In the individual folders you will find each domain broken down further. I also outline an extensive list of terms that cover beyond the scope of the CISSP.
I enjoyed studying for this exam. It has a very wide surface area. I would give each domain a week of study and a week of practice tests from
Security & Risk Management Tables
Overview: This domain focuses on the foundational concepts of security, risk management, governance, compliance, and ethical practices. It establishes the groundwork for understanding how to protect organizational assets and manage risks effectively.
- Confidentiality
- Encryption
- Access controls
- Data classification
- Need-to-know principle
- Integrity
- Hashing
- Digital signatures
- Checksums
- Change control
- Availability
- Redundancy
- Failover systems
- Backups
- Disaster recovery planning
- Authentication, Authorization, and Accountability (AAA)
- Multi-factor authentication
- Role-based access control (RBAC)
- Auditing and logging
- Non-repudiation
- Digital signatures
- Transaction logs
- Risk Terminology
- Asset: Anything of value to an organization
- Threat: Potential cause of an unwanted incident
- Vulnerability: Weakness that can be exploited
- Risk: Potential for loss or damage
- Exposure: Extent of potential loss
- Risk Assessment Methods
- Qualitative risk analysis
- Quantitative risk analysis
- Semi-quantitative analysis
- Risk Response Techniques
- Risk avoidance
- Risk mitigation
- Risk transference
- Risk acceptance
- Risk Register
- Documenting identified risks
- Tracking risk mitigation efforts
- Organizational Processes
- Security policies
- Standards
- Procedures
- Guidelines
- Security Roles and Responsibilities
- Senior management
- Security officers
- Data owners
- Data custodians
- Users
- Due Care and Due Diligence
- Legal obligations
- Best practices
- Legal Systems
- Civil law
- Common law
- Religious law
- Customary law
- Regulations and Standards
- GDPR (General Data Protection Regulation)
- HIPAA (Health Insurance Portability and Accountability Act)
- SOX (Sarbanes-Oxley Act)
- PCI DSS (Payment Card Industry Data Security Standard)
- Intellectual Property (IP) Law
- Copyright
- Trademarks
- Patents
- Trade secrets
- Privacy Laws and Policies
- PII (Personally Identifiable Information)
- Data protection principles
- (ISC)² Code of Ethics
- Protect society and the infrastructure
- Act honorably and legally
- Provide competent service
- Advance the profession
- Ethical Decision-Making
- Conflicts of interest
- Whistleblowing
- Compliance with laws
- Policy Types
- Organizational security policy
- Issue-specific policies
- System-specific policies
- Supporting Documents
- Standards
- Baselines
- Procedures
- Guidelines
- Threat Identification
- Adversarial threats (hackers, insiders)
- Environmental threats (natural disasters)
- Accidental threats (human error)
- Structural threats (equipment failure)
- Threat Modeling Techniques
- STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege)
- PASTA (Process for Attack Simulation and Threat Analysis)
- Trike
- Attack Surface Analysis
- Entry points
- Vulnerabilities
- Business Impact Analysis (BIA)
- Identifying critical functions
- Determining recovery priorities
- Business Continuity Planning
- Continuity strategies
- Plan development
- Disaster Recovery Planning
- Recovery strategies
- Backup solutions
- Testing and Maintenance
- Drills and exercises
- Plan updates
- Hiring Practices
- Background checks
- Employment agreements
- Onboarding and Offboarding
- Access provisioning and de-provisioning
- Exit interviews
- Security Training and Awareness
- Training programs
- Phishing simulations
- Disciplinary Actions
- Policy violations
- Legal implications
- Vendor Management
- Service Level Agreements (SLAs)
- Right to audit clauses
- Supply Chain Risks
- Counterfeit hardware/software
- Third-party vulnerabilities
- Outsourcing Considerations
- Data ownership
- Compliance requirements
- Frameworks and Models
- ISO/IEC 27001 and 27002
- NIST SP 800 series
- COBIT (Control Objectives for Information and Related Technologies)
- Control Categories
- Administrative controls
- Technical controls
- Physical controls
- Control Functions
- Preventive
- Detective
- Corrective
- Deterrent
- Recovery
- Compensating
