Robert Chew's Knowledge Retention

Security is a chain; you are only as strong as the weakest link. CISSP uses the defence-in-depth analogy.

1. Security and Risk Management

The first domain builds upon the concepts of information security and risk management by applying principles of confidentiality, availability, and integrity of security governance and compliance.

Risk management is an integral part of security uses threat modelling against the acquisition and management of hardware, software, and service contracts to perform a risk analysis, countermeasure selection and implementation, risk monitoring, reporting, and risk frameworks.

2. Asset Security

The classification of information and ownership of information, systems, and business processes addresses the collection, handling, and protection of information throughout its lifecycle. This relates to data owners, processors, reminisce, and limitations on collection and storage.

Importantly the collection and storage of information must include data retention. Retention must be considered in light of organizational, legal, and regulatory requirements. Factors used in conjunction with this include baselines, scoping and tailoring, standards selection and cryptography, data handling requirements, data storage, labelling, and destruction.

3. Security Engineering

Security engineering considers the system architecture that delivers functionality yet protects against malicious acts, human error, hardware failure, and natural disasters. It involves the integration of security controls, behaviours, and capabilities into information systems and enterprise architecture.

The ability to implement and manage security engineering processes using secure design principles using security models and designing requirements based on organization requirements, security policies, controls, and countermeasures that satisfy those design requirements.

For example, designs might cover client and server-side vulnerabilities, database security, distributed systems, and cloud security, cryptographic systems and industrial controls, web application vulnerabilities, mobile devices, and embedded systems.

Protecting information through cryptographic concepts and systems, while in motion and at rest, is provided by using public key infrastructure, key management practices, digital signatures, and digital rights management. This ensures data integrity, confidentiality and authenticity against cryptanalytic attack vectors including social engineering, brute force, cypher-text only, known plaintext, frequency analysis, chosen cypher-text, and implementation attacks.

4. Communications and Network Security

A thorough understanding of designing and implementing network topologies, IP addressing, network segmentation, switching and routing, wireless networking, the OSI and TCP models and the TCP/IP protocol suite as the main contents of this domain encompass network architecture, transmission methods, transport protocols, control devices, and security measures used to maintain the confidentiality, integrity, and availability of information transmitted.

Finally, the ability to operate and secure switches, routers, wireless access points using cryptography and various related protocols are fundamental to using applications including data, voice, remote access, multimedia collaboration, and virtualized networks.

5. Identity and Access Management

Third-party cloud services that use identity services and access management will be extensively reviewed via the management and implementation of authorizations mechanisms used in the interaction between humans and information systems, of disparate information systems, and even between individual components of information systems. Compromising an identity or an access control system to gain unauthorized access to systems and information also happens to be the net goal of almost all attacks involving the confidentiality of data so it is an area where information security professionals should invest a considerable amount of time. Key topics will be identity management systems, single and multi-factor authentication, accountability, session management, registration and proofing, federated identity management, and credential management systems.

6. Security Assessment and Testing

The validation of assessment and test strategies are using vulnerability assessments, penetration testing, synthetic transactions, code review and testing, misuse case, and interface testing against policies and procedures that cover information assets and associated infrastructure using various tools and techniques for the purposes of identifying and mitigating risk due to architectural issues, design flaws, configuration errors, hardware and software vulnerabilities, coding errors, and any other weaknesses that may affect an information system’s ability to deliver its intended functionality in a secure manner.

The aim is to ensure that disaster recovery and business continuity plans are maintained, updated, and will function as intended in the event of a disaster. To this end, the security assessment and testing domain include topics in the collection of security process data, account management, management review, key performance and risk indicators, verification of backups, training, and awareness, and disaster recovery and business continuity.

7. Security Operations

This domain will cover various investigative concepts, including evidence collection and handling, documentation and reporting, investigative techniques, and digital forensics. Further, an understanding of investigation requirements from an operational, criminal, civil, and regulatory perspective is necessary.

The logging and monitoring mechanisms to support forensic investigations, logging, and monitoring provide visibility into the day to day operation of the information technology infrastructure will be reviewed especially when considering intrusion detection and prevention, security information and event monitoring systems, and data leakage protection.

Key technologies include firewalls, intrusion prevention systems, application whitelisting, anti-malware, honeypots, and sandboxing to assist with managing third party security contracts and services, patch, vulnerability, and change management processes.

An important aim of this domain is to plan for incident response and recovery, disaster recovery, and business continuity.

8. Software Development Security

Software development security involves the application of security concepts and best practices to production and development software environments.

A good understanding and capability of how to apply security to software development tools, source code weaknesses and vulnerabilities, configuration management as it relates to source code development, the security of code repositories, and the security of application programming interfaces which should be integrated into the software development lifecycle considering development methodologies, maturity models, operations and maintenance and change management as well as understanding the need for an integrated product development team.

References: CISSP CBK Reference

Deploy an ASP.NET web application to Web Apps (API)

1. In the editor, in the ImagesController class on line 26, observe the GetCloudBlobContainer method and the code used to retrieve a container.

2. In the ImagesController class on line 36, observe the Get method and the code used to retrieve all blobs asynchronously from the images container.

3. In the ImagesController class on line 55, observe the Post method and the code used to persist an uploaded image to Storage.

Deploy an ASP.NET web application to Web Apps (WEB)

1. In the editor, in the IndexModel class on line 30, observe the OnGetAsync method and the code used to retrieve the list of images from the API.