
Domain 1: Security and Risk Management

24:20 CIA Triad
25:30 ISC2 Code of Ethics
26:10 Security Policy Development - 4 levels
27:15 Exam Tidbit
27:30 Risk Management & Risk Analysis
28:26 Risk Factors
29:14 Security Planning
30:28 Response to Risk
33:32 NIST 800-37 Rev 2: RMF for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
RMFs for use in the real world - OCTAVE, FAIR, TARA
34:32 7 Steps of NIST 800-37
37:38 Exam Tidbit
38:58 Types of Risk - Residual, Inherent & Total
40:40 Exam Tidbit
41:59 Risk Analysis
45:40 Qualitative Risk Analysis
46:52 Delphi Technique
47:07 Other considerations in Risk Analysis - loss potential & Delayed Loss
47:46 Threat Agents; Terms in Calculating Risk - EF, SLE, ARO, ALE, SE
55:01 Controls Gap
56:03 Supply Chain
57:58 Threat Modeling: Approaches & Frameworks - STRIDE, PASTA, VAST, DREAD, TRIKE
1:02:44 COBIT
1:03:54 Diagramming Potential Attacks in Threat Modeling
1:06:00 Reduction Analysis
1:07:47 Prioritization & Response
1:09:34 Control Types
1:13:40 Legal & Regulatory Issues 1:14:12 Types
1:16:00 IP & Licensing
1:16:14 Regulations regarding Encryption & Privacy
1:19:15 BCP
1:20:45 BCP vs DRP
1:21:24 User Education
1:22:05 Consequences of Privacy & Data breaches
1:23:30 Notifications of Breaches
Domain 2: Asset Security
1:25:25 Data Life Cycle & 1:25:46 Information Life Cycle
1:27:43 Data Classification for Government & Non-Government Entities
1:27:55 Data Security Controls
1:28:59 Data Destruction Methods
1:30:28 Security Control Baseline
1:30:57 Exam Tidbit
1:31:32 Data Protection & 1:31:48 Classification
1:33:34 Defining Sensitive Data
1:34:17 Data Ownership
1:35:16 Other roles in Data Managing
1:36:02 GDPR
1:36:57 Reducing GDPR Exposure
1:38:55 Exam Tidbit
Domain 3: Security Architecture and Engineering
1:43:06 Zero Trust Security
1:43:59 Secure Design Principles - Secure Defaults, Fail Securely (from NIST SP 800-160 Vol 1 - Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems)
Trust but Verify - zero trust security
1:45:15 Privacy by Design
1:48:33 Keep it Simple
1:51:08 Security as a Service
1:51:26 IoT
1:51:53 Smart Devices
1:52:37 SIEM & SOAR (in Domain 8:)
1:55:18 Microservices & SOA (Service Oriented Architecture)
1:56:44 Containerization
1:58:23 APIs (SOAP/REST)
1:59:33 Embedded Systems
2:00:17 High Performance Computing
2:01:22 Edge Computing, Fog Computing
2:02:55 Cloud Models & Services - On premises, IaaS, PaaS, SaaS
2:06:23 Difference between Serverless (Function as a Service) & PaaS
2:08:36 Public, Private & Hybrid Cloud Models
2:12:30 CASB
2:13:52 Post Quantum Cryptography - symmetric & asymmetric
2:10:04 Cryptography - Code, Cipher
2:19:39 Types of Ciphers - stream & block, substitution, transposition, IV, Caesar, Vigenère, One-time pad
2:22:39 Zero Knowledge Proof, Split Knowledge, Work Function/Factor
2:25:03 Importance of Key Security
2:25:46 Symmetric & Asymmetric Keys
2:27:30 Confidentiality, Integrity & nonrepudiation
2:28:17 DES & 3DES Modes
2:30:21 XOR Cipher
2:30:56 Key Clustering
2:31:40 Asymmetric Key Types
2:34:20 Hash Function Requirements
2:35:04 Cryptographic Salts
2:35:42 Digital Signature Standard
2:36:14 PKI
2:37:19 Securing Traffic
2:37:50 IPSEC Basics
2:38:44 Common Cryptographic Attacks
2:40:30 Digital Rights Management
2:41:00 Symmetric Algorithm
2:42:55 Hash Algorithms
2:44:03 3 Major public Key Cryptosystems - RSA, Elgamal, Elliptic Curve
2:45:10 Digital Signatures - DSA, RSA, Elliptic Curve DSA
2:45:33 Asymmetric Algorithms