- Program Development
- Needs assessment
- Customization to audience
- Delivery Methods
- In-person training
- E-learning modules
- Newsletters and bulletins
- Program Evaluation
- Feedback mechanisms
- Measuring effectiveness
- Asset Classification
- Public
- Internal
- Confidential
- Secret
- Asset Management
- Inventory tracking
- Ownership assignment
- Data Lifecycle
- Creation
- Storage
- Use
- Archival
- Destruction
- Key Performance Indicators (KPIs)
- Incident response times
- Number of security incidents
- Key Risk Indicators (KRIs)
- Vulnerability levels
- Threat landscape changes
- Reporting Mechanisms
- Dashboards
- Executive summaries
- Internal Audits
- Policy compliance
- Control effectiveness
- External Audits
- Regulatory compliance
- Third-party assessments
- Audit Processes
- Planning
- Evidence collection
- Reporting findings
- Access Control Models
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
- Role-Based Access Control (RBAC)
- Attribute-Based Access Control (ABAC)
- Security Baselines
- Minimum security configurations
- Defense in Depth
- Layered security approach
- Least Privilege Principle
- Minimum necessary access
- Separation of Duties
- Dividing responsibilities to prevent fraud
- Need-to-Know Principle
- Access based on job requirements
- Zero Trust Model
- Never trust, always verify
- Residual Risk
- Remaining risk after controls
- Total Risk
- Risk before controls
- Risk Appetite
- Amount of risk an organization is willing to accept
- Annualized Loss Expectancy (ALE)
- Expected monetary loss per year
- Single Loss Expectancy (SLE)
- Monetary loss from a single incident
- Annualized Rate of Occurrence (ARO)
- Frequency of an incident occurring in a year
- Exposure Factor (EF)
- Percentage of asset loss due to an incident
- Business Continuity Plan (BCP)
- Strategies to continue operations during disruption
- Disaster Recovery Plan (DRP)
- Procedures to recover systems after a disaster
- Maximum Tolerable Downtime (MTD)
- Longest period a system can be unavailable
- Recovery Time Objective (RTO)
- Target time to restore a system
- Recovery Point Objective (RPO)
- Acceptable amount of data loss in time
Overview: This domain focuses on the protection of organizational assets throughout their lifecycle. It covers concepts related to data classification, ownership, privacy protection, and secure handling of information. Understanding how to manage and protect assets is crucial for maintaining confidentiality, integrity, and availability.
- Asset Identification
- Inventory of physical assets (hardware, devices)
- Inventory of informational assets (data, intellectual property)
- Software asset management
- Asset Ownership
- Data Owner
- Responsible for data classification and protection
- Defines access rights and permissions
- Data Custodian
- Manages data storage and backups
- Implements security controls as defined by the data owner
- System Owner
- Responsible for the operation and maintenance of information systems
- Data Owner
- Asset Valuation
- Determining the importance and value of assets
- Impact analysis on asset loss or compromise
- Classification Levels
- Government/Military
- Unclassified
- Sensitive but Unclassified (SBU)
- Confidential
- Secret
- Top Secret
- Commercial Organizations
- Public
- Sensitive
- Confidential
- Private
- Government/Military
- Classification Process
- Identifying data types
- Assigning appropriate classification levels
- Labeling and marking data accordingly
- Reclassification and Declassification
- Changing the classification level based on new assessments
- Procedures for declassifying data when appropriate
- Personal Data Handling
- Personally Identifiable Information (PII)
- Data that can identify an individual
- Protection requirements
- Sensitive Personal Information (SPI)
- Health records, financial information
- Higher protection standards
- Personally Identifiable Information (PII)
- Privacy Laws and Regulations
- General Data Protection Regulation (GDPR)
- EU regulation on data protection and privacy
- Rights of data subjects
- Health Insurance Portability and Accountability Act (HIPAA)
- U.S. regulation for healthcare information
- California Consumer Privacy Act (CCPA)
- California state law on consumer data protection
