"深入理解CISSP考试内容，全面备考指南"

版权申诉

CISSP

194 浏览量更新于2024-02-23 收藏 1.35MB PDF 举报

身份认证购VIP最低享 7 折!

领优惠券(最高得80元）

资源详情

资源推荐

 Assess risk. You have a risk when you have a threat and a vulnerability. In those cases, you need to figure out the

chances of the threat exploiting the vulnerability and the consequences if that does happen. Be familiar with the

approaches:

 Qualitative. This method uses a risk analysis matrix and assigns a risk value such as low, medium or high.

For example, if the likelihood is rare and the consequences are low, then the risk is low. If the likelihood is

almost certain and the consequences are major, then the risk is extreme.

 Quantitative. This method is more objective than the qualitative method; it uses dollars or other metrics

to quantify risk.

 Hybrid. A mix of qualitative and quantitative. If you can easily assign a dollar amount, you do; if not, you

don’t. This can often provide a good balance between qualitative and quantitative.

 Respond to risk. You must formulate a plan of action for each risk you identify. For a given risk, you can choose

risk mitigation (reduce the risk), risk assignment (assign the risk to a team or provider for action), risk acceptance

(accept the risk) or risk rejection (ignore the risk).

Outside of the three primary steps for applying risk management, you should familiarize yourself with some of the details

for those three steps:

 Countermeasure selection and implementation. You can use a software or hardware solution to reduce a

particular risk by implementing a countermeasure, sometimes referred to as a “control” or a “safeguard.” Suppose

you have a password policy that a legacy application cannot technically meet (for example, the app is limited to 10

characters for the password). To reduce the likelihood of that password being compromised, you can implement

any of several countermeasures: For instance, you can require that the password be changed more frequently than

other (longer) passwords, or mandate that the password be stored in a secure password vault that requires two-

factor authentication. For your exam preparation, don’t just understand the words and definitions; understand

how you implement the concepts in your environment. You don’t have to provide a step-by-step technical

configuration, but you must understand the implementation process — where you start, the order of the steps you

take and how you finish.

 Applicable types of controls. Be familiar with the 6 types of controls:

 Preventive. This type of control is intended to prevent a security incident from happening. For example,

you add an anti-virus product to your computers.

 Detective. This type of control is used to identify the details of a security incident, including (sometimes)

the attacker.

 Corrective. A corrective control implements a fix after a security incident occurs.

 Deterrent. This type of control attempts to discourage attackers. For example, you lock your office

whenever you leave for lunch or go home for the day.

 Recovery. A recovery control tries to get the environment back to where it was prior to a security incident.

 Compensating. A compensating control is an alternative control to reduce a risk. Suppose you need to

enable outside users to get to your SharePoint site, which resides on your local area network. Instead of

opening the firewall to permit communication from the internet to your internal SharePoint servers, you

can implement a compensating control, such as deploying a reverse proxy to the perimeter network and

enabling SharePoint external access through the reverse proxy. In the end, the functionality is typically the

same, but the method of getting there is different.

 Security Control Assessment (SCA). You need to periodically assess your security controls. What’s working? What

isn’t working? As part of this assessment, the existing document must be thoroughly reviewed, and some of the

controls must be tested at random. A report is typically produced to show the outcomes and enable the

organization to remediate deficiencies.

 Monitoring and measurement. Monitoring and measurement are closely aligned with identifying risks. For

example, if there are many invalid database query attempts coming from your web server, it might indicate an

attack. At a minimum, it is worth investigating. Whether action is required will depend. Without the proper

monitoring in place, you won’t know about these types of events. You might not know when a person is probing

your network. Even if you are capturing monitoring information, it isn’t enough by itself. You also need a way to

measure it. For example, if your monitoring shows 500 invalid logon attempts on your web server today, is that a

cause for concern? Or is that typical because you have 75,000 users? While monitoring is used for more than

security purposes, you need to tune it to ensure you are notified about potential security incidents as soon as

possible. In some cases, it will be too late and a data breach might occur. That’s when the monitoring data becomes

valuable from a forensics perspective. You need to be able to look back at the data and figure out why you didn’t

see anything during the incident and what adjustments you need to make to minimize the chances of it happening

again.

 Asset valuation. When you think of assets, don’t just think of physical assets such as computers and office

furniture (tangible assets). Assets also include the company’s data and intellectual property (intangible assets).