2:46:04 Security Models based on Integrity & Confidentiality
2:47:23 Purpose of Security Model
2:47:46 State Machine Model (SMM)
2:48:19 Information Flow Model (based on SMM) - Bell-LaPadula, Biba
2:48:55 Non Interference Model
2:49:23 Lattice Based Model
2:49:51 3 properties of Security Models - Simple Security, Star (*) Security, Invocation
2:50:13 Security Models based on Integrity & Confidentiality
2:51:55 Bell-LaPadula
2:53:41 Biba Model
2:54:43 Clark-Wilson - 2:55:19 Access Control Triple
2:56:15 Other Security Models - Take-Grant, Brewer & Nash, 2:56:40 Graham-Denning Model & Rules
2:57:39 Security Modes
2:59:08 SMM
3:00:06 Trusted Computing Base 3:00:57 Security Perimeter
3:01:25 Reference Monitor/Model & Security Kernel
3:02:00 Common Criteria (ISO/IEC 15408) - TCSEC, replaced by ITSEC, which was later replaced by the global security evaluation framework Common Criteria
3:03:25 Common Criteria as a process
3:05:00 TCSEC, ITSEC & Common Criteria Comparison
3:06:14 Covert Channels, eg Steganography - Covert Timing & Covert Storage Channel - Out of band (may have extra info about the receiver & is outside the scope of normal communication channels)
3:07:44 TPM
3:08:12 Access Control Types - Discretionary & Non-Discretionary
3:09:25 Role-BAC
3:09:25 Rule-BAC
3:10:14 MAC
3:11:10 Security Models Design & Capabilities - Certification & Accreditation, Open & Closed System
3:12:21 Techniques for ensuring CIA
3:13:06 MFA
3:13:43 AuthN & AuthZ
3:14:36 Multi-Tasking, Multi-Threading
3:15:10 Multi-processing, Multi-programming
3:15:44 Single State & Multistate processors
3:16:03 Processor Operating Modes - (End) User & Privileged (System/Administrative) Operations
3:16:46 Memory (Volatile Storage) Types 3:17:21 Security Issues with Storage
3:19:12 Security Risks of I/O devices
3:19:57 Purpose of Firmware
3:20:14 Vulnerabilities, Threats & Countermeasures
3:21:12 Role of Security Policy (eg PCI DSS) in Cloud Computing
3:22:46 Hypervisor - Type I, II
3:23:47 CASB (used in Shadow IT)
3:24:26 Security-aaS
3:24:57 Smart Devices
3:25:13 IoT
3:25:43 Mobile Device & Mobile App Security
3:27:45 Embedded Systems & Static Environment
3:28:58 Privilege & Accountability - principle of least privilege & separation of privilege (role/duty)
3:30:25 Common Flaws & Vulnerabilities - buffer overflow, TOCTTOU, Replay Attacks
3:32:03 Functional Order of Security Controls - Deterrence, Denial, Detection, Delay + Determine, Decide
3:33:20 Physical Security Control - logical, admin, physical
3:37:11 Fire Suppression Agents - Class ABCDK
3:39:02 Categories of fire detection - smoke sensing, flame sensing, heat sensing
3:39:10 Classes of Fire Extinguishers
3:39:24 Voltage & Noise - EM & RF Interference
3:39:53 Static Voltage & Damage
3:40:14 Damage from Fire & Fire Suppression
3:41:13 Water Suppression Systems
3:42:38 Gas Discharge Systems
3:43:32 Lock Types
3:44:10 Facility Design Specifications - Exam Tidbit
3:45:03 Site Selection & Facility Design
3:46:10 Secure Work Area Configuration & Design
3:47:19 Threats to Physical Access Control
3:48:07 Securing Wiring Closet
3:48:39 Physical Security Requirements 3:49:18 Needs for Media Storage; Concerns & Protections
3:51:15 Evidence Storage
3:52:02 Audit Trails & Access Logs
3:53:24 Need for Clean Power
Domain 4: Communication and Network Security
Network Architectures
3:56:05 VXLAN
3:57:00 Network Architectures - SDN, 3:57:48 SD-WAN, 3:58:35 LiFi, 4:00:00 Zigbee, 4:01:15 5G, 4:02:48 Content Delivery Networks (CDN) - for streaming audio, video & downloading content