- General Data Protection Regulation (GDPR)
- Data Minimization
- Collecting only necessary data
- Limiting data retention periods
- Consent and Notification
- Obtaining user consent for data collection
- Notifying users of data breaches
- Phases of Data Lifecycle
- Creation or Capture
- Generating new data
- Initial classification and labeling
- Storage
- Secure data repositories
- Access controls
- Use
- Data processing and manipulation
- Monitoring access and changes
- Sharing or Distribution
- Secure data transmission methods
- Third-party sharing agreements
- Archival
- Long-term storage solutions
- Retention policies
- Destruction or Disposal
- Data sanitization methods
- Legal requirements for data disposal
- Creation or Capture
- Access Controls
- Logical access controls (passwords, biometrics)
- Physical access controls (locks, badges)
- Encryption
- Data at rest encryption
- Data in transit encryption (TLS/SSL)
- Full disk encryption
- Data Masking and Anonymization
- Obscuring sensitive data elements
- Techniques for de-identifying data
- Data Loss Prevention (DLP)
- Monitoring data transfers
- Preventing unauthorized data exfiltration
- Data Integrity Controls
- Checksums
- Digital signatures
- Hash functions
- Marking Procedures
- Labels indicating classification levels
- Handling instructions on documents
- Handling Procedures
- Secure printing and copying practices
- Clean desk policies
- Transmission Procedures
- Secure email protocols (S/MIME, PGP)
- Encrypted file transfers
- Storage Procedures
- Locked cabinets for physical documents
- Access-controlled digital storage
- Data Remanence Risks
- Residual data remaining after deletion
- Risks of data recovery from disposed media
- Sanitization Methods
- Clearing
- Overwriting data
- Suitable for reuse within the organization
- Purging
- Degaussing magnetic media
- More thorough than clearing
- Destruction
- Physical destruction (shredding, pulverizing)
- Incineration
- Clearing
- Standards and Guidelines
- NIST SP 800-88 Guidelines for Media Sanitization
- ISO/IEC 27040 Storage Security
- Storage Types
- Primary Storage
- RAM, cache memory
- Volatile storage
- Secondary Storage
- Hard drives, SSDs
- Non-volatile storage
- Tertiary Storage
- Tape backups
- Archival storage
- Primary Storage
- Storage Technologies
- Direct-Attached Storage (DAS)
- Network-Attached Storage (NAS)
- Storage Area Networks (SAN)
- Data Redundancy and Replication
- RAID configurations
- Data mirroring
- Off-site backups
- Big Data Characteristics
- Volume, Velocity, Variety, Veracity
- Security Challenges
- Scalability of security controls
- Protecting data in distributed environments
- Data Warehousing
- Centralized data repositories
- Access controls for aggregated data
- Data Analytics Security
- Protecting analytical models
- Secure handling of analytical outputs
- Cloud Service Models
- Infrastructure as a Service (IaaS)
- Platform as a Service (PaaS)
- Software as a Service (SaaS)
- Cloud Deployment Models
- Public cloud
- Private cloud
- Hybrid cloud
- Community cloud
- Cloud Data Security
- Encryption in the cloud
- Data segregation in multi-tenant environments
- Compliance considerations
- Shared Responsibility Model
- Understanding provider and customer responsibilities
- Implementing appropriate security controls
- Mobile Device Management (MDM)
- Policy enforcement on mobile devices
- Remote wipe capabilities
- Bring Your Own Device (BYOD)
- Risks associated with personal devices
- BYOD policies and guidelines
- Data at Rest Protections
- Device encryption
- Secure containers for data storage
- Endpoint Protection Platforms (EPP)
- Anti-malware solutions
- Host-based firewalls
- Types of Intellectual Property
- Trade secrets
- Patents
- Trademarks
- Copyrights
- Protecting IP Assets
- Non-disclosure agreements (NDAs)
- Access restrictions
- Monitoring for IP theft
- Legal Remedies
- Litigation options
- Reporting mechanisms
- Legal and Regulatory Requirements
- Industry-specific regulations (e.g., financial, healthcare)
- Government mandates for data retention
- Retention Periods
- Defining how long data must be kept
- Balancing operational needs and legal obligations
- Data Archiving
- Long-term storage solutions
- Retrieval mechanisms
- Data Disposal
- Secure deletion after retention period
