cissp week 12


Upload: jemtallon

Post on 16-Apr-2017


TRANSCRIPT

CISSP Training

Pages 566-631

Tim Jensen, StaridLabs

Security Awareness Training

Designed to tell why a policy exists

Show practical examples and ways to identify threats

Turn employees into human security sensors

Topics

Corporate security policies

Organization's security program

Regulatory compliance requirements for the organization

Social Engineering

Business continuity

Disaster Recovery

Topics Cont'd

Emergency Management (hazmat, biohaz, etc)

Security incident response

Data classification

Information labeling and handling

Personnel security, safety, and soundness

Physical Security

Topics Still Cont'd

Appropriate computing resource use

Proper care and handling of security credentials (usernames, passwords)

Risk assessment

Accidents, errors, or omissions

Teaching why policy is necessary

Show real world examples of security failures that could have been fixed with policy

Security teams identify risks to the company and create policies to mitigate just the risks present. Without policy, every risk would have a mitigation even if the risk didn't apply to the company/department.

Why are security policies important

The end goal of security policies is to protect:

The organization

The employees

The Assets of the company

(Its customers when possible)

Questions to answer in training

How does all this security stuff affect my job at the company?

Do I have to do it?

If I don't do it, what are you going to do?

All this security crap is just going to waste time and make my job harder!

What should I be looking for?

Awareness Activities

Formal training courses

Posters

Business unit walk throughs

Security articles/reminders on intranet

Appointment of a 'security awareness mentor'

Security Awareness Day activities, prizes, recognition for winners

Sponsor event with security organization (ISSA, ISACA, SANS, ISC2, Infragard, etc)

Provide trinkets for the users within the organization that support security management principles

Promote Security Awareness Week/month

Provide security reference materials to employees (books, videos, websites)

Job Training

Employees should be professionally trained on the systems/processes they manage.

Lack of training leads to misconfigurations or process gaps which can lead to compromise

It's the sign of a good employee to self learn. It's the sign of bad management to blindly trust that the employee is doing so.

Vendor neutral vs vendor certifications

Performance Metrics

Consistent metrics allow for the identification of security gaps, show whether process improvements helped or hurt, and identify non-compliance

Can be walkthroughs, quizzes, etc.

Managing the Security Function
IS Security Officers

The Information Security Officer is accountable for ensuring the protection of all of the business information assets from intentional and unintentional loss, disclosure, alteration, destruction, and unavailability.

The security officer typically doesn't have the resources available to perform all of these functions and must depend on involvement from other departments/individuals

Must keep up with emerging technologies and risks

Security officers often operate CIRT teams

Provides the leadership for the information security awareness program by ensuring that the program is delivered in a meaningful, understandable way to the intended audience.

Bridging IT with Executives

IS Security Officers translate threats based on configuration/technologies into:

What is the real perceived threat?

What is the risk (impact/probability)

What is the cost of the safeguard?

What will be the residual risk?

How long will the project take (time, money, people, systems)

Reporting

Security officer should report as high in the organization as possible to:

Maintain visibility of the importance of security

Limit the distortion or inaccurate translation of the message

Budget

Security maintains its own budget as well as ensures each applicable department's budget contains funds for security training/remediation

Work Metrics

Automated metric systems should be implemented to rate the day-to-day security and long-term trends:

Helpdesk tickets/hour/day

Inbound email/hour/day

Outbound email/hour/day

Inbound connections at border firewall

Packets dropped at border firewall

Packets dropped at internal firewall

Employee hours spent on compliance reporting

Report metrics: how effective is each report? Has it ever caught anything?

Interdepartmental resources

Buy doughnuts for:

System Admins

Database Admins

Network Admins

Privacy Officers

Compliance Officers

Legal

Law Enforcement

QA testers

Helpdesk

Budget Officers

Procurement Specialists

Business Analysts

Administrative Professionals

Enterprise Architects

Software Developers

Strategic Planning

Make 3-5 year plans

Review annually or before

Tactical Plans

6-18 month plans for specific purposes: reducing vulnerabilities, etc

Review Security Program

Annually review security program for completeness and to identify gaps

Domain 4

Software Development Security

Jem Jensen, StaridLabs

Overview

Planning, programming, and management of software systems

Includes both operating systems and applications

Software is layered, kind of like networking:

Hardware, drivers, OS, utilities and applications

Software Development Life Cycle

SDLC is the project management process used to plan, execute, and control a software development project

Can differ from project to project

Specific model should best fit the project

Basic SDLC Phases

Project initiation and planning

Functional requirements definition

System design specifications

Development and implementation

Documentation and common program controls

Acceptance

Testing and evaluation control

Transition to production

Project initiation and planning

Vision, goal

Proposed technical solution

Documentation: charter, scope

Include objectives, strategy, costs, time estimates, milestones

Usually ends with management signoff on charter and/or scope

Project initiation and planning

Security professional mental checklist:

Is particular info sensitive? (alone or together)

Has info owner determined the info value?

Classifications/Categories?

Is there a risk of sensitive info exposure?

Will data be transmitted or stored in public?

Are controlled areas required?

What systems interconnect with this?

How will this affect the org culture?

Could the company become dependent upon it?

Functional requirements definition

Define end-user needs

Formalize security requirements

Often rolled-into project initiation phase for small projects

System design specifications

Design:

System architecture

System outputs

System interface

Security features

Generally based on over-all architecture for the company

Development and implementation

Generate:

Source code

Test cases

Perform unit tests and functional tests

Perform vulnerability analysis on code

Documentation and common program controls

Controls for editing data within the program

What types of logging the program does

How program versions should be stored

Tests and integrity checks

Acceptance

Ideally, an independent group develops test data and tests the code

Should simulate live environment for good tests

Ensure the application meets security requirements and specifications

Testing and Evaluation Controls

Test data should include:

Data at the ends of acceptable ranges

Data beyond acceptable bounds

Various data points between acceptable range

Random data

Data validations: review data before and after each test to ensure data has not been changed inadvertently

Bounds checking
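The two slides above describe the test set (ends of the range, values beyond the bounds, interior points, random data) and the before/after data-validation check. The following is an added example, not code from the slides or from StaridLabs: it assumes a hypothetical input field that must be an integer within an inclusive range, builds that test set, runs it against a bounds check, and fingerprints the test data before and after the run so that an inadvertent change to it would be detected. A second, deliberately off-by-one checker is included only to show that the boundary cases are what catch that class of defect.

```python
"""Boundary test data and a before/after integrity check for a bounds-checked input.

Added example (not from the slides). The validated field is hypothetical: an
integer that must lie in [min_value, max_value]. All inputs are constructed.
"""
import hashlib
import json
import random


def check_bounds(value, min_value, max_value):
    """Correct bounds check: accept only integers within the inclusive range.

    bool is a subclass of int in Python, so it is rejected explicitly.
    """
    if isinstance(value, bool) or not isinstance(value, int):
        return False
    return min_value <= value <= max_value


def check_bounds_off_by_one(value, min_value, max_value):
    """Deliberately defective checker (exclusive comparison) used to show that the
    end-of-range test cases are the ones that expose an off-by-one error."""
    if isinstance(value, bool) or not isinstance(value, int):
        return False
    return min_value < value < max_value


def boundary_test_cases(min_value, max_value, seed=0, n_random=3):
    """Build the test set the slide calls for. Each case is (input, expected_valid).

    Random data is drawn from a seeded generator so the set is reproducible and
    can be fingerprinted before and after a run.
    """
    rng = random.Random(seed)
    cases = [
        (min_value, True), (max_value, True),            # ends of the acceptable range
        (min_value - 1, False), (max_value + 1, False),  # just beyond acceptable bounds
        ((min_value + max_value) // 2, True),            # a point inside the range
        ("42", False), (None, False), (True, False),     # wrong type, must be rejected
        (2 ** 63, False),                                # absurdly large value
    ]
    for _ in range(n_random):                            # random data around the range
        v = rng.randint(min_value - 100, max_value + 100)
        cases.append((v, min_value <= v <= max_value))
    return cases


def fingerprint(data):
    """SHA-256 over canonical JSON of the test data, for the before/after comparison."""
    canonical = json.dumps(data, sort_keys=True, default=repr).encode()
    return hashlib.sha256(canonical).hexdigest()


def run_tests(min_value, max_value, checker=check_bounds):
    """Run every case through `checker`; report mismatches and whether the test
    data fingerprint was identical before and after the run."""
    cases = boundary_test_cases(min_value, max_value)
    before = fingerprint(cases)
    failures = [(v, expected) for v, expected in cases
                if checker(v, min_value, max_value) != expected]
    after = fingerprint(cases)
    return {"cases": len(cases), "failures": failures, "data_unchanged": before == after}


if __name__ == "__main__":
    print(run_tests(0, 100))                              # correct checker: no failures
    print(run_tests(0, 100, checker=check_bounds_off_by_one))  # ends of range fail
```

The ordering matters in practice: record the fingerprint before the run, not after, so that a test harness that mutates its own inputs is caught rather than silently validated against the altered data.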

Testing and Evaluation Controls

Never use production data

Sanitize test data

Test all changes

Management should be informed and sign off on testing results

Transition to Production

Train new users

Implement the system:

Installation

Data conversions (if needed)

Parallel operations (to reduce disruption)

Revisions

Regular evaluation and audits

Should incorporate security planning to avoid future problems

Document failures

Helps to justify future enhancements

Maturity Models

CMM: Capability Maturity Model

Framework to produce higher quality software products

Continual optimization of processes

ISO 9000?

Operation and Maintenance

Monitor performance of the system

Detect defects and weaknesses

Verify changes don't impact existing functionality or circumvent security measures

Change Management

Track changes in software and systems to prevent unintended or unauthorized changes

Should be a formal cycle with planning, approval, testing, and documentation

Patch management

Should include testing and rollback features