
CISSP Study Session

Attention Attendees:
Remember to type your messages to all panellists and attendees
CISSP domains
• Domain 1 – Security and Risk Management
• Domain 2 – Asset Security
• Domain 3 – Security Architecture and Engineering
• Domain 4 – Communication and Network Security
• Domain 5 – Identity and Access Management (IAM)
• Domain 6 – Security Assessment and Testing
• Domain 7 – Security Operations
• Domain 8 – Software Development Security
Recommended Text
(ISC)2 CISSP Certified Information Systems Security
Professional Official Study Guide, 9th Edition
Mike Chapple, James Michael Stewart, Darril Gibson

Official Wiley Link


Domain 6 – Security Assessment & Testing
Security Testing
• Verifies that a control is functioning
• Automated scans
• Penetration tests (manual/tool-assisted)
• Considered point-in-time
• Should be ongoing, with frequency based on various factors
• NIST SP 800-53A – best practices for security and privacy assessments
Security Auditing
• Internal
• External
• Third Party
• AICPA SOC Audits
• SOC1
• SOC2 (Type I/II/III)
• SOC3
Vulnerability Assessments
• Security Content Automation Protocol (SCAP)
• Common Vulnerabilities and Exposures (CVE)
• Common Vulnerability Scoring System (CVSS)
• Common Configuration Enumeration (CCE)
• Common Platform Enumeration (CPE)
• Extensible Configuration Checklist Description Format (XCCDF)
• Open Vulnerability and Assessment Language (OVAL)
• Periodic vulnerability scans
Network Discovery Scanning
• TCP SYN Scanning
• TCP Connect Scanning
• TCP ACK Scanning
• UDP Scanning
• Xmas Scanning
• Port state – Open/Closed/Filtered
Penetration Testing
• Process according to NIST
• Planning
• Information gathering and discovery
• Attack
• Reporting
• Common Frameworks
• Cyber Kill Chain (Lockheed Martin)
• MITRE ATT&CK Framework
• Types
• White-box
• Grey-box
• Black-box
Software Development
• Secure Coding
• Code Review
• OWASP Top 10
• Injection
• Broken Authentication
• Sensitive Data Exposure
• XML External Entities
• Broken Access Control
• Security Misconfiguration
• Cross Site Scripting (XSS)
• Insecure Deserialization
• Using Components with Known Vulnerabilities
• Insufficient Logging/Monitoring
Domain 7 – Security Operations
Security Operations
• Need-to-know
• Least-privilege / privileged accounts
• Separation of duties
• Job rotation
• Mandatory Vacations
• Service Level Agreements
• Patch management
• Managed Security Services
• Security Operations Centre (SOC)
• Change Management
Media Security
• Media management
• Media protection
Personnel Security
• Travel
• Security awareness training and education
Managed Services
• SaaS/IaaS/PaaS/etc.
• Service Level Agreements (SLAs)
• Agreements

(Chapple et al., 2021, p. 780)


Cloud
• Public Cloud
• Private Cloud
• Hybrid Cloud
• Community Cloud
• Scalability & Elasticity

(Chapple et al., 2021, p. 780)


Incident Management
• Incident Response Plans
• Playbooks
• Forensic Evidence
• Chain of Custody
Domain 8 – Software Development Security
Development Lifecycles
• Waterfall
• Agile
• Spiral
Maturity Models
• CMM
• CMMI
• IDEAL
Capability Maturity Model
• Level 1 – Initial
• Level 2 – Repeatable
• Level 3 – Defined
• Level 4 – Managed
• Level 5 – Optimised

(Chapple et al., 2021, p. 780)


Security Testing
• Same white-box/grey-box/black-box approaches as in Domain 6
• APIs
• OWASP Top 10
• Code repositories
• Libraries and third-party applications
Readings
• CISSP Official Study Guide (Ninth Edition) – Chapters 15-21.

Questions?
About Me
Dr. Georg Thomas
Senior Manager, Deloitte Australia
20+ years industry experience
DInfoTech, MMgmt(InfoTech), BInfoTech(SysAdmin)
CCISO, CDPSE, CISM, CISSP, ISO27001 Lead Implementer, GRCP, MACS Snr. CP (Cyber Security), MCSE
ACS Profession Advisory Board Member
linkedin.com/in/georgthomas
@georgathomas
scholar.google.com/citations?user=z72s_9MAAAAJ
References
• Chapple, M., Stewart, J. M., & Gibson, D. (2021). (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition. Wiley.
• OWASP Top 10. https://owasp.org/www-project-top-ten/