- Documentation of disposal processes
- Jurisdictional Considerations
- Data stored across international borders
- Compliance with local laws and regulations
- Cross-Border Data Transfers
- Privacy Shield frameworks
- Standard contractual clauses
- Legal Implications
- Government access to data
- Conflict of laws between countries
- Least Privilege
- Granting minimum necessary access
- Need-to-Know
- Access based on job function requirements
- Separation of Duties
- Dividing responsibilities to prevent fraud
- Role-Based Access Control (RBAC)
- Assigning permissions based on roles
- Attribute-Based Access Control (ABAC)
- Access decisions based on attributes (user, resource, environment)
- Data Owner
- Individual or entity responsible for data protection
- Data Custodian
- Entity that manages data storage and safeguarding
- Data Steward
- Responsible for data content, context, and associated business rules
- Sensitive Data
- Information requiring protection from unauthorized disclosure
- Data Masking
- Hiding original data with modified content
- Anonymization
- Removing personally identifiable information from data sets
- Tokenization
- Replacing sensitive data with unique identification symbols
- Data Leakage
- Unauthorized transmission of data from within an organization
- Scrubbing/Cleansing
- Removing or correcting inaccurate data
- Steganography
- Hiding data within other non-secret text or data
- Cloud Access Security Broker (CASB)
- Security policy enforcement point between cloud service consumers and providers
- Data Governance
- Overall management of data availability, usability, integrity, and security
- Electronic Discovery (eDiscovery)
- Identifying and delivering electronic information for legal cases
- Retention Schedule
- Document outlining how long data must be kept
- Data Breach Notification
- Legal requirement to inform affected parties of data breaches
Security Architecture and Engineering Tables
Overview: This domain delves into the concepts, principles, structures, and standards used to design, implement, monitor, and secure operating systems, equipment, networks, applications, and controls. It emphasizes the importance of integrating security into all aspects of system architecture and engineering to protect assets and ensure confidentiality, integrity, and availability.
- Security Models and Architecture
- Confidentiality Models
- Bell-LaPadula Model
- Simple Security Property (no read up)
- Star () Property (no write down)*
- Biba Model
- Focuses on data integrity
- Simple Integrity Axiom (no read down)
- Star Integrity Axiom (no write up)
- Bell-LaPadula Model
- Integrity Models
- Clark-Wilson Model
- Emphasizes well-formed transactions
- Uses Transformation Procedures and Constrained Data Items
- Brewer and Nash Model (Chinese Wall)
- Prevents conflicts of interest
- Clark-Wilson Model
- Availability Models
- Ensuring systems are available when needed
- Confidentiality Models
- Core Design Principles
- Least Privilege
- Users have minimum access necessary
- Defense in Depth
- Layered security approach
- Fail-Safe Defaults
- Default to secure state upon failure
- Economy of Mechanism
- Keep designs simple and small
- Complete Mediation
- Every access to a resource is checked
- Open Design
- Security does not depend on secrecy of design
- Separation of Duties
- Dividing responsibilities to prevent fraud
- Least Common Mechanism
- Minimize shared mechanisms to avoid unintended interactions
- Psychological Acceptability
- Security mechanisms should not make resources more difficult to access than if the security mechanisms were not present
- Least Privilege
- State Machine Model
- System remains secure in all states
- Information Flow Model
- Controls the flow of information to prevent unauthorized transfer
- Noninterference Model
- Actions at higher security levels do not affect lower levels
- Take-Grant Model
- Describes how rights can be passed between subjects and objects
- Access Control Matrix
- Table mapping subjects to objects with permissions
- Graham-Denning Model
- Defines secure creation and deletion of subjects and objects
- Harrison-Ruzzo-Ullman Model
- Extends Graham-Denning with a focus on access rights
- Trusted Computing Base (TCB)
- Totality of protection mechanisms within a system