4:03:46 OSI Model 4:05:10 Functionality of OSI Layers
4:06:34 Common TCP/UDP Ports
4:07:02 TCP vs OSI
4:07:27 TCP vs UDP
4:10:09 Cabling Types & Throughput
4:11:02 Standard Network Topologies - star, mesh, ring, bus
4:13:12 Analog vs Digital
4:14:40 Synchronous vs Asynchronous
4:15:25 Baseband vs Broadband
4:16:25 Broadcast, Multicast, Unicast
4:17:25 CSMA, CSMA/CA, CSMA/CD
4:19:50 Token Passing, Polling
4:20:54 Network Segmentation - Intranet, Extranet, DMZ
4:21:59 Reasons for Segmentation
4:22:30 Bluetooth
4:23:13 Mobile System Attacks - bluejacking, bluesnarfing, bluebugging
4:24:11 Wireless Technologies
4:24:34 SSID Broadcast
4:25:23 TKIP
4:25:45 CCMP
4:26:35 WPA2
4:26:51 Fibre Channel & FCoE
4:27:45 iSCSI
4:28:14 Site Survey
4:28:58 EAP, PEAP, LEAP
4:30:15 MAC Filtering
4:30:43 Captive Portals
4:31:15 Antenna Types
4:34:30 Network Devices - Firewalls, Switches, Routers, Gateways, Repeaters, Concentrators, Amplifiers, Bridges, Hubs, LAN Extenders
4:38:02 LAN & WAN (uses private circuit & packet switching technologies)
4:39:20 Firewalls Types
4:40:26 Stateless & Stateful Firewalls
4:41:22 Modern Firewalls - WAF, NGFW 4:42:22 Deep-packet-inspection, UTM 4:43:44 NAT, Content/URL Filter, 4:44:50 Open Source vs Proprietary, 4:45:46 Hardware vs Software 4:46:51 Application vs Host based vs Virtual
4:47:59 IDS, IPS
4:48:39 IDS Types - Behavior & Knowledge based
4:49:32 HIDS, HIPS
4:49:53 NIDS, NIPS
4:50:09 Modes of Operation - Inline (in-band) & Passive (out of band)
4:50:48 Network Appliances - Sensors & Collectors
4:51:32 Secure Network Design - Bastion host, screened host, screened subnet, proxy server, honeypot
4:54:34 Common Network Attacks:
DoS - teardrop, fraggle, land attack, SYN Flood, ping of death
DDoS - smurf attack
Domain 5: Identity and Access Management
4:59:17 Certificate based Authentication
5:00:25 AAA Protocol - AuthN, AuthZ & Accounting
5:01:27 Active Directory - Kerberos
5:02:36 Authorization mechanisms/principles - 3 bases for granting access - need to know, least privilege, separation of duties & responsibilities
5:03:45 Modern/More granular approach to Least Privilege - Just-In-Time (JIT) allows temporary privilege elevation in ephemeral accounts thru Privileged Identity & Access Management (PIM & PAM)
5:04:40 Identification & Authentication
5:05:00 Authorization & Accountability
5:05:45 Primary Authentication Factors
5:06:08 MFA
5:10:26 SSO
5:11:03 SAML, OAuth, OpenID
5:12:35 Access Control Models - DAC, Role-Based, Rule-Based, Attribute-Based (more flexible than rule-BAC), MAC (lattice-based)
5:15:36 Security Controls - Type & 5:16:09 Categories - Logical/Technical, Physical, Admin

Vasudha Kota
1 month ago (edited)
5:17:40 Security Controls: Mechanisms for Defense in Depth
5:18:26 Types - provide CIA reference & enforce it
- preventive, detective, corrective, compensative, directive, recovery, deterrent
5:21:32 Risk - asset valuation, threat modeling, vulnerability analysis
5:22:50 Access Control Attacks - dictionary, brute force, spoofed logon screen, sniffer, spoofing, social engineering, phishing (spear phishing, whaling, vishing)
5:27:20 Access Aggregation attack
5:28:11 Preventing Access Control Attacks - password policies, securing endpoints
5:28:58 Other attacks - Tempest, White noise
5:29:51 Asset Management: preventive measures for theft - RFID, Barcoding, Inventory; Kerberos can be compromised with Replay attacks; in the past there was a similar one called Hash attack.
