
HiLCoE

CS687
Information Systems Security
HiLCoE School of CS & Technology
Outline
01 Introduction to ISS
02 Security threats and attack vectors
03 Malware: Student's independent work
04 Cryptography: Recording only
05 Authentication: Recording only
06 Authorization/Access Control
07 Network Security
08 Firewall: Recording only, no assessment
Not Included in this Course
Web/Application Security "Secure Code Writing"
Intrusion Detection & Prevention
Digital Forensics / Incident Response
Hacking Techniques
Cloud Security, etc


Introduction to ISS
Topics in this Chapter
Risk management approach to security
Assets, Threats & Vulnerabilities
Security goals
Controls / Safeguards
Vulnerability assessment, Penetration testing
IT security policy, standards, certification
The Right Questions
01 What assets to protect?
02 How (badly) are those assets threatened? (impact analysis)
03 How often could a threat occur?
04 What controls/safeguards are needed to counter those threats? (risk mitigation)
05 How effective are the controls put in place? (in terms of purpose and cost)

Risk Management
Risk Identification
Risk Assessment
  Analysis: likelihood & impact
  Evaluation: prioritization in terms of budget, criticality, etc
Risk Treatment (mitigation)
  NIST: > 1100 controls
  ISO27001: 114 controls
Monitor and Refine (the cycle repeats)
Risk
There are numerous definitions!

"The likelihood of a given threat exploiting the vulnerability of an asset (or assets) to cause harm or loss to the organization."

Risk = Assets x Vulnerabilities x Threats
Fire = Fuel x Heat x Air


Risk Assessment
01 Time consuming
02 Expensive
03 Quantitative
04 Qualitative
05 Regular/Cyclical

Cyclical: the rapid growth of changes in IT, and thus in assets and the corresponding threats and controls, makes RA a cyclic process and discourages many in the industry.
Risk Assessment & Treatment (ISO27001/2)
01 Asset identification and valuation
02 Identification of threats & vulnerabilities
03 Determination of the likelihood of the threats and frequency
04 Determine the potential loss to the organization
05 Identify and evaluate risk treatment options
06 Selection of security controls (safeguards) or acceptance of risks
Risk Treatment: Security Controls (NIST)
Some NIST security controls out of 1100+.
01 AC: Account Management | Restrictions on Use of Shared and Group Accounts
02 AT: Literacy Training and Awareness
03 AU: Event Logging
04 CA: Penetration Testing
05 CM: Software Usage Restrictions
06 IR: Incident Handling
Risk Treatment
A Avoid
B Transfer
C Mitigate
D Accept
Residual Risk
A risk that an organization is willing to accept due to one or more of the following reasons:
01 The risk treatment is too expensive or simply unavailable
02 The risk is considered to be infrequent enough or its impact is tolerable
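The ISO 27001/2 steps above (valuation, likelihood, potential loss, treatment options, control selection or acceptance) and the residual-risk rule can be carried through as a small risk register. The following is an added example written for this chapter, not part of the course slides: the 1-5 likelihood/impact scale, the accept/avoid thresholds, the per-control budget and the register entries are all constructed assumptions.

```python
"""Risk assessment and treatment worked through in code (added example).

Assumed scale: likelihood and impact are 1..5; risk level = likelihood x impact.
Treatment options follow the slides: Avoid, Transfer, Mitigate, Accept.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int           # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int               # 1 (negligible) .. 5 (severe), assumed scale
    control_cost: float       # cost of the candidate control (constructed)
    control_reduction: float  # fraction of the risk the control removes (0..1)

    @property
    def score(self) -> int:
        # Analysis step: likelihood x impact
        return self.likelihood * self.impact


ACCEPT_THRESHOLD = 6           # assumed: at or below this, accept the risk
AVOID_THRESHOLD = 20           # assumed: above this, avoid the activity
BUDGET_PER_CONTROL = 10_000.0  # assumed cap for a single control


def treatment(risk: Risk) -> str:
    """Evaluation step: choose one of Avoid / Transfer / Mitigate / Accept."""
    if risk.score <= ACCEPT_THRESHOLD:
        return "Accept"          # tolerable impact or infrequent enough
    if risk.score > AVOID_THRESHOLD:
        return "Avoid"
    if risk.control_cost > BUDGET_PER_CONTROL:
        return "Transfer"        # treatment too expensive: e.g. insure it
    return "Mitigate"


def residual_score(risk: Risk) -> float:
    """Risk level remaining after the chosen treatment is applied."""
    t = treatment(risk)
    if t == "Avoid":
        return 0.0
    if t == "Mitigate":
        return round(risk.score * (1 - risk.control_reduction), 2)
    # Accept and Transfer leave likelihood and impact of the event unchanged
    # in the organization's own register (transfer moves the financial consequence).
    return float(risk.score)


def prioritize(register):
    """Order by risk level, highest first; ties broken by impact."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


# Constructed register (not real data)
REGISTER = [
    Risk("Customer DB", "SQL injection", "unpatched web app", 4, 5, 8_000.0, 0.8),
    Risk("Office printer", "Paper jam", "old hardware", 5, 1, 200.0, 0.5),
    Risk("Data center", "Flood", "ground-floor location", 2, 5, 50_000.0, 0.9),
    Risk("Laptops", "Theft", "no disk encryption", 3, 3, 3_000.0, 0.7),
]


def report(register=REGISTER):
    """Prioritized (asset, score, treatment, residual) rows."""
    return [(r.asset, r.score, treatment(r), residual_score(r)) for r in prioritize(register)]


if __name__ == "__main__":
    for row in report():
        print(row)
```

Running it orders the register Customer DB, Data center, Laptops, Office printer; the flood risk lands on Transfer because its control exceeds the assumed budget, and the printer risk is accepted as residual risk.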
Organizational Assets

"An asset is anything that needs to be protected because it has value to the organization and contributes to the successful attainment of the organization's objectives."
Assets
01 Hardware: computers, laptops, phones, switches, routers, peripherals, network accessories, load balancers, firewall, access point, storage media, etc
02 Software: OS, Android OS, iOS, DBMS, applications, email servers, web servers, etc
03 Data (information): printed out or written on paper, sent/received via email, stored on databases, transmitted across networks, stored on tapes or disks, spoken in conversations, held on films and microfiche, any other method used to convey knowledge and ideas, etc
04 Communication: LAN, WAN, dial-up, wireless, satellite, infrared, radio, etc
05 People: CEO, CIO, teller, clerk, director, manager, secretary, security guard, janitor, etc
06 Miscellaneous: server room, office building, logo, goodwill, etc
Threats

"A potential cause of an unwanted incident which may result in harm to a system or organization."

Major Classes of Threats
A Disclosure: unauthorized access to information (Interception, Listening, Wiretapping, Inference, etc)
B Disruption: interruption or prevention of correct operation (Interruption, Corruption, Obstruction)
C Deception: Falsification, Masquerade, Modification, Repudiation
… Commonly Known By
01 Impersonation / Masquerade (Deception)
02 Unauthorized modification (Deception)
03 Repudiation (Deception)
04 Unauthorized disclosure of data (Data Disclosure)
05 Unauthorized disclosure of traffic (Traffic Disclosure)
06 Denial of Service – DoS (Disruption)
Attack Vectors
• Malware (virus, worm, …)
• Password breaking
• Cross site scripting
• SQL injection
• Spoofing
• Phishing
• Sniffing
• Masquerade
• Illegal use of software
• Traffic analysis
• Man-in-the-middle
• Spam
• Buffer overflow
• ICMP flooding
• SYN flooding
• Zero-day attack
• Social engineering
• Power failure
• Earthquake
• Fire
• Theft/Robbery
• etc
Threat Agents
• Hackers
• Crackers
• Hacktivists
• Insiders
• Competitors
• Cyber-criminals
• Cyber-spies
• Cyber-terrorists
• State actors
• Script kiddies, etc

Motives
• Fun/Hobby
• Fame
• Information
• Vengeance
• Money
• Politics
• Terrorism
• Etc
Vulnerability

"A weakness within an asset or a group of assets (or a system) which can potentially be exploited by a threat."

Some Vulnerabilities
• Poorly configured system/software
• Inappropriate access rights
• Unpatched systems
• Flaws or bugs in software
• Flaws in the system or software
  • Back doors
  • String boundary checks
• Poor password management
  • Duration of password
  • Strength of password
  • Single password on multiple systems
• Lack of effective change control
  • Separation of duty
  • Rotation of duty
  • Patch management
  • Version management
• Absence of personnel
• Lack of security awareness
• Poorly documented software
• Lack of policies
• Allowing unauthorized installation of software
Vulnerability Identification Standardization Efforts

Common Vulnerabilities and Exposures (CVE) – defines a specific vulnerability by which an attack may occur.

Common Weakness Enumeration (CWE) – community-developed list of software and hardware weaknesses with detailed descriptions and authoritative guidance.

Common Configuration Enumeration (CCE) – a list of system security configuration issues that can be used to develop configuration guidance.

Common Platform Enumeration (CPE) – standardized methods of describing and identifying classes of applications, operating systems, and devices within an organization. CPEs are used to describe what a CVE or CCE applies to.

Common Vulnerability Scoring System (CVSS) – a scoring system that assigns a severity score to each defined vulnerability and is used to prioritize remediation efforts and resources according to the threat.
CVE – Example
https://www.cvedetails.com/vulnerability-list/year-2022/month-1/January.html

CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Access | Complexity
CVE-2022-23808 | 79 | | XSS | 1/22/2022 | 1/31/2022 | 4.3 | Remote | Medium

"An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow XSS or HTML injection."
CVE – January 2022 (Partial)
https://www.cvedetails.com/vulnerability-list/year-2022/month-1/January.html

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication
1 | CVE-2022-24266 | 89 | | Sql | 1/31/2022 | 2/3/2022 | 7.8 | None | Remote | Low | Not required
2 | CVE-2022-24265 | 89 | | Sql | 1/31/2022 | 2/3/2022 | 7.8 | None | Remote | Low | Not required
3 | CVE-2022-24264 | 89 | | Sql | 1/31/2022 | 2/3/2022 | 7.8 | None | Remote | Low | Not required
4 | CVE-2022-24263 | 89 | | Sql | 1/31/2022 | 2/11/2022 | 7.5 | None | Remote | Low | Not required
5 | CVE-2022-24130 | 120 | | Overflow | 1/31/2022 | 2/16/2022 | 2.6 | None | Remote | High | Not required
6 | CVE-2022-24124 | 89 | | Sql | 1/29/2022 | 2/4/2022 | 5 | None | Remote | Low | Not required
7 | CVE-2022-24123 | 79 | | Exec Code XSS | 1/29/2022 | 2/4/2022 | 6.8 | None | Remote | Medium | Not required
8 | CVE-2022-24122 | 416 | | | 1/29/2022 | 2/6/2022 | 6.9 | None | Local | Medium | Not required
9 | CVE-2022-24071 | | | | 1/28/2022 | 2/2/2022 | 4.3 | None | Remote | Medium | Not required
10 | CVE-2022-24032 | 668 | | | 1/30/2022 | 2/4/2022 | 5 | None | Remote | Low | Not required
11 | CVE-2022-23993 | | | | 1/26/2022 | 2/4/2022 | 7.5 | None | Remote | Low | Not required
12 | CVE-2022-23990 | 190 | | Overflow | 1/26/2022 | 2/14/2022 | 7.5 | None | Remote | Low | Not required
13 | CVE-2022-23979 | 79 | | XSS | 1/28/2022 | 2/2/2022 | 3.5 | None | Remote | Medium | ???
14 | CVE-2022-23968 | 835 | | DoS | 1/26/2022 | 2/3/2022 | 7.8 | None | Remote | Low | Not required
15 | CVE-2022-23967 | 787 | | Exec Code Overflow | 1/26/2022 | 2/2/2022 | 7.5 | None | Remote | Low | Not required
16 | CVE-2022-23959 | 444 | | | 1/26/2022 | 2/16/2022 | 6.4 | None | Remote | Low | Not required
17 | CVE-2022-23945 | 306 | | | 1/25/2022 | 2/1/2022 | 5 | None | Remote | Low | Not required
18 | CVE-2022-23944 | 306 | | | 1/25/2022 | 2/1/2022 | 6.4 | None | Remote | Low | Not required
19 | CVE-2022-23935 | | | | 1/25/2022 | 1/28/2022 | 7.5 | None | Remote | Low | Not required
20 | CVE-2022-23889 | 674 | | | 1/28/2022 | 2/3/2022 | 5 | None | | |
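A CVE list like the one above is only useful once it is ordered for remediation, which is what CVSS is for. The following is an added example, not part of the slides or of cvedetails.com: it loads a constructed CSV holding a subset of the rows shown (the values are copied from the table, the CSV layout is ours), bands the scores with the CVSS v2 Low/Medium/High ranges that NVD uses, orders them for triage and groups them by CWE.

```python
"""Triage a CVE list by CVSS score and exposure (added example)."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed CSV: a subset of the January 2022 rows from the slide above.
SAMPLE = """cve,cwe,types,score,access,complexity,auth
CVE-2022-24266,89,Sql,7.8,Remote,Low,Not required
CVE-2022-24130,120,Overflow,2.6,Remote,High,Not required
CVE-2022-24124,89,Sql,5,Remote,Low,Not required
CVE-2022-24123,79,Exec Code XSS,6.8,Remote,Medium,Not required
CVE-2022-24122,416,,6.9,Local,Medium,Not required
CVE-2022-23968,835,DoS,7.8,Remote,Low,Not required
CVE-2022-23967,787,Exec Code Overflow,7.5,Remote,Low,Not required
CVE-2022-23979,79,XSS,3.5,Remote,Medium,???
"""


def load(text):
    """Parse the CSV into a list of dict rows."""
    return list(csv.DictReader(StringIO(text)))


def severity(score):
    """CVSS v2 qualitative bands as published by NVD: Low 0-3.9, Medium 4-6.9, High 7-10."""
    s = float(score)
    if s >= 7.0:
        return "High"
    if s >= 4.0:
        return "Medium"
    return "Low"


def triage_order(rows):
    """CVE IDs ordered for remediation: highest score first, and at equal
    score the more exposed entry (remote, no authentication, low complexity) first."""
    def key(r):
        exposure = (r["access"] == "Remote",
                    r["auth"] == "Not required",
                    r["complexity"] == "Low")
        return (float(r["score"]), sum(exposure))
    # sorted() is stable, so rows with identical keys keep the table order
    return [r["cve"] for r in sorted(rows, key=key, reverse=True)]


def by_cwe(rows):
    """Group CVE IDs by their CWE so one weakness class can be fixed at once."""
    groups = defaultdict(list)
    for r in rows:
        groups[r["cwe"] or "unknown"].append(r["cve"])
    return dict(groups)


if __name__ == "__main__":
    rows = load(SAMPLE)
    for cve in triage_order(rows):
        print(cve)
    print(by_cwe(rows))
```

Grouping by CWE is the practical payoff of the CWE column: the two CWE-89 entries point at the same class of defect (SQL injection) and are usually remediated by one code or configuration change rather than two separate tickets.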


CWE – Top 25 (Only 10 displayed)
https://cwe.mitre.org/data/index.html

Rank | ID | Name | Score | 2020 Rank Change
[1] | CWE-787 | Out-of-bounds Write | 65.93 | 1
[2] | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 46.84 | -1
[3] | CWE-125 | Out-of-bounds Read | 24.9 | 1
[4] | CWE-20 | Improper Input Validation | 20.47 | -1
[5] | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 19.55 | 5
[6] | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 19.54 | 0
[7] | CWE-416 | Use After Free | 16.83 | 1
[8] | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 14.69 | 4
[9] | CWE-352 | Cross-Site Request Forgery (CSRF) | 14.46 | 0
[10] | CWE-434 | Unrestricted Upload of File with Dangerous Type | 8.45 | 5


CCE – Examples
https://ncp.nist.gov/cce/index

CCE ID | CCE Description | CCE Technical Mechanism | CCE Parameters

CCE-20013-9 | Application object owner accounts for a specified database should be enabled or disabled as appropriate. | (1) ALTER LOGIN | (1) login_name (2) enable/disable (3) default_database

CCE-19816-8 | Application object owner accounts for a specified database should be configured appropriately. | (1) From the query prompt: USE [database name] SELECT DISTINCT u.name FROM sysusers u, sysobjects o WHERE u.uid = o.uid AND u.uid NOT IN ('1', '3', '4') | (1) set of accounts (2) database name

CCE-19517-2 | Database application permissions allowing DDL statements to modify the application schema for a specified database should be configured appropriately. | (1) USE [database name] SELECT USER_NAME(uid), name, crdate FROM sysobjects WHERE uid NOT IN (1, 3, 4) | (1) list of permissions (2) set of accounts (3) database name

CCE-19448-0 | Custom and GOTS application source code for a specified database should be encrypted or not encrypted as appropriate. | (1) ALTER PROCEDURE | (1) [procedure name] (2) WITH ENCRYPTION (3) Custom/GOTS procedures (4) Database Name

CCE-19649-3 | Permissions on system tables for a specified database should be configured appropriately. | (1) REVOKE / GRANT | (1) list of permissions (2) [object] (3) [user name] (4) [database name]

CCE-19926-5 | DDL permissions for a specified database and specified account should be configured appropriately. | (1) CREATE (2) ALTER (3) DROP; (1) REVOKE/GRANT CONTROL | (1) set of accounts (2) list of permissions (3) database name

CCE-19822-6 | Permissions using the WITH GRANT OPTION for a specified database should be configured appropriately. | (1) REVOKE / GRANT | (1) list of permissions (2) [object] (3) [user name] (4) [database name]

CCE-19220-3 | Object permissions assigned to PUBLIC or GUEST for a specified database should be configured appropriately. | (1) REVOKE / GRANT | (1) list of permissions (2) [object] (3) [public or guest] (4) database name

CCE-19886-1 | Access to DBMS software files and directories should be configured appropriately. | (1) defined by the object's DACL | (1) set of accounts (2) list of permissions

CCE-19147-8 | Default demonstration and sample database objects and applications should be available or removed as appropriate. | (1) DROP DATABASE | (1) database_name (2) database_snapshot_name

CCE-19909-1 | Required auditing parameters for database auditing should be set appropriately. | (1) EXEC SP_TRACE_SETSTATUS | (1) TraceID

CCE-19687-3 | DBMS privileges to restore database data or other DBMS configurations, features or objects in a specified database should be configured appropriately. | (1) Use the SQL command to assign permissions to the appropriate roles | (1) database name
CPE – Format
https://nvd.nist.gov/products/cpe

• A CPE name is a URL that encodes seven ordered fields:
  cpe:/<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>
• The <part> field can take on only three values: a for applications, h for hardware platforms, o for operating systems.
• Examples:
  • cpe:/a:microsoft:sql_server:6.5 ➔ an application
  • cpe:/h:asus:rt-n16 ➔ a hardware platform
  • cpe:/o:freebsd:freebsd:3.5.1 ➔ an operating system
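A parser for the seven-field CPE URI form described above, as an added example that is not part of the slides or of NVD's own tooling. It splits a name into its ordered fields, rejects a <part> outside a/h/o, and shows the use the slides mention (describing what a CVE or CCE applies to) by matching a CPE pattern against a constructed inventory, treating an omitted trailing field as "any value" (the assumption made here for matching).

```python
"""CPE 2.2 URI parsing and inventory matching (added example)."""

CPE_PARTS = {"a": "application", "h": "hardware platform", "o": "operating system"}
FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")
PREFIX = "cpe:/"


def parse_cpe(name: str) -> dict:
    """Split a CPE name into its seven ordered fields.

    Trailing fields may be omitted (e.g. cpe:/h:asus:rt-n16 has no version);
    they are returned as empty strings. Raises ValueError on malformed input.
    """
    if not name.startswith(PREFIX):
        raise ValueError(f"not a CPE URI: {name!r}")
    values = name[len(PREFIX):].split(":")
    if len(values) > len(FIELDS):
        raise ValueError(f"too many fields ({len(values)}) in {name!r}")
    if not values[0]:
        raise ValueError(f"missing part field in {name!r}")
    padded = values + [""] * (len(FIELDS) - len(values))
    rec = dict(zip(FIELDS, padded))
    if rec["part"] not in CPE_PARTS:
        raise ValueError(f"part must be a, h or o, got {rec['part']!r}")
    rec["kind"] = CPE_PARTS[rec["part"]]   # human-readable meaning of <part>
    return rec


def is_valid_cpe(name: str) -> bool:
    """True when parse_cpe() accepts the name."""
    try:
        parse_cpe(name)
        return True
    except ValueError:
        return False


def applies_to(pattern_name: str, inventory):
    """Return inventory names matched by a CPE pattern.

    Assumption used here: an empty field in the pattern matches any value,
    so cpe:/o:freebsd:freebsd matches every FreeBSD version in the inventory.
    """
    pattern = parse_cpe(pattern_name)
    hits = []
    for item in inventory:
        rec = parse_cpe(item)
        if all(pattern[f] in ("", rec[f]) for f in FIELDS):
            hits.append(item)
    return hits


# Constructed inventory built from the three slide examples plus one extra version
INVENTORY = [
    "cpe:/a:microsoft:sql_server:6.5",
    "cpe:/h:asus:rt-n16",
    "cpe:/o:freebsd:freebsd:3.5.1",
    "cpe:/o:freebsd:freebsd:4.0",
]

if __name__ == "__main__":
    for name in INVENTORY:
        print(name, "->", parse_cpe(name)["kind"])
    print(applies_to("cpe:/o:freebsd:freebsd", INVENTORY))
```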
Exercise

while (1)
    mkdir x;
    cd x;
end

• What is the effect of the above code snippet?
• What vulnerability of a system allows such an attack?
• What existing OS do have the above vulnerability?
• What existing OS do have a mechanism to counter such an attack?

Solution
What is the effect of the above code snippet?
(If the OS lets it run) it will continue to create a hierarchy of new directories until the available disk space is exhausted. This is a simple and effective "Denial of Service" (DoS) attack.

What vulnerability of a system allows such an attack?
The vulnerability of such an OS is that it does not limit the amount of disk space that can be utilized by a user.

What existing OS do have the above vulnerability? Older Windows, Unix, etc.

What possible solution would you suggest to counter such an attack?
Put in place a mechanism that limits the amount of space a user may occupy.

What existing OS do have a mechanism to counter such an attack?
• 'Disk quotas' in Windows 2000 and later: limit the amount of disk space a user (not a user group) can use on a particular volume.
• 'Directory quotas' in Windows 2008 and later: limit the amount of disk space users can use in a particular folder and its subfolders.
• 'Disk quotas' in Linux: can be configured for individual users as well as user groups.
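Quotas are enforced by the operating system (Linux quota tools such as edquota, Windows disk and directory quotas), but a user-space audit of the same two quantities a quota tracks, directory entries (inodes) consumed and how deeply a tree nests, shows what the control is measuring. The following is an added example written for this exercise, not code from the slides: it builds a constructed directory chain in a temporary directory and reports whether it exceeds an assumed inode quota and an assumed nesting limit.

```python
"""Audit a directory tree against an assumed inode quota and nesting limit (added example)."""
import os
import tempfile


def audit_tree(root: str, inode_limit: int, depth_limit: int) -> dict:
    """Count directory entries below root and the deepest nesting level.

    inode_limit and depth_limit are assumed policy values; a real quota
    system enforces blocks and inodes per user or per directory in the kernel.
    """
    inodes = 0
    max_depth = 0
    root_depth = root.rstrip(os.sep).count(os.sep)
    for dirpath, dirnames, filenames in os.walk(root):
        inodes += len(dirnames) + len(filenames)   # every entry costs an inode
        depth = dirpath.count(os.sep) - root_depth
        max_depth = max(max_depth, depth)
    return {
        "inodes": inodes,
        "max_depth": max_depth,
        "over_inode_quota": inodes > inode_limit,
        "over_depth_limit": max_depth > depth_limit,
    }


def build_constructed_tree(base: str, chain_length: int) -> None:
    """Constructed sample: a chain of nested 'x' directories (the pattern the
    exercise's loop produces) plus two ordinary files at the top level."""
    path = base
    for _ in range(chain_length):
        path = os.path.join(path, "x")
        os.mkdir(path)
    for name in ("a.txt", "b.txt"):
        with open(os.path.join(base, name), "w", encoding="utf-8") as fh:
            fh.write("sample\n")


def demo(chain_length: int = 40, inode_limit: int = 25, depth_limit: int = 16) -> dict:
    """Build the constructed tree in a temp dir, audit it, and clean up."""
    with tempfile.TemporaryDirectory() as base:
        build_constructed_tree(base, chain_length)
        return audit_tree(base, inode_limit, depth_limit)


if __name__ == "__main__":
    print(demo())
```

With the defaults the chain of 40 directories plus two files consumes 42 inodes and nests 40 levels deep, so both assumed limits are exceeded; a short chain of 3 stays within them. The point for the defender is that the scarce resource here is not only bytes but inodes, which is why both Linux user quotas and directory quotas track entry counts as well as space.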
Vulnerability Management

Vulnerability management is the process of identifying, categorizing, prioritizing, and resolving vulnerabilities in the assets of an organization.

(Assess) Vulnerability Assessment
• Vulnerability assessment is discovering weaknesses (= vulnerabilities) within a target organization.
• The weaknesses are usually listed in order of severity, which itself is customizable to fit target environments.
• The vulnerability scanning tools do not usually link the weaknesses with real and concrete threats or exploits (unlike pen-testing).
VA – Sample Outputs

IP | HOSTNAME | LAST SCAN | VULN TITLE | SVR | PORT | PROT | OPERATING SYSTEM | CVE ID
*153.8.65 | [deleted for privacy] | 11-08-15 20:07 | SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE) | M | 443 | tcp | Ubuntu / Linux 2.6.x / Linux 2.6 | CVE-2014-3566
*.153.12.190 | [deleted for privacy] | 12-08-15 12:37 | SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE) | M | 443 | tcp | Ubuntu / Linux 2.6.x / Linux 2.6 | CVE-2014-3566
*.153.12.191 | [deleted for privacy] | 12-08-15 12:37 | SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE) | M | 443 | tcp | Ubuntu / Linux 2.6.x / Linux 2.6 | CVE-2014-3566
*.153.12.192 | [deleted for privacy] | 16-07-15 18:25 | SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE) | M | 443 | tcp | Ubuntu / Linux 2.6.x / Linux 2.6 | CVE-2014-3566
*.153.8.190 | [deleted for privacy] | 12-08-15 12:37 | SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE) | M | 4443 | tcp | Ubuntu / Linux 2.6.x / Linux 2.6 | CVE-2014-3566
*.153.8.191 | [deleted for privacy] | 12-08-15 12:37 | SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE) | M | 4443 | tcp | Ubuntu / Linux 2.6.x / Linux 2.6 | CVE-2014-3566
*.153.12.190 | [deleted for privacy] | 12-08-15 12:37 | SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE) | M | 4443 | tcp | Ubuntu / Linux 2.6.x / Linux 2.6 | CVE-2014-3566
*.153.12.191 | [deleted for privacy] | 12-08-15 12:37 | SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE) | M | 4443 | tcp | Ubuntu / Linux 2.6.x / Linux 2.6 | CVE-2014-3566
*.153.12.192 | [deleted for privacy] | 16-07-15 18:25 | SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE) | M | 4443 | tcp | Ubuntu / Linux 2.6.x / Linux 2.6 | CVE-2014-3566
*.153.8.184 | [deleted for privacy] | 11-08-15 20:53 | SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE) | M | 7184 | tcp | Ubuntu / Linux 2.6.x / Linux 2.6 | CVE-2014-3566
*.153.8.181 | [deleted for privacy] | 11-08-15 20:06 | SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE) | M | 8180 | tcp | Ubuntu / Linux 2.6.x / Linux 2.6 | CVE-2014-3566
*.153.12.181 | [deleted for privacy] | 11-08-15 20:06 | SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE) | M | 8180 | tcp | Ubuntu / Linux 2.6.x / Linux 2.6 | CVE-2014-3566
VA Tools
• Nessus
• OpenVAS (Nessus)
• Qualys
• Nmap
• Nikto/Wikto
• MBSA (no longer supported)
• Rapid7
• BurpSuite
• TripWire
• …
Goals of Security

"The protection afforded to an automated information system in order to attain the applicable objectives of preserving the confidentiality, integrity and availability of information system resources" [Stallings & Brown].
Confidentiality – Data
Concealment of information from unauthorised entities.
• Data at rest (storage)
• Data in process (memory)
• Data in transit
• Data in presentation (display)

Examples of confidential information
• Employee records
• Bank account information
• Patients' medical records
• Students' grades
• Government classified documents
Confidentiality – Traffic
Concealing the nature of communication such as:
• The actors (addresses) of communication: source & destination
• The frequency of communication
• The volume of communication
• The time of communication
• etc
Confidentiality – Resource Hiding
Concealing the existence of certain resources: organizations often conceal their network architecture and the existence or nature of servers behind a firewall or a proxy server (to thwart hackers).
Integrity

Data integrity
Refers to the credibility or authenticity of data. It caters for threats such as unauthorised data modification.

Data origin integrity (also called data origin authentication)
This is about the source of the data. It caters for threats such as masquerade or impersonation.

System integrity
Refers to the proper function of a system according to its stated specification. This goal caters for threats such as viruses, buffer overflow, etc.
Availability

Refers to the availability of resources or services whenever needed, subject to security clearance.

It caters for one of the most difficult categories of threats, termed "Denial of Service" (Disruption) attacks.
Security Controls
• Protect against a threat
• Reduce a vulnerability
• Limit the impact of an unwanted incident
• Detect succeeded incidents (post attack)
• Facilitate recovery (post attack)


Classification of Controls (1)

A Management: security programs, security policy, guidelines, standards, risk assessment, …
B Technical: login, encryption, authentication protocol, access control, firewall, intrusion detection system, …
C Operational: backup/restore, monitoring audit trails, account/privilege management, monitoring and adjusting firewall, media disposal, patching, awareness training, …
D Physical/Environmental: fences, CCTV, ID badges, dogs, fire alarms, fire sprinklers, …
Classification of Controls (2)

01 Preventive Controls: authentication, access control, firewall, IPS, encryption, patch management, …
02 Detective Controls: AV, IDS, forensics, logging and auditing, …
03 Responsive Controls: incident response, containment, eradication, recovery, …
04 Directive Controls: security policy & employee obligation, training & awareness, …
05 Deterrence Controls: cyber criminal law, active monitoring, CCTV, …
06 Predictive Controls: AI or machine learning applied to security.
Penetration Testing (Pentesting)
• Penetration tests attempt to identify and exploit the vulnerabilities in a system.
• Penetration testing is the process of attempting to gain access to resources without knowledge of usernames, passwords and other legitimate means of access (SANS Institute).
➔ If the pentesting is successful, then proof of access to protected resources must be shown (such as a confidential document, a change to important resources such as config files, etc).
Pentesting …
• Unlike vulnerability assessment, pentesting is not only about identifying potentially exploitable weaknesses of a system; it is about demonstrating real attacks.
• Penetration tests find exploitable flaws and measure the severity of each.
Pentesting …
• A penetration tester differs from an attacker not in the methodology used but rather in the intention of the act.
• A pentester needs to have written, authorized permission to do so.
• The pentester will report the findings to the owner of the resource.
Pentesting Tools
• Kali Linux [Metasploit]
• Backtrack (now Kali Linux)
• CoreImpact (also a vulnerability assessment tool)
• BurpSuite (web app pen testing)
• And many more (GitHub)


VA vs PT

| Vulnerability Ass. | Pentesting
1 | Identify weaknesses | Attempts to gain access by exploiting weaknesses
2 | Performed quite frequently (weekly, bi-weekly, etc) | Performed less frequently (quarterly, half-yearly, yearly)
Defense in Depth

Security Policy

"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology."
Security Policy …

A high-level management document that describes the management's expectation of the employees' security practice and responsibilities.

It sets a clear direction and demonstrates the management's support for and commitment to information security.
Security Policy (Example)
Email Use Policy
The email system is provided to assist employees in the performance of their jobs and its use should be limited to official company business.

However, incidental and occasional personal use of email is permitted.

The company reserves the right to purge identifiable personal email to preserve the integrity of email systems.

The email shall not be used in a way that may be interpreted as insulting, disruptive or offensive by any other person or company.

Examples of prohibited material include: sexually explicit messages, images, cartoons, or jokes; unwelcome propositions, requests for dates or love letters; ethnic, racial or religious slurs.

All email sent or received will be logged and, when considered appropriate by the company, it may be opened and read by a duly authorized officer.
IT Security Standards
• Normalize/harmonize information security programs
• Provide common frameworks and languages across different organizations
• Set government or industry compliances/regulations
• Structure information security programs
• Harmonize skill sets
• Enable information to be shared between organizations
• Help organizations focus on the most important elements of security
IT Security Standards
• ISO 27001/2 (ISO 17799 - Code of practice) /3/4/5 ….
• X.800 (Security Architecture for OSI)
• X.509
• PCI DSS (payment card industry data security std)
• NIST (FIPS) – www.nist.org
• ENISA (??)
• Sarbanes Oxley - SoX
• HIPAA -
• COBIT

Security Certification

• CISSP: Certified Information Systems Security Professional ((ISC)²)
• CEH: Certified Ethical Hacker (EC-Council)
• CCSP: Certified Cloud Security Professional ((ISC)²)
• AWS CSA, AWS (Speciality Security)
• Azure: ….
• SSCP: Systems Security Certified Practitioner ((ISC)²)
• CISM: Certified Information Security Manager (ISACA)
• CISA: Certified Information Systems Auditor (ISACA)
• GCIH: GIAC Certified Incident Handler (GIAC – SANS Security)
• GCFA: GIAC Certified Forensics Analyst (GIAC – SANS Security)
• CompTIA Security +
• CCSA: Check Point Certified Security Administrator (Checkpoint)
• CCSE: Check Point Certified Security Expert (Check Point)
• CCNA Security
• CCNP Security
• PCNSE6: Palo Alto Networks Certified Network Security Engineer 6.0 (PA)

CISSP: The 8 domains

1. Security and Risk Management (Security, Risk, Compliance, Law, Regulations, and Business Continuity)
2. Asset Security (Protecting Security of Assets)
3. Security Engineering (Engineering and Management of Security)
4. Communication and Network Security (Designing and Protecting Network Security)
5. Identity and Access Management (Controlling Access and Managing Identity)
6. Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
7. Security Operations (Foundational Concepts, Investigations, Incident Management, and Disaster Recovery)
8. Software Development Security (Understanding, Applying, and Enforcing Software Security)

Security and Risk Management

• Confidentiality, integrity, and availability concepts
• Security governance principles
• Compliance
• Legal and regulatory issues
• Professional ethics
• Security policies, standards, procedures and guidelines



Asset Security

• Information and asset classification

• Ownership (e.g. data owners, system owners)

• Protect privacy

• Appropriate retention

• Data security controls

• Handling requirements (e.g. markings, labels, storage)



Security Engineering

• Engineering processes using secure design principles


• Security models fundamental concepts
• Security evaluation models
• Security capabilities of information systems
• Security architectures, designs, and solution elements vulnerabilities
• Web-based systems vulnerabilities
• Mobile systems vulnerabilities
• Embedded devices and cyber-physical systems vulnerabilities
• Cryptography
• Site and facility design secure principles
• Physical security

Communication and Network Security

• Secure network architecture design (e.g. DMZ, Firewall, IDS-IPS, Segmentation)

• Secure network components

• Secure communication channels

• Network attacks

Identity and Access Management

• Physical and logical assets control

• Identification and authentication of people and devices

• Identity as a service (e.g. cloud identity)

• Third-party identity services (e.g. on-premise)

• Access control attacks

• Identity and access provisioning lifecycle (e.g. provisioning review)



Security Assessment and Testing

• Assessment and test strategies

• Security process data (e.g. management and operational controls)

• Security control testing

• Test outputs (e.g. automated, manual)

• Security architectures vulnerabilities



Security Operations

• Investigations support and requirements
• Logging and monitoring activities
• Provisioning of resources
• Foundational security operations concepts
• Resource protection techniques
• Incident management
• Preventative measures
• Patch and vulnerability management
• Change management processes
• Recovery strategies
• Disaster recovery processes and plans
• Business continuity planning and exercises
• Physical security
• Personnel safety concerns

Software Development Security

• Security in the software development lifecycle

• Development environment security controls

• Software security effectiveness

• Acquired software security impact


End of Chapter 1