- Security Kernel
- Core component of TCB enforcing security policies
- Reference Monitor Concept
- Abstract machine mediating all access
- Protection Rings
- Hierarchical layers of privilege (Ring 0 to Ring 3)
- Security Modes of Operation
- Dedicated Mode
- All users have clearance and need-to-know for all data
- System High Mode
- All users have clearance but not necessarily need-to-know
- Compartmented Mode
- Users have clearance but only access to data they are authorized for
- Multilevel Mode
- Allows processing of data at different classification levels
- Dedicated Mode
- Trusted Computer System Evaluation Criteria (TCSEC)
- Orange Book
- Classifies systems from D (minimal protection) to A (verified protection)
- Information Technology Security Evaluation Criteria (ITSEC)
- European standard focusing on functionality and assurance
- Common Criteria
- International standard (ISO/IEC 15408)
- Protection Profiles (PP)
- Sets of security requirements for a category of products
- Security Targets (ST)
- Specific security requirements and specifications
- Evaluation Assurance Levels (EAL1-EAL7)
- Increasing levels of assurance from functionally tested to formally verified design and tested
- Cryptographic Concepts
- Confidentiality
- Keeping data secret
- Integrity
- Ensuring data is unaltered
- Authentication
- Verifying identity
- Non-Repudiation
- Preventing denial of action
- Confidentiality
- Symmetric Encryption Algorithms
- DES (Data Encryption Standard)
- 3DES (Triple DES)
- AES (Advanced Encryption Standard)
- RC4, RC5, RC6
- Asymmetric Encryption Algorithms
- RSA
- Diffie-Hellman
- ElGamal
- ECC (Elliptic Curve Cryptography)
- Hash Functions
- MD5
- SHA-1, SHA-2, SHA-3
- Digital Signatures
- Ensuring authenticity and integrity
- Public Key Infrastructure (PKI)
- Certificates
- Digital documents binding public keys to entities
- Certificate Authorities (CA)
- Trusted entities issuing certificates
- Certificate Revocation Lists (CRL)
- Online Certificate Status Protocol (OCSP)
- Certificates
- Cryptographic Attacks
- Brute-Force Attack
- Trying all possible keys
- Dictionary Attack
- Birthday Attack
- Collisions in hash functions
- Man-in-the-Middle Attack
- Replay Attack
- Brute-Force Attack
- Site and Facility Design
- Location Considerations
- Natural disaster risks
- Proximity to hazards
- Perimeter Security
- Fencing, gates, guards
- Building Construction
- Reinforced walls, secure entry points
- Location Considerations
- Physical Access Controls
- Locks
- Mechanical, electronic, biometric
- Badges and ID Cards
- Mantraps
- Security Guards
- Locks
- Environmental Controls
- HVAC Systems
- Temperature and humidity control
- Fire Detection and Suppression
- Fire Classes
- Class A: Ordinary combustibles
- Class B: Flammable liquids
- Class C: Electrical fires
- Class D: Combustible metals
- Class K: Cooking oils
- Suppression Agents
- Water, CO2, dry chemicals, Halon alternatives
- Fire Classes
- Power Supply Protection
- Uninterruptible Power Supplies (UPS)
- Generators
- Surge Protectors
- HVAC Systems
- Equipment Security
- Device Placement
- Away from public areas
- Tamper Detection
- Seals, alarms
- Device Placement
- Security in the System Development Life Cycle (SDLC)
- Initiation
- Define security requirements
- Acquisition/Development
- Secure coding practices
- Implementation
- Security testing
- Operations/Maintenance
- Patching, monitoring
- Disposal
- Secure decommissioning
- Initiation
- Security Control Selection
- Based on risk assessment
- Certification and Accreditation
- Certification
- Technical evaluation of security features
- Accreditation
- Management's formal acceptance of system security
- Certification
- Applying Models to Systems
- How theoretical models translate into practical controls
- Multilevel Security Systems
- Handling data at multiple classification levels
- Trusted Recovery
- System can recover securely after failure
- Covert Channels
- Unintended communication paths
- Storage Channels
- Timing Channels
- Hardware Vulnerabilities
- Spectre and Meltdown
- Exploiting speculative execution
- Firmware Attacks
- BIOS/UEFI malware
- Spectre and Meltdown
- Software Vulnerabilities
- Buffer Overflows
- Injection Flaws
- SQL injection, command injection