While tangible assets are easy to assess for value (for example, you bought the disk drive for $250), data and

intellectual property can be harder to place a value on. Be familiar with the following strategies of intangible asset

valuation:

 Cost approach. How much would it cost to replace the asset?

 Income approach. How much income will the asset produce over its lifetime?

 Market approach. How much does a similar asset cost?

 Quantitative approach. Assigns a dollar value to assess risk.

 Qualitative approach. Assigns a score to assess risk.

 Reporting. One of the foundations of an enterprise-grade security solution is the ability to report on your

environment (what you have, what the top risks are, what’s happening right now, what happened 3 days ago, etc.).

Reporting provides information. And that information is sometimes used to start a continuous improvement

process.

 Continuous improvement. Continuous improvement is an ongoing, never-ending effort to take what you have

and improve it. Often, improvements are small and incremental. However, over time, small improvements can add

up. Continuous improvement can be applied to products (for example, upgrading to the latest version), services

(for example, expanding your internal phishing testing) or processes (for example, automating processes to save

time and improve consistency).

 Risk frameworks. A risk framework documents how your organization handles risk assessment, risk resolution

and ongoing monitoring. See http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf for an

example of a risk framework. There are other risk frameworks, such as the British Standard BS 31100. Be familiar

with risk frameworks and their goals. The NIST framework identifies the following steps: categorize, select,

implement, assess, authorize and monitor.

1.10 Understand and apply threat modeling concepts and methodologies

When you perform threat modeling for your organization, you document potential threats and prioritize those threats

(often by putting yourself in an attacker’s mindset). There are four well-known methods. STRIDE, introduced at Microsoft in

1999, focuses on spoofing of user identity, tampering, repudiation, information disclosure, denial of service and elevation

of privilege. PASTA (process for attack simulation and threat analysis) provides dynamic threat identification, enumeration

and scoring. Trike uses threat models based on a requirements model. VAST (visual, agile and simple threat modeling)

applies across IT infrastructure and software development without requiring security experts.

 Threat modeling methodologies. Part of the job of the security team is to identify threats. You can identify threats

using different methods:

 Focus on attackers. This is a useful method in specific situations. For example, suppose that a developer’s

employment is terminated. After extracting data from the developer’s computer, you determine that the

person was disgruntled and angry at the management team. You now know this person is a threat and can

focus on what he or she might want to achieve. However, outside of specific situations like this,

organizations are usually not familiar with their attackers.

 Focus on assets. Your organization’s most valuable assets are likely to be targeted by attackers. For

example, if you have a large number of databases, the database with the HR and employee information

might be the most sought after.

 Focus on software. Many organizations develop applications in house, either for their own use or for

customer use. You can look at your software as part of your threat identification efforts. The goal isn’t to

identify every possible attack, but instead to focus on the big picture, such as whether the applications are

susceptible to DoS or information disclosure attacks.

 Threat modeling concepts. If you understand the threats to your organization, then you are ready to document

the potential attack vectors. You can use diagramming to list the various technologies under threat. For example,

suppose you have a SharePoint server that stores confidential information and is therefore a potential target. You

can diagram the environment integrating with SharePoint. You might list the edge firewalls, the reverse proxy in

the perimeter network, the SharePoint servers in the farm and the database servers. Separately, you might have a

diagram showing SharePoint’s integration with Active Directory and other applications. You can use these diagrams

to identify attack vectors against the various technologies.

1.11 Apply risk-based management concepts to the supply chain

Organizations must use risk-based management concepts when they contract out tasks (such as hiring an air conditioning

company to maintain the air conditioning in their data centers), bring on new suppliers or utilize service companies to

transport their goods. Many of these concepts apply to mergers and acquisitions too.

 Risks associated with hardware, software, and services. The company should perform due diligence, which

includes looking at the IT infrastructure of the supplier. When thinking about the risk considerations, you must

consider:

 Hardware. Is the company using antiquated hardware that introduces potential availability issues? Is the

company using legacy hardware that isn’t being patched by the vendor? Will there be integration issues

with the hardware?

 Software. Is the company using software that is out of support, or from a vendor that is no longer in

business? Is the software up to date on security patches? Are there other security risks associated with the

software?

 Services. Does the company provide services for other companies or to end users? Is the company reliant

on third-party providers for services (such as SaaS apps)? Did the company evaluate service providers in a

way that enables your company to meet its requirements? Does the company provide services to your

competitors? If so, does that introduce any conflicts of interest?