Domain 6: Security Assessment and Testing
5:32:08 Tools used to validate controls in Security Assessment & Testing Programs
5:33:16 Vulnerability Assessments vs Penetration Tests
5:34:31 Penetration Test Strategies
5:35:33 Security Processes
5:36:47 Software Testing
5:38:29 Static vs Dynamic Software Testing
5:39:51 Application Fuzzing - synthetic inputs & generational fuzzing
5:41:29 Security Management Oversight
5:43:26 Internal & External Audits
Domain 7: Security Operations
5:47:54 Modern firewalls - WAF, NGFW 5:49:09 UEBA - User & Entity Behaviour Analytics
5:49:58 Threat Intelligence
5:50:39 (Domain 3: Access Control) AI & ML
5:52:34 Preventive measures to limit access & damage - to limit the scope of incidents & extent of damage
5:53:26 Preventing Fraud & Collusion (arising due to misuse of access) - Need to know, principle of least privilege, separation of duties, job rotation, mandatory vacations
5:55:08 Monitoring Privileged Operations (as a detective measure)
5:56:20 Information Life Cycle - creation, classification, storage, usage, archive, destruction
5:58:48 SLA
5:59:29 Secure Provisioning - for PCs, Virtual Machines, applications that run in Docker
6:00:10 Virtual Assets 6:00:43 Hypervisor
6:01:20 Security in cloud-based assets - CASB in shadow IT 6:02:48 CSP
6:03:09 Shared Responsibility Model - Hypervisor in VMs (On premises), IaaS, PaaS, SaaS
6:04:40 Configuration & Change Management - Baselining, eg imaging for configuration mgt, versioning for change mgt
6:07:24 Patch management or Update Management avoids certain attacks like SQL slamming (hammering)
6:08:48 Patch Management Life Cycle
6:09:30 Vulnerability Management, Vulnerability Scanners, Vulnerability Assessment
6:11:10 Managing Incident Response
6:13:26 DoS attacks - SYN Flood, DDoS - smurf (also an amplification attack), ping-of-death, botnets, controllers, bot herders
6:16:47 Honeypot - pseudo flaws & fake data, padded cell - hardened honeypot
6:18:09 Blocking Malicious Code
6:20:22 Penetration Tests - Three varieties
6:23:05 IDS vs IPS Response
6:24:09 HIDS vs NIDS
6:25:25 Espionage & Sabotage
6:26:24 Zero-day Exploits
6:27:26 Log Files
6:29:01 Monitoring - activity 6:09:22 negative activity
6:30:33 Audit Trails
6:32:36 Sampling vs Statistical Sampling vs Clipping
6:33:31 Maintaining Accountability
6:34:27 Security Audits & Reviews - prevent violations employing 'least-privilege' & 'need-to-know' principles, performed in the following programs & areas of:
6:35:40 Frequency of IT Security Audits
6:37:32 Auditing & Due Care
6:38:31 Controlling Access to Audit Reports
6:40:05 User Entitlements & Access Reviews
6:41:28 Audit Access Controls
6:43:20 Computer Crime
6:44:43 eDiscovery
6:46:10 Gathering info & preserving evidence requires possession, without modification
6:47:12 Acquiring evidence (alternatives to confiscating) - Voluntary Surrender, subpoena, search warrant
6:48:21 Retaining Investigatory Data
6:49:44 Evidence - types, characteristics, qualities
6:52:00 Evidence admissibility - types - requirements
6:53:37 Collecting evidence