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Network Vulnerabilities
- Denial-of-Service (DoS) Attacks
- Man-in-the-Middle Attacks
- Session Hijacking
- Physical Threats
- Theft
- Vandalism
- Eavesdropping
- Key Management
- Key Generation
- Secure algorithms
- Key Distribution
- Secure channels, key exchange protocols
- Key Storage
- Hardware security modules (HSM), TPM
- Key Usage
- Policies defining acceptable use
- Key Revocation and Destruction
- Procedures for compromised keys
- Key Generation
- Cryptographic Policies
- Defining acceptable algorithms and key lengths
- Quantum Cryptography
- Quantum key distribution
- Impact of quantum computing on encryption
- Layering
- Multiple layers of defense
- Abstraction
- Simplifying complex systems
- Data Hiding
- Restricting access to data at different layers
- Process Isolation
- Preventing processes from interfering with each other
- Encapsulation
- Bundling data and methods operating on data
- Database Concepts
- Database Management Systems (DBMS)
- Data Warehousing
- Aggregated data storage
- Data Mining
- Analyzing data for patterns
- Database Security Issues
- Inference
- Deriving sensitive information from non-sensitive data
- Aggregation
- Combining data to reveal sensitive information
- Inference
- Database Controls
- Views
- Restricting data visibility
- Query Restrictions
- Limiting types of queries
- Encryption
- Views
- Client-Server Models
- Security considerations in distributed environments
- Service-Oriented Architecture (SOA)
- Securing web services
- Microservices
- Managing security in microservices architecture
- Middleware Security
- Ensuring secure communication between components
- IoT Security Challenges
- Limited device resources
- Lack of standardization
- Embedded System Security
- Firmware security
- Physical security
- Industrial Control Systems (ICS)
- SCADA systems
- Security in critical infrastructure
- Cloud Service Models
- IaaS
- PaaS
- SaaS
- Cloud Deployment Models
- Public Cloud
- Private Cloud
- Hybrid Cloud
- Community Cloud
- Virtualization Security
- Hypervisor Security
- Virtual Machine Escape
- Virtual Network Security
- Security in Cloud Environments
- Data encryption
- Identity and access management
- Compliance considerations
- Trusted Computing Base (TCB)
- Hardware, software, and controls enforcing security
- Reference Monitor
- Mediates all access requests
- Security Kernel
- Implements the reference monitor
- Protection Rings
- Layers of system privilege
- Multilevel Security
- Handling data at various classification levels
- Common Criteria
- Framework for evaluating security products
- Evaluation Assurance Levels (EAL)
- Scale of assurance levels from 1 to 7
- Symmetric Encryption
- Single key for encryption and decryption
- Asymmetric Encryption
- Public and private key pair
- Hash Functions
- Producing a fixed-size hash value from data
- Digital Certificates
- Verifying identity in PKI
- Public Key Infrastructure (PKI)
- System managing digital certificates and keys
- Cryptanalysis
- Study of breaking cryptographic systems
- Side-Channel Attacks
- Attacks based on information gained from physical implementation
- Fire Classes
- Categories of fires based on fuel type
- HVAC
- Heating, ventilation, and air conditioning systems
- Electromagnetic Interference (EMI)
- Disruption caused by electromagnetic radiation
- TEMPEST
- Standards for reducing electronic signal emissions
- Data Emanation
- Unintentional data leakage through electromagnetic signals
- Hypervisor
- Software creating and running virtual machines
- Mantrap
- Physical security device controlling access
- SCADA
- Supervisory Control and Data Acquisition systems
- Microservices
- Architectural style structuring applications as collections of services
- Quantum Computing
- Computing using quantum-mechanical phenomena
- Blockchain Technology
- Distributed ledger technology for secure transactions
Communication and Network Security Tables
Overview: This domain focuses on the design, implementation, and management of secure communication networks. It covers network structures, transmission methods, transport formats, and security measures used to maintain confidentiality, integrity, and availability of information transmitted over both private and public networks.
