFA can be combined to provide powerful compensating control for challenges arising from increased remote work, cloud-based systems, and BYOD. (p.413)

A role-based access control (RBAC) model can be helpful in identifying common need-to-know criteria and granting access that is appropriate but not excessive. (p.414)

As with other security technologies, there is a requirement to ensure balance between security and usability objectives — requiring a user to open a smartphone app and type in a code every time they log in could become burdensome. In a facility where the organization can implement physical access controls, the risk of unauthorized access may be partially mitigated, meaning MFA could be required only once a day when a user first logs in. (p.418)

If the device is lost or stolen or requires power but has a dead battery, as in the case of a smartphone authenticator app, the user cannot authenticate successfully. (p.421)

The use of SMS and email to deliver one-time passwords (OTPs) or two-factor authentication codes is not considered a security best practice, since both email and SMS are not secure delivery methods. Wherever possible, alternatives should be used. (p.421)

…security practitioners must balance user and cultural requirements when designing authentication schemes. (p.422)

No easy way to change: Unlike Type 1 and Type 2 authentication factors, users do not have an easy way to change biometrics if the authentication system is compromised. It is not possible for human beings to easily change physical characteristics like fingerprints or facial geometry. These systems should always be classified as containing personally identifiable information (PII), since biometrics can be used to uniquely identify individuals. The choice to use such a system introduces additional risks due to the type of data it will store and process. (p.423)

Human beings cannot easily prevent their fingerprints from being left on physical objects, and high-quality photographs are nearly ubiquitous due to social media and surveillance. An important test for biometric systems is their ability to determine the “liveness” of a subject or whether the biometric data being presented is from a live human being or a reproduction like a photograph. This concept was explored in detail in the work of Dorothy Denning and can be found here: liveness.com (p.423)

The Session Management Cheat Sheet can be found at cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html (p.425)

For web applications where session tokens take the form of cookies, it is also recommended to configure proper security such as setting the Secure attribute to force the browser to use HTTPS when sending the cookie. (p.425)

Federated identity: Users log in to a single work resource like the Microsoft 365 or Google Workspace collaboration platforms. Once authenticated, they are able to log in to other, outside resources such as web or smartphone apps using their organization credentials. (p.428)

Implicit deny is the opposite — only people on an approved list are allowed entry, while everyone else is denied. This is sometimes known as deny all or allow by exception and is a fundamental security best practice as it reduces the chance of unauthorized access. (p.434)

The Kerberos project was initiated and is maintained by MIT. Full documentation and code can be found at web.mit.edu/kerberos . Many popular IAM tools also implement Kerberos, such as Microsoft AD. (p.445)

Another protocol that provides AAA functionality is the Terminal Access Controller Access Control System Plus (TACACS+). (p.445)

Controls that are not working as intended are known as deficiencies and identify a risk that is not being properly mitigated. (p.448)

Utilizing a standard methodology offers key benefits including repeatable testing and results that will be more comparable over time. Auditing against the same standard year over year can demonstrate return on investment (ROI) from the organization’s spending on security efforts, as well as the increasing maturity of key security practices or processes. (p.448)

There is a general saying that “Whoever wrote the policy shouldn’t be the one to audit it,” and mitigating conflicts of interest is an important element in an audit or assessment strategy. (p.449)

Zero trust network architecture and microsegmentation are particularly challenging in cloud computing environments where these principles are the default and access follows a deny-all, allow-by-exception model. (p.456)

Crafting proper rules of behavior and managing the pen test engagement are key tasks for a CISSP to perform. (p.458)

Publicly available tools like Shodan or Have I Been Pwned can also be used. (p.460)

Tools like Nmap, nslookup, ping sweeps, and port scanning are used to perform queries that determine active network hosts and services running on a network. (p.460)
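As an added example (not code from the CBK), the following Python performs the simplest form of what Nmap automates: a TCP connect scan that classifies each port as open, closed or filtered. So that it runs offline, it scans a listener it starts itself on the loopback interface; the host, ports and timeout are assumptions for the demonstration.

```python
# Added example, not code from the CBK: a TCP connect scan of the kind Nmap automates.
# To run offline it scans a listener the script itself starts on the loopback interface.
from __future__ import annotations
import socket
import threading
from contextlib import closing


def start_listener() -> tuple:
    """Bind a TCP listener on an OS-assigned loopback port; returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener was closed
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def scan_ports(host: str, ports, timeout: float = 0.5) -> dict:
    """Connect scan: a completed handshake means open, an RST means closed,
    and no answer inside the timeout is reported as filtered (typically a firewall drop)."""
    results = {}
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except socket.timeout:
                results[port] = "filtered"
            except ConnectionRefusedError:
                results[port] = "closed"
            except OSError as exc:
                results[port] = f"error: {exc.__class__.__name__}"
    return results


def find_closed_port() -> int:
    """Pick a loopback port that is (almost certainly) closed: bind, read the number, release it."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_listener()
    try:
        for port, state in scan_ports("127.0.0.1", [open_port, find_closed_port()]).items():
            print(f"127.0.0.1:{port} {state}")
    finally:
        srv.close()
```

A connect scan completes the full handshake, so it shows up in the target's application logs; that is exactly why rules of engagement for a test should say which hosts may be scanned and when.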

Automated tools such as static code analysis use software to model the execution of code and identify potential vulnerabilities like buffer overflow or inconsistent data conditions that could result during program execution. (p.465)

Dynamic analysis tests the actual running program to observe the behavior of the system or application. (p.465)

OWASP has a cheat sheet for Abuse Case modeling and testing: cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html (p.466)

Compliance checks and continuous monitoring, which are discussed in Chapter 7, share a common goal: identify weaknesses as soon as possible and take corrective action before an attacker finds the weakness. (p.470)

Key performance indicators (KPIs) are the monitoring tool for existing risk mitigations, while key risk indicators (KRIs) allow the organization to maintain awareness of potential future risks. (p.475)

A CISSP must understand the business context of their security program and ensure that both KPIs and KRIs are chosen to provide this useful information. (p.475)

If the organization has set the baseline at seven days after the patch is released, then any patch deployed after the seven-day window is a negative indicator in a strict situation. (p.476)

The Software Engineering Institute (SEI) at Carnegie Mellon University has also developed a framework called the Goal-Question-Indicator-Metric (GQIM) Method, which is designed to assist organizations in defining measurement strategies that provide meaningful information. The method documentation can be found at resources.sei.cmu.edu/asset_files/TechnicalNote/2016_004_001_455107.pdf (p.476)

Long-term information retention and habit building: If users take a training, complete a quiz, and immediately forget the information, the program is ineffective. (p.479)

Some security practices are too technical or might be unimportant for all users, so it is important to deliver an appropriate level of knowledge and training material to the audience. (p.479)

The use of external auditors is a requirement in many compliance frameworks, such as PCI, ISO 27001, and the Cloud Security Alliance Security Trust Assurance and Risk (CSA STAR). (p.488)

Whether consuming a SOC 2 report or conducting an audit of a third party’s controls, a security practitioner should seek to answer the following questions related to the security program:

Assessments, audits, tests, and evaluations all share similar goals of identifying issues in security control programs. (p.489)

Organizational processes like security awareness and BCDR should be inspected for data needed to support these oversight functions, but the data alone is not enough to prove valuable, so a CISSP should also review how to generate indicators, in the form of KPIs and KRIs, which identify actions needed to correct or avoid risks. (p.490)

SecOps encompasses disparate functions such as physical security of both data and operational facilities, incident response, supporting or conducting investigations, handling material and evidence collected during investigations, and performing digital forensics. Many of these areas are highly specialized, while the Certified Information Systems Security Professional (CISSP) is a general certification. Generalist security practitioners may not have the skills needed to perform all these functions, but it is important to have access to these skills, whether by hiring or training team members or through the use of a service provider. (p.492)

This chapter presents an overview of important concerns to address when maintaining the various controls implemented to mitigate risk, including the most important: personnel life, health, and safety. (p.492)

Some security practitioners will specialize in digital forensics and incident response (DFIR) and hold credentials in these areas. (p.492)

This section presents elements of security incident investigations and the critical role a security practitioner must play; for a more technically detailed exploration, the book Cybercrime Investigations: A Comprehensive Resource for Everyone by John Bandler and Antonia Merzon is recommended. (p.492)

Hardware devices and software known as write blockers should be used to prevent unwanted changes to media. (p.494)

The chain of custody does not prove that information has not changed in any way; rather, it proves that the changes made to the evidence were done in a controlled manner that did not interfere with the information’s integrity and authenticity, and therefore, its reliability as evidence. (p.494)
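As an added example (not code from the CBK), here is a custody log in which every hand-off re-hashes the evidence image against the hash taken at acquisition. It records who held the item and what they did, and it flags the first hand-off at which the image was no longer bit-for-bit the same, which is what the write blocker on the previous line is there to guarantee. The evidence identifier, handlers and image bytes are constructed.

```python
# Added example, not code from the CBK: a custody log in which every hand-off re-hashes
# the evidence image against its acquisition hash, so the record shows who held it,
# what they did, and whether the image was still bit-for-bit the same at each step.
from __future__ import annotations
import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Chain-of-custody record for one evidence item (a forensic image handled through a write blocker)."""

    def __init__(self, evidence_id: str, image: bytes, collected_by: str):
        self.evidence_id = evidence_id
        self.acquisition_hash = sha256_hex(image)   # reference hash taken at acquisition
        self.entries: list = []
        self.record(collected_by, "acquired", image, "imaged with hardware write blocker")

    def record(self, handler: str, action: str, image: bytes, note: str = "") -> dict:
        """Append one custody entry; the hash at hand-off must match the acquisition hash."""
        digest = sha256_hex(image)
        entry = {
            "when": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "evidence_id": self.evidence_id,
            "handler": handler,
            "action": action,
            "sha256": digest,
            "note": note,
            "integrity_ok": digest == self.acquisition_hash,
        }
        self.entries.append(entry)
        return entry

    def is_intact(self) -> bool:
        """True only if the image verified against the acquisition hash at every hand-off."""
        return all(e["integrity_ok"] for e in self.entries)

    def first_break(self):
        """The earliest entry at which verification failed, or None."""
        return next((e for e in self.entries if not e["integrity_ok"]), None)


# Constructed stand-in for a disk image; not real evidence.
IMAGE = b"\x00" * 32 + b"constructed disk image contents"

if __name__ == "__main__":
    log = CustodyLog("EV-2024-001", IMAGE, "first responder")
    log.record("evidence custodian", "received into storage", IMAGE)
    log.record("forensic analyst", "checked out for examination", IMAGE, "read-only via write blocker")
    print("intact:", log.is_intact())
    tampered = IMAGE + b"\x01"   # an uncontrolled change is caught at the next hand-off
    log.record("evidence custodian", "returned to storage", tampered)
    print("intact:", log.is_intact(), "broken at:", log.first_break()["action"])
```

This models the image-level check only: the master image must never change. Work that does alter data (carving a file out of the image, decrypting a container) belongs on a working copy and gets its own entry with its own hash, so the log still shows that every change was deliberate and documented.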

The NIST Computer Security Resource Center (CSRC) has a number of resources such as projects and publications addressing current forensics concerns like mobile devices, cloud computing, and analysis of advanced persistent threat (APT) activity, which can be found at csrc.nist.gov . (p.495)

The cost of retaining the needed talent and resources in-house must be weighed against the benefit of quicker response times and more customized procedures and should consider the frequency of incidents that require formal investigation. (p.498)

Any investigation requiring forensic expertise is likely to be a critical priority for the organization, so forensic team members should be granted the ability to approach any member of the organization and expect cooperation, even if it interrupts the member’s routine tasks. (p.498)

Faraday containers like bags or boxes, which are shielded to prevent radio communications to or from a physical device. (p.499)

Depending on the type of media, it may even be possible to use highly specialized physical equipment to reconstruct data after a disk has been overwritten. (p.500)

SANS also provides a number of useful resources to aid investigators and responders, including cheat sheets, quick-start guides, and posters for common tasks like malware analysis using Linux or malicious document analysis. (p.501)

NIST Computer Forensics Tool Testing Program (CFTT) site: nist.gov/itl/ssd/software-quality-group/computer-forensics-tool-testing-program-cftt (p.501)

Unless extraordinary means like overwriting or cryptoshredding are employed, deleted data may be recoverable with hardware or software tools. (p.502)

If a configuration management tool indicates a patch deployment level below 75 percent two weeks after a patch is available, forced restarts to patch may be an appropriate next step. (p.511)
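The seven-day baseline quoted earlier (p.476) and the 75 percent at two weeks rule here are two readings of the same data, so one added example (not code from the CBK) serves both: it turns a constructed patch inventory into the per-host lateness list and the fleet-wide deployment level, and applies the forced-restart rule. The release date, host names and install dates are constructed.

```python
# Added example, not code from the CBK: the patch baseline (seven days) and the
# fourteen-day deployment check from the text, computed over a constructed inventory.
from __future__ import annotations
from datetime import date, timedelta

BASELINE_DAYS = 7             # organizational baseline: deployed within 7 days of release
REVIEW_DAY = 14               # "two weeks after a patch is available"
RESTART_THRESHOLD_PCT = 75.0  # below this at the review day, forced restarts are the next step

# Constructed inventory: host -> date the patch was confirmed installed, None if not yet.
PATCH_RELEASED = date(2024, 6, 1)
INVENTORY = {
    "web-01": date(2024, 6, 3),
    "web-02": date(2024, 6, 9),    # one day past the baseline
    "db-01": date(2024, 6, 20),    # only after the review day
    "db-02": None,
    "jump-01": date(2024, 6, 6),
}


def late_hosts(released: date, inventory: dict, baseline_days: int = BASELINE_DAYS) -> list:
    """KPI detail: hosts patched after the baseline window, or not at all (strict reading)."""
    deadline = released + timedelta(days=baseline_days)
    return sorted(host for host, installed in inventory.items()
                  if installed is None or installed > deadline)


def deployment_pct(released: date, inventory: dict, as_of_day: int) -> float:
    """Deployment level a configuration management tool would report as_of_day days after release."""
    cutoff = released + timedelta(days=as_of_day)
    patched = sum(1 for installed in inventory.values() if installed is not None and installed <= cutoff)
    return 100.0 * patched / len(inventory)


def force_restart_recommended(released: date, inventory: dict) -> bool:
    """The text's rule: deployment below the threshold at day fourteen triggers forced restarts."""
    return deployment_pct(released, inventory, REVIEW_DAY) < RESTART_THRESHOLD_PCT


if __name__ == "__main__":
    print("late:", late_hosts(PATCH_RELEASED, INVENTORY))
    print(f"day {REVIEW_DAY} deployment: {deployment_pct(PATCH_RELEASED, INVENTORY, REVIEW_DAY):.0f}%")
    print("force restarts:", force_restart_recommended(PATCH_RELEASED, INVENTORY))
```

Note that `deployment_pct` is computed as of a day, not from today's inventory: a host patched on day 20 does not retroactively improve the day-14 figure, which is what makes the indicator comparable from one patch cycle to the next.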

Monitoring control effectiveness can actually increase the value of the controls—if a risk mitigation becomes ineffective but the organization keeps paying for it, that money is wasted. (p.511)

The U.S. Defense Information Systems Agency Security Technical Implementation Guides (DISA STIGs) and the CIS Benchmarks are well-known examples covering secure configuration of applications, systems, and devices. (p.519)

If one person is on vacation or unavailable, others can fill in for those job duties. This availability aspect is one reason a CISSP should consider implementing job rotation within an organization, as it supports business continuity (BC), disaster recovery (DR), and resilience capabilities. (p.526)

For example, securely shredding removable USB drives is a valid protection against data exposure, but some industry regulations ban the use of such devices altogether. In this case, policies and technical controls must be in place to prevent data from being written to USB drives, rather than focusing on their secure destruction. (p.528)

A portable hard drive or user laptop is much easier to lose or steal, and modern devices can store large amounts of sensitive data. In situations like this, a CISSP must identify compensating controls like disk encryption, which can protect the confidentiality of data even if the device it resides on is stolen. (p.529)

Events are any observable item like routine user or system actions, such as a user successfully logging into a system or a file being accessed. (p.530)

Incidents are events that are both unplanned and have an adverse impact on the organization. They typically require investigation and remediation by some combination of IT, operations, and security personnel. (p.531)

Not all incidents will require participation by the security team. For example, increased system utilization due to a new product launch is expected and simply requires operations resources to add additional capacity. A coordinated DoS attack by a foreign nation state, however, would require participation by both IT and security personnel to successfully remediate. (p.531)

The IR (Incident Response) plan should document the tools, resources, and processes needed to identify, categorize, and remediate the impact of incidents. (p.531)

Many organizations utilize a priority score from zero to five (P0–P5) to categorize incidents. P0 is the most critical, and P5 is the least critical, and members of the IRT use this score to prioritize the work they must perform. In many organizations, an incident at or above a certain priority rating may also be a trigger for other organizational capabilities, such as invoking BC or DR plans. (p.532)
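The three quotes above (events, incidents, priority ratings) are easiest to see together in detection logic, so here is an added example (not code from the CBK) that runs over constructed SSH log lines: every parsed line is an event, and an incident is opened only when one source reaches a burst of failed logins, rated P1 when a privileged account is targeted and P3 otherwise. The threshold, the window, the privileged-account list and the P mapping are assumptions, not the book's.

```python
# Added example, not code from the CBK: detection logic over constructed log lines that
# records every parsed line as an event and raises an incident only for a burst of failed
# logins from one source. The threshold, window and P-rating mapping are assumptions.
from __future__ import annotations
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)$"
)

FAIL_THRESHOLD = 5               # failures from one source inside the window -> incident
WINDOW = timedelta(minutes=1)
PRIVILEGED = {"root", "admin"}   # assumed: attacks on these accounts rate higher

# Constructed log lines, not real captures.
SAMPLE_LOG = """\
2024-09-01T10:00:01 sshd: Accepted password for alice from 10.0.0.5
2024-09-01T10:00:02 sshd: Failed password for root from 203.0.113.9
2024-09-01T10:00:03 sshd: Failed password for root from 203.0.113.9
2024-09-01T10:00:04 sshd: Failed password for root from 203.0.113.9
2024-09-01T10:00:05 sshd: Failed password for root from 203.0.113.9
2024-09-01T10:00:06 sshd: Failed password for root from 203.0.113.9
2024-09-01T10:00:07 sshd: Failed password for root from 203.0.113.9
2024-09-01T10:01:00 sshd: Failed password for bob from 10.0.0.7
2024-09-01T10:01:30 sshd: Failed password for bob from 10.0.0.7
"""


def parse(lines) -> list:
    """Turn each matching line into an event record; non-matching lines are ignored."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                           "user": m["user"], "src": m["src"]})
    return events


def triage(lines, threshold: int = FAIL_THRESHOLD, window: timedelta = WINDOW):
    """Return (events, incidents). An incident opens the first time a source reaches
    `threshold` failures within `window`; P1 for privileged targets, P3 otherwise."""
    events = parse(lines)
    incidents = []
    recent = defaultdict(deque)     # src -> timestamps of recent failures
    flagged = set()
    for ev in events:
        if ev["result"] != "Failed":
            continue                # routine successful login: an event, not an incident
        window_q = recent[ev["src"]]
        window_q.append(ev["ts"])
        while ev["ts"] - window_q[0] > window:
            window_q.popleft()
        if len(window_q) >= threshold and ev["src"] not in flagged:
            flagged.add(ev["src"])
            incidents.append({
                "src": ev["src"], "user": ev["user"], "failures": len(window_q),
                "first_seen": window_q[0], "last_seen": ev["ts"],
                "priority": "P1" if ev["user"] in PRIVILEGED else "P3",
            })
    return events, incidents


if __name__ == "__main__":
    events, incidents = triage(SAMPLE_LOG.splitlines())
    print(f"{len(events)} events, {len(incidents)} incidents")
    for inc in incidents:
        print(inc["priority"], inc["src"], "->", inc["user"], f"{inc['failures']} failures")
```

Two of bob's failed logins stay events: they are observable and worth keeping, but below the threshold they carry no adverse impact that needs the incident response team. The point of the priority field is the trigger the quote describes; a P0 or P1 is what would page the team or invoke the BC/DR plan, so the mapping deserves as much review as the detection itself.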

The communications and security company Verizon has produced a framework for categorizing, capturing, and managing data related to incident response called the VERIS framework. This provides a structured way of capturing and managing IR data, which is useful for directing activities of the IR team. Details of the project can be found here. (p.535)

Given the wide variety of potential incident circumstances, mitigation should follow playbooks, checklists, or other prepared reaction guides that reduce the amount of decision-making required—people in a crisis situation do not always make the best decisions, so planning ahead is crucial. (p.535)

IT or network operations personnel will likely be in charge of installing and maintaining the firewall, but log data generated by the firewall about potential network attacks is a key input to continuous monitoring processes owned by the security team. (p.540)

Operating and maintaining these tools requires security practitioners to collaborate with other departments or teams in the organization, so effective communication and partnership skills need to be a priority for a CISSP. (p.540)

MDM containers install a specific set of apps on user smartphones to allow access to organization data but restrict data access from anything outside the secure container. (p.545)

Threat hunting is the practice of looking for threats that evade the organization’s existing security solutions and may exploit unknown vulnerabilities. It is typically broad in scope and can be performed continuously. (p.549)

In fact, costs like catering or entertainment associated with disaster operations may even be covered by cyber insurance as part of recovery costs! (p.559)

Physical controls can and should be chosen from multiple control categories like preventive, deterrent, detective, compensating, recovery, directive, and corrective. (p.568)

One methodology for designing a comprehensive physical security strategy is crime prevention through environmental design (CPTED), which informs the physical and environmental design of a facility based on its risk needs. (p.568)

This means identifying security requirements for the system before development begins and providing adequate resources to support the design, development, and testing of security features or controls implemented to meet those requirements. (p.579)

The Agile Alliance documented 12 principles to form the Agile Manifesto, which can be found at agilemanifesto.org/principles.html (p.581)

Full details of XP methods and implementation are at www.extremeprogramming.org . (p.583)

The Agile transition of legacy software development has been mirrored in the security community as well with the creation of DevSecOps, right down to a manifesto and guiding principles documented at www.devsecops.org (p.587)

The model is now under the control of the CMMI Institute run by ISACA (cmmiinstitute.com/cmmi) and has been adapted to address Agile development as well as new areas of business concern including development, services, supplier management, and people (workforce management and professional development), as well as an emerging Cybermaturity program designed to apply maturity model concepts to governance and reporting of cybersecurity. (p.591)

The Software Assurance Maturity Model (SAMM) is maintained by the Open Web Application Security Project (OWASP), located at owaspsamm.org (p.592)

This term refers to the multiple (poly) forms (morphs) an object may take when being created or instantiated. (p.604)

Practices like continuous security codify many of these principles, and more details can be found at devops.com/9-pillars-of-continuous-security-best-practices (p.610)

Security practitioners should prioritize based on classification levels; systems handling the most sensitive or highly regulated data are likely to cause the most impact in case of a breach. (p.624)

Frameworks for risk assessments in technology and information security include Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) and Failure Modes and Effect Analysis (FMEA). (p.625)

Partial quantitative measurements can also be made by looking at publicly available data on similar events that impacted peer organizations or publicly available studies like the annual Verizon Data Breach Investigation Report (DBIR). (p.627)

Representational state transfer or REST APIs expose functions using URLs similar to web applications and accept commands using common HTTP verbs like GET and POST for retrieving or sending data to the API. (p.641)

OWASP publishes a number of freely available resources on API security, including a cheat sheet for REST APIs (cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html) and an API Security Top 10 list detailing common vulnerabilities and issues facing API security (owasp.org/www-project-api-security). (p.641)

Microsoft published a document outlining its shift away from traditional perimeter-based security and legacy tools to SDS. The change is driven in part by the move to a cloud-first IT infrastructure, and the document lays out the strategy behind the change. (p.652)