6:54:29 Natural Disasters 6:55:04 Man-made disasters
6:55:23 Disaster Recovery: Recovery Sites - Cold, warm, hot
6:55:54 Other sites - service bureau, mobile site, multiple sites
6:58:02 RPO & RTO
6:58:40 Mutual Assistance Agreements (MAA)
6:59:58 BCP
7:00:43 BCP Definitions - COOP, DRP, BRP, MTBF, MTTR, MTD
7:02:06 Goals of DR & BCP
7:03:01 5 types of DRP Tests - read thru, structured walk thru, simulation, parallel, full interruption
7:05:52 Terms related to DRP: Recovery Team (recover) & Salvage Team (restore)
7:06:19 Backup Strategies - Electronic Vaulting, Remote Journaling, Remote Mirroring
7:07:03 Categories of Disruption - non-disaster, disaster, catastrophe
Domain 8: Software Development Security
7:08:50 DEVOPS/DEVSECOPS - Code Repositories 7:10:14 Code Libraries, 7:11:04 Runtime, 7:12:57 CI/CD
7:15:24 Configuration Management - SCM
7:17:19 Static & Dynamic App Security Testing
7:19:06 Basic Architecture of RDBMS
7:23:58 Aggregation & Inference Attack
7:26:13 Types of Storage - Primary/real memory, Secondary storage, Virtual memory, Virtual Storage, Random Access Storage, Sequential access storage, Volatile Storage, Non-volatile Storage
7:30:35 Machine Learning, Neural Networks, Expert Systems
7:31:17 System Development Models - Agile, Waterfall, Spiral
7:36:30 Software Development Maturity Models - SW-CMM, IDEAL (implements many of the SW-CMM attributes)
7:39:34 Change & Configuration Management - request, change & release control
7:40:47 Software Testing
7:42:01 Virus Propagation Techniques - file/Boot sector/macro infection, Service injection
7:43:09 Antivirus Software
7:44:32 Techniques to compromise Password Security - password crackers, dictionary attacks, social engineering, rootkit (escalation of privilege)
7:47:07 Application Attacks (that exploit poorly written software) - Buffer overflow, Backdoor, TOCTTOU, rootkit (escalation of privilege)
7:48:42 Web Application Vulnerabilities - used to compromise front/back-end vulnerabilities - XSS, SQL injection attacks
7:50:10 Network Reconnaissance Techniques (used by attackers preparing to attack a network) - IP Probes, Port Scans, Vulnerability Scans
7:51:32 Protection Rings (aka hierarchical protection domains) are mechanisms that safeguard data & functionality against faults & malicious behaviour (each ring stands for a level in a hierarchy ranging from most privileged, which is most trusted, to least privileged, which is least trusted) - Eg Ring 0 would be the Kernel, Ring 1 is device drivers, Ring 3 is for applications.
On most operating systems, Ring 0 is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory. Programs such as web browsers running in higher-numbered rings must request access to the network, a resource restricted to a lower-numbered ring.
7:51:49 Special call gates between rings allow an outer ring to access an inner ring's resources in a predefined manner, as opposed to allowing arbitrary usage.
7:52:09 Software Development Life Cycle
7:53:07 Concentric Circle Security
7:54:34 Security Impact of Acquired Software - OS, App, Shrink Wrap Code, Misconfiguration