- OSI Model (Open Systems Interconnection Model)
- Layer 1: Physical
- Cables, connectors, physical transmission media
- Layer 2: Data Link
- MAC addresses, switches, VLANs
- Layer 3: Network
- IP addressing, routing, routers
- Layer 4: Transport
- TCP/UDP protocols, port numbers
- Layer 5: Session
- Session establishment and termination
- Layer 6: Presentation
- Data encryption, decryption, formatting
- Layer 7: Application
- User interface, APIs, application services
- Layer 1: Physical
- TCP/IP Model
- Network Interface Layer
- Internet Layer
- Transport Layer
- Application Layer
- Network Topologies
- Bus
- Star
- Ring
- Mesh
- Hybrid
- Network Types
- LAN (Local Area Network)
- WAN (Wide Area Network)
- MAN (Metropolitan Area Network)
- PAN (Personal Area Network)
- CAN (Campus Area Network)
- SAN (Storage Area Network)
- Network Design Principles
- Segmentation
- Dividing networks into smaller parts
- Redundancy
- Backup systems for fault tolerance
- Scalability
- Ability to grow without performance loss
- Quality of Service (QoS)
- Prioritizing network traffic
- Segmentation
- Firewalls
- Packet Filtering Firewalls
- Filters packets based on headers
- Stateful Inspection Firewalls
- Monitors state of active connections
- Application Layer Firewalls (Proxy Firewalls)
- Intermediary between users and services
- Next-Generation Firewalls (NGFW)
- Integrated intrusion prevention, application awareness
- Packet Filtering Firewalls
- Intrusion Detection and Prevention Systems
- IDS (Intrusion Detection System)
- Monitors network traffic for suspicious activity
- IPS (Intrusion Prevention System)
- Detects and blocks threats in real-time
- HIDS/HIPS
- Host-based solutions monitoring individual devices
- NIDS/NIPS
- Network-based solutions monitoring network traffic
- IDS (Intrusion Detection System)
- Network Access Control (NAC)
- Pre-admission Control
- Evaluates devices before granting network access
- Post-admission Control
- Continuous monitoring after access is granted
- 802.1X Protocol
- Port-based network access control
- Pre-admission Control
- Routers and Switches
- Routers
- Directing data packets between networks
- Switches
- Connecting devices within a network
- Layer 3 Switches
- Combines switching and routing capabilities
- Routers
- Load Balancers
- Distributing network traffic across multiple servers
- Web Security Gateways
- Filtering web content and enforcing policies
- Unified Threat Management (UTM) Appliances
- All-in-one security solutions
- Virtual Private Networks (VPNs)
- Remote Access VPN
- Secure connection from client to network
- Site-to-Site VPN
- Secure connection between networks
- VPN Protocols
- IPSec (Internet Protocol Security)
- AH (Authentication Header)
- ESP (Encapsulating Security Payload)
- SSL/TLS VPNs
- PPTP (Point-to-Point Tunneling Protocol)
- L2TP (Layer 2 Tunneling Protocol)
- IPSec (Internet Protocol Security)
- Remote Access VPN
- Secure Communication Protocols
- SSH (Secure Shell)
- Secure remote login and command execution
- HTTPS (Hypertext Transfer Protocol Secure)
- Secure web communication using SSL/TLS
- S/MIME (Secure/Multipurpose Internet Mail Extensions)
- Secure email communication
- TLS/SSL Protocols
- TLS (Transport Layer Security)
- SSL (Secure Sockets Layer)
- SSH (Secure Shell)
- Wireless Security Protocols
- WEP (Wired Equivalent Privacy)
- Weak security, deprecated
- WPA/WPA2 (Wi-Fi Protected Access)
- WPA2-Personal (Pre-Shared Key)
- WPA2-Enterprise (802.1X Authentication)
- WPA3
- Enhanced security features
- EAP (Extensible Authentication Protocol)
- Framework for network authentication
- WEP (Wired Equivalent Privacy)
- Voice over IP (VoIP) Security
- SIP (Session Initiation Protocol)
- SRTP (Secure Real-Time Transport Protocol)
- Encryption for voice data
- Denial-of-Service (DoS) Attacks