 Third-party assessment and monitoring. Before agreeing to do business with another company, your

organization needs to learn as much as it can about that company. Often, third-party assessments are used to help

gather information and perform the assessment. An on-site assessment is useful to gain information about

physical security and operations. During the document review, your goal is to thoroughly review all the architecture,

designs, implementations, policies, procedures, etc. You need to have a good understanding of the current state

of the environment, especially so you can understand any shortcomings or compliance issues prior to integrating

the IT infrastructures. You need to ensure that the other company’s infrastructure meets all your company’s

security and compliance requirements. The level of access and depth of information you are able to gain is often

directly related to how closely your companies will work together. For example, if a company is your primary

supplier of a critical hardware component, then a thorough assessment is critical. If the company is one of 3

delivery companies used to transport goods from your warehouse, then the assessment is important but does not

have to be as deep.

 Minimum security requirements. As part of the assessment, the minimum security requirements must be

established. In some cases, the minimum security requirements are your company’s security requirements. In

other cases, new minimum security requirements are established. In such scenarios, the minimum security

requirements should have a defined period, such as 12 months.

 Service-level requirements. A final area to review involves service level agreements (SLAs). Companies have SLAs

for internal operations (such as how long it takes for the helpdesk to respond to a new ticket), for customers (such

as the availability of a public-facing service), and for partner organizations (such as how much support a vendor

provides a partner). All the SLAs of the company should be reviewed. Your company sometimes has an SLA

standard that should be applied, when possible, to the SLAs as part of working with another company. This can

sometimes take time, as the acquiring company might have to support established SLAs until they expire or

renewal comes up.

1.12 Establish and maintain a security awareness, education, and training

program

This section of the exam covers all the aspects of ensuring that everybody in your organization is security conscious and

familiar with the organization’s policies and procedures. In general, it is most effective to start with an awareness campaign

and then provide detailed training. For example, teaching everybody about malware or phishing campaigns before they

understand the bigger picture of risk isn’t very effective.

 Methods and techniques to present awareness and training. While the information security team is typically

well-versed on security, the rest of the organization often isn’t. As part of having a well-rounded security program,

the organization must provide security education, training and awareness to the entire staff. Employees need to

understand what to be aware of (types of threats, such as phishing or free USB sticks), understand how to perform

their jobs securely (encrypt sensitive data, physically protect valuable assets), and how security plays a role in the

big picture (company reputation, profits and losses). Training should be mandatory and provided both to new

employees and yearly (at a minimum) for ongoing training. Routine tests of operational security should be

performed (such as tailgating at company doors and social engineering tests like phishing campaigns).

 Periodic content reviews. Threats are complex and the training needs to be relevant and interesting to be

effective. This means updating training materials and awareness training, and changing out the ways which security

is tested and measured. If you always use the same phishing test campaign or send it from the same account on

the same day of the year, it isn’t effective. The same applies to other material. Instead of relying on long and detailed

security documentation for training and awareness, consider using internal social media tools, videos and

interactive campaigns.

 Program effectiveness evaluation. Time and money must be allocated for evaluating the company’s security

awareness and training. The company should track key metrics, such as the percentage of employees clicking on a

link in a test phishing email. Is the awareness and training bringing the total number of clicks down? If so, the

program is effective. If not, you need to re-evaluate it.

剩余92页未读，继续阅读

资料库01

粉丝: 403
资源: 2494

"深入理解CISSP考试内容，全面备考指南"

CISSP.Exam.Study.Guide

推荐-CISSP考证资料分享（较新）-12份.zip

ISC2.CISSP.Prepaway..全真英文模拟题700题（2019 更新 ）.pdf

cissp官方学习文档pdf

cissp官方指南第9版pdf

cissp第9版pdf

怎样顺利通过CISSP考试

cissp all in one 第九版 pdf

osg 9 cissp

计算机相关作业可以考并且最具有有含金量的证书有哪些

制定一下网络安全学习计划

请问如何学习网络安全才能学好

cissp认证考试指南

cissp东方瑞通讲义

cissp 知识点 csdn

制定一个CISSP考证计划

大三在校生，网络安全工程师职业目标定位，短期计划，中期计划，长期计划，应该怎么做达成目标

cissp思维导图 xmind

11小时cissp电子书

cissp定量计算公式学些

最新资源

ISC2.CISSP.Prepaway..全真英文模拟题700题（2019 更新）.pdf