Source: InfoSec Institute Web article, January 2016
Summary: This article was about Information Security Governance and Risk Management in the CISSP domain. In the article some basic guiding principles for security are highlighted; the fundamental principles of security revolve around the CIA triad, i.e. confidentiality, integrity and availability. Confidentiality ensures that data such as personally identifying information is kept confidential, integrity ensures the accuracy of the data and that it is not modified by anyone else, and availability ensures that the data is available whenever it is needed, i.e. no DoS attack or any other attack blocks access to the data. Risk management covers the analysis of both the qualitative and the quantitative aspects of risk assessment. Four major concepts need to be understood for risk management. The first is the value of the assets and information (AV, or asset valuation). Secondly, the threats against those assets need to be analyzed, and thirdly the vulnerabilities associated with all those assets need to be checked. For any risk to materialize, a threat has to be connected to a vulnerability. Finally, the impact of these vulnerabilities and threats on the organization needs to be analyzed. Thus, the risk is calculated as Risk = Asset value × Threat × Vulnerability × Impact.
Comments: I thought that this article explained the concepts of information security and risk management needed in the CISSP domain very well. The article offered some smart tips on the CIA triad, which is the fundamental principle of information security. The concepts in information risk management are also very well reviewed and explained. Any organization can now quantify the variables needed in risk management and the decisions that should be taken to overcome the associated risk.
CISSP Domains - Access Control
Source: CISSP Book, November 2009
Summary: This article was about access control concepts, methods, and techniques in the CISSP domain. The article talks about access control to information processing facilities and to information systems by means of technical, physical and administrative methods of security. Two types of access control mechanisms are defined: context-based access control, in which access is controlled on the basis of contextual parameters like access history, time, location, sequence of responses, etc., and content-dependent access control, in which access is based on the object's content or attributes. Access to any object is controlled by methods that are defined in access control models. In the discretionary access control model, some authority is given to the subject to access certain objects, while non-discretionary access control is rule based. In centralized access control, a central location performs all three core functions of access, i.e. authentication, authorization and accountability (AAA), while in decentralized access control the core functions of access are distributed.
Comments: I thought that this article explained the fundamental concepts of access control and their methodologies and techniques, like centralized and decentralized access control, RBAC, MAC, etc., in the CISSP domain very well. The article offered some smart tips on access control and authentication, which is the basic necessity for information security. Authentication concepts are also defined in detail, which helps a lot in learning the mechanism. Some of the attacks, like DoS attacks, spoofing, etc., which compromise access control systems are also defined. Thus, overall the article provides a good overview of the access control mechanism in the CISSP domain, which helps in controlling access to an object by any subject.
CISSP Domains - Security Architecture and Design
Source: Purdue University Educational site, January 2016
Summary: This article was about information security architecture and design in the CISSP domain. In the article some basic guiding principles about how to secure an enterprise, along with security models and architecture theory, are discussed. The system architecture consists of three basic components: peripherals, storage devices, and the CPU. Primarily the data is stored in registers or cache memory, while secondary storage devices consist of disks. All tasks are performed with the help of applications that interact with the operating system. Various security models like the Biba integrity model, the Clark-Wilson integrity model, the Bell-LaPadula confidentiality model, and the Brewer and Nash model have been defined, in which basic rules (like no read up, no write up, no write down, no read down) are used and enforced to maintain confidentiality. Other models like the non-interference model, the state machine model, and the Graham-Denning model define the rules that are enforced to maintain confidentiality. Evaluation methods like TCSEC (Trusted Computer System Evaluation Criteria) are used to address confidentiality by verifying protection and providing security.
Comments: I thought that this article explained the major areas of system architecture and design very well, covering all the topics like design concepts, system architecture, storage devices, operating systems, security models, operational modes, system evaluation methods, and certification and accreditation. The trusted computing base is introduced in a very good way in the article, and the methods of evaluating the system to assess the levels of security are also very well defined. Overall, the article provides a very good insight into the CISSP domain's system architecture and design, which helps a lot in learning the information security mechanism.
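Since the summary names the Bell-LaPadula and Biba rules, here is an added example (not code from the article or the Purdue slides) that enforces them as a small reference monitor; the level names, subjects and objects are constructed for illustration.

```python
# Added example (not from the article): a tiny reference monitor that
# enforces the Bell-LaPadula confidentiality rules and the Biba integrity
# rules named in the summary. Level names are constructed for illustration.
from dataclasses import dataclass

# Ordered lattice of labels, lowest to highest (constructed).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class Entity:
    """A subject (user/process) or object (file/record) with one label."""
    name: str
    level: str


def _rank(level: str) -> int:
    if level not in LEVELS:
        raise ValueError(f"unknown level: {level}")
    return LEVELS[level]


def blp_allows(subject: Entity, obj: Entity, op: str) -> bool:
    """Bell-LaPadula (confidentiality): 'no read up', 'no write down'."""
    s, o = _rank(subject.level), _rank(obj.level)
    if op == "read":
        return s >= o  # may read only at or below own clearance
    if op == "write":
        return s <= o  # may write only at or above own clearance
    raise ValueError(f"unknown operation: {op}")


def biba_allows(subject: Entity, obj: Entity, op: str) -> bool:
    """Biba (integrity): 'no read down', 'no write up'."""
    s, o = _rank(subject.level), _rank(obj.level)
    if op == "read":
        return s <= o  # may read only at or above own integrity level
    if op == "write":
        return s >= o  # may write only at or below own integrity level
    raise ValueError(f"unknown operation: {op}")


def decide(model: str, subject: Entity, obj: Entity, op: str) -> str:
    """Return 'ALLOW' or 'DENY' for one request under 'blp' or 'biba'."""
    check = {"blp": blp_allows, "biba": biba_allows}[model]
    return "ALLOW" if check(subject, obj, op) else "DENY"


if __name__ == "__main__":
    analyst = Entity("analyst", "confidential")
    report = Entity("secret-report", "secret")
    bulletin = Entity("public-bulletin", "public")
    # Same subject and objects: the two models give opposite answers,
    # because one protects secrecy and the other protects trustworthiness.
    for model in ("blp", "biba"):
        for obj in (report, bulletin):
            for op in ("read", "write"):
                print(model, op, obj.name, decide(model, analyst, obj, op))
```

Run it and compare the BLP and Biba columns: every request the confidentiality model allows for the confidential-level analyst, the integrity model denies, and vice versa.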
CISSP Domains - Physical and Environmental Security
Source: Web page article, December 2012
Summary: This article was about the physical and environmental security that is necessary to protect against threats, both natural and man-made, like unauthorized access. Controls can be physical, technical and administrative. Physical access control methods are used to define boundaries and to restrict access to a security perimeter. Technical controls include surveillance, monitoring, alarms and intrusion detection systems. Various procedures and policies are implemented to provide administrative control. Environmental and life safety controls are implemented to provide a safe environment for both equipment and personnel. Fire safety, HVAC, water, natural phenomena, power, and unnatural phenomena are the major environmental controls. Natural phenomena include the risks that may arise from earthquakes, tornadoes, hurricanes and other types of dangerous weather conditions. Physical security may also be affected by non-natural phenomena like a terrorist attack, civil disturbance, disturbances created by customers, contractors or employees, or a biological attack. So, disaster recovery plans, incident response plans, and contingency plans should be tested in advance to limit the damage caused by any physical or environmental event.
Comments: I thought that this article provided a good overview of physical and environmental security. The types of physical access control (like smart cards, mantraps, magnetic stripes, turnstiles), technical control (like closed-circuit television (CCTV), motion sensors, door hinges, etc.) and environmental and life safety controls (controlling fire; heat, smoke and flame detectors; dry pipe systems; deluge systems) are very well documented. It is very well explained how various controls can be applied to provide physical and environmental security against various threats that may be both natural and man-made. I strongly recommend that this article be studied for gaining knowledge in this particular field.
CISSP Domains - Telecommunications and Network Security
Source: CISSP Book, December 2009
Summary: This article was about telecommunications and network security concepts in the CISSP domain. The article talks about the transport, network and link layers and the various protocols involved in these layers. The transport layer does the packaging (encapsulation) and unpacking (abstraction) of the data. TCP, a protocol used at the transport layer, is a connection-oriented protocol where data sent is acknowledged. It uses a three-way handshake process for establishing and terminating a connection. UDP, on the other hand, is a connection-less protocol that does not guarantee the delivery of data. ICMP packets are used by UDP to ping the server or hosts. Other transport layer protocols are SCTP, SPX, ATP, DCCP, and FCP. The network layer is for internetworking, where gateways are used to communicate between different networks. Error detection and passing packets between the data link layer and the transport layer are done by this layer. Internet Protocol, IP Security, ICMP, and IGMP are some of the protocols of this layer. The IP protocol is responsible for sending data from one computer to another. Authentication and encryption functions are provided by the IPSec protocol. The link layer links the nodes, hosts, or servers in a network.
Comments: I thought that this article focused very well on the transport, network and data link layers involved in telecommunication and network security in the CISSP domain. The different layers with their protocols are very well explained. Also, various attacks, threats, vulnerabilities and countermeasures associated with the different layers have been explained in detail. The most important protocol involved in providing end-to-end security by encrypting and authenticating the data involved in IP-based communications, and which works on the network layer, i.e. IPSec, is explained in detail, which makes this article very beneficial for users.
CISSP Domains - Cryptography
Source: InfoSec Institute Web article, January 2016
Summary: This article provided details about cryptography in the CISSP domain. Cryptography is needed to ensure the security of the data transferred, where plain text is converted to cipher text. Basically, there are two types of ciphering: transposition and substitution. In transposition, letters are rearranged, so DRAB becomes BRAD on rearranging B and D. In substitution, one character is substituted by another character; for example, in the word POWER, P is substituted by C, O by R, W by O, E by W and R by N, so we get the word CROWN. Both symmetric and asymmetric algorithms are used to provide ciphering. Symmetric has just one key, which is the secret key, and asymmetric has a combination of public and private keys. These two keys used together help in ensuring complete confidentiality of the data when the data is decrypted. Integrity is ensured with the help of private keys, as the data can be compared on both sides after decryption to ensure it has not been changed. Various symmetric ciphering algorithms that are used are DES, AES, triple-DES, RC4, RC5, and RC6. The Diffie-Hellman algorithm is an asymmetric one.
Comments: I thought that this article provided an overview of cryptography and security in the CISSP domain well, but the details required to understand the various algorithms, cipher types, and other terms have not been demonstrated in a very detailed manner. Many names like DES, AES, triple-DES, RC4, RC5, RC6 and the Diffie-Hellman algorithm have been mentioned in the article, but no detail about them has been provided. I thought the article needs to be reviewed and updated with some more details so as to enable a novice to learn all these concepts.
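The two cipher families from the summary, as an added example that is not from the article: the substitution and transposition keys are constructed so that the article's POWER/CROWN and DRAB/BRAD pairs come out, and the final check shows why transposition leaves letter frequencies intact while substitution does not.

```python
# Added example (not from the article): a monoalphabetic substitution cipher
# and a block transposition cipher reproducing the summary's POWER -> CROWN
# and DRAB -> BRAD, plus a check showing how the two families differ.
# Both keys are constructed for illustration.
import string

# Substitution key: position i of the key is the ciphertext letter for the
# i-th plaintext letter A..Z.  Built so that P->C, O->R, W->O, E->W, R->N;
# the other positions are filled arbitrarily to keep it a permutation.
SUBST_KEY = "ABDEWFGHIJKLMPRCQNSTUVOXYZ"
# Transposition key: output position i takes the input letter at perm[i],
# so a 4-letter block D R A B becomes B R A D.
TRANS_KEY = (3, 1, 2, 0)


def substitute(text: str, key: str = SUBST_KEY) -> str:
    return text.upper().translate(str.maketrans(string.ascii_uppercase, key))


def unsubstitute(text: str, key: str = SUBST_KEY) -> str:
    return text.upper().translate(str.maketrans(key, string.ascii_uppercase))


def transpose(text: str, perm=TRANS_KEY, pad: str = "X") -> str:
    n = len(perm)
    text = text.upper()
    text += pad * (-len(text) % n)  # pad the final block to a full width
    blocks = range(0, len(text), n)
    return "".join("".join(text[start + j] for j in perm) for start in blocks)


def untranspose(text: str, perm=TRANS_KEY) -> str:
    n = len(perm)
    inverse = [0] * n
    for i, j in enumerate(perm):  # invert the permutation
        inverse[j] = i
    blocks = range(0, len(text), n)
    return "".join("".join(text[start + i] for i in inverse) for start in blocks)


def looks_like_transposition(plain: str, cipher: str) -> bool:
    """Transposition only reorders letters, so plaintext and ciphertext have
    the same letter counts (letter frequencies survive); substitution does
    not.  Assumes an unpadded pair of equal length."""
    return sorted(plain.upper()) == sorted(cipher.upper())


if __name__ == "__main__":
    print(substitute("POWER"), unsubstitute("CROWN"))  # CROWN POWER
    print(transpose("DRAB"), untranspose("BRAD"))      # BRAD DRAB
    print(looks_like_transposition("DRAB", "BRAD"))    # True
    print(looks_like_transposition("POWER", "CROWN"))  # False
```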
CISSP Domains - Business Continuity and Disaster Recovery
Source: InfoSec Institute Web article, January 2016
Summary: This article highlighted the importance of business continuity and disaster recovery planning. Details about how to continue business in the event of a disaster have been provided. The organization makes a business continuity plan on how to continue business. A disaster recovery plan, a continuity of operations plan and a business resumption plan are also made to enable moving from the disaster recovery site back to the normal operations or business environment. A business impact analysis (BIA) needs to be done by the organization to identify all the business functions that are critical. The recovery time objective and recovery point objective are also defined in the BIA, which helps IT in determining what backup strategy will be required in case of a disaster. In the disaster recovery plan, the different options or recovery sites need to be understood in order to save cost and ensure availability. Testing of all these plans is mandatory. Different types of testing are needed, like a structured walkthrough, parallel processing, and interruption testing when the full business is up. Recovery team members also need to be trained in parallel.
Comments: I thought that this article explained the fundamental concepts of business continuity and disaster recovery in the CISSP domain very well. The article offered some smart tips on the various plans like the business continuity plan, continuity of operations plan, disaster recovery plan, business resumption plan and business impact analysis that need to be done in advance in order to ensure fast recovery of the business during a disaster and availability of the business during the disaster situation. Thus, overall the article provides a good overview of the business continuity mechanism in the CISSP domain, which helps in determining the backup plan during a disaster.
CISSP Domains - Legal, Regulations, Investigations, and Compliance
Source: Purdue University Educational site, January 2016
Summary: This article highlighted the Legal, Regulations, Investigations, and Compliance domain of the CISSP, which is required to address computer crime laws. The techniques and measures that help in investigating whether a crime has been committed are determined. Legal regulations are required, as violations of laws through computers can damage the company's reputation. The major types of legal systems are civil law, common law, religious law, customary law and mixed law. Information technology laws include intellectual property laws that address how any property owned by a company or person can be protected and what can be done in case the rights are violated. Patents, trademarks, copyright, trade secrets and licensing issues come under intellectual property. In case of negligence by a company to protect itself from computer crime, it is legally liable for damages. Computer crime, in which the computer is used as a tool and which has no borders, is now pursued by many criminals. Computer forensics deals with the legal system and evidence to stop computer crime. Thus, all CISSPs must commit fully to supporting the code of conduct, which requires them to act honestly, honorably, responsibly, legally and justly.
Comments: I thought that this article excellently explained the concepts of Legal, Regulations, Compliance and Investigations in the CISSP domain. Details about why these laws are needed, types of legal systems, information technology law, intellectual property law (for patents, trademarks, copyright, etc.), licensing issues, privacy issues, liability, computer crime, computer forensics, digital evidence, incident response and the code of ethics have been very well defined. I really like this article and recommend it to others as well, to enhance their knowledge in this particular area.
CISSP Domains - Application Security
Source: InfoSec Institute Web article, January 2016
Summary: This article was about application development security and provided awareness about how different security is demanded by different environments. For example, the security needed for a web-based application would be different from that of a mainframe application. Web application security talks about how to protect a web application from attacks from the internet. For any application development, three things are vital: always validating the input, validating the data during processing, and validating the output data. Mobile application security covers antivirus software, Java applets, malware, ActiveX controls, spam detection software, etc. Before putting any application into production, it must be secured by running a vulnerability scan against the code. Patch management is also a very important area, which states that all the systems under development should be patched. Also, it must be ensured that the operating system on which the application is going to run in production is patched and current, since its vulnerabilities have already been identified and patched.
Comments: I thought that this article excellently explained the concepts of application development security in the CISSP domain. Details about the different security demands of different applications, web application security, mobile application security and patch management have been provided very well. Readers can read this article to start with in order to get certifications in application development security. I really like this article and recommend it to others as well, to enhance their knowledge in this particular area.
CISSP Domains - Security Operations
Source: InfoSec Institute Web article, January 2016
Summary: This article was about operations security, which talks about the confidentiality, integrity, and availability of data and systems. To maintain CIA for both systems and data, there should be controls for both the data and the people accessing that data. For staff with access to sensitive data, job rotation and enforced vacations should be applied to deter or prevent fraud. Role-based access control should also be implemented, and every person should have a separate sign-on. Failed login attempts should be reported and highlighted to indicate any password attack. To protect the system, vendor visits to the site to make upgrades or changes should take place in the presence of someone from OpSec who is knowledgeable enough to prevent any data leakage. Mean Time Between Failures and Mean Time To Repair should be defined for maintenance in OpSec. Access to data should also follow least privilege, i.e. it should be accessible only to those who need to see it. RTOs and RPOs for the data in OpSec should be achieved by backing up data and storing it offsite. The OpSec team should also have a thorough incident response plan.
Comments: I thought that this article explained the concepts of operations security in a very good manner, where all the points about providing confidentiality, integrity, and availability to the data and systems are explained in detail. All the major functions of the OpSec group, the various plans they need to make (like the IR plan, COOP, DRP, etc.) and the points about saving data and systems are explained with examples, which relate this theory to practical applications and hence make it an easy way to learn the topic. I really enjoyed this article and recommend others to go through it.
Works Cited
Adrian, Citu. CISSP Notes – Physical Security. 15 December 2012. September 2016 <https://itblog.adrian.citu.name/2012/12/15/my-cissp-notes-physical-security/>.
Grama, Joanna. CISSP Luncheon Series: Legal, Regulations, Compliance, and Investigations. 2016. <http://www.purdue.edu/securepurdue/docs/training/LegalRegulationsComplianceInvestigations.pdf>.
infosecinstitute.com. CISSP Domain – Application Development Security. January 2016. September 2016 <http://resources.infosecinstitute.com/cissp-domain-application-development-security/>.
—. CISSP Domain – Business Continuity and Disaster Recovery. January 2016. September 2016 <http://resources.infosecinstitute.com/cissp-domain-business-continuity-and-disaster-recovery/>.
—. CISSP Domain – Cryptography and Security. January 2016. September 2016 <http://resources.infosecinstitute.com/cissp-domain-cryptography/>.
—. CISSP Domain – Information Security Governance and Risk Management. January 2016. September 2016 <http://resources.infosecinstitute.com/cissp-domaininformation-security-governance-and-risk-management/#article>.
—. CISSP Domain – Operations Security. January 2016. September 2016 <http://resources.infosecinstitute.com/cissp-domain-operations-security/>.
Srinivasan, M.L. "CISSP: Security Measures for Access Control." Srinivasan, M.L. CISSP in 21 days. New Delhi: Packt books, 2009.
—. Telecommunications and Network Security Concepts for CISSP Exam. December 2009. September 2016 <https://www.packtpub.com/books/content/telecommunications-and-network-security-concepts-cissp-exam>.
Stanfield, Rob. IT Networks and Security & CERIAS CISSP Luncheon Series Security Architecture and Design. January 2016. September 2016 <http://www.purdue.edu/securepurdue/docs/training/cissp_security_architecture.pdf>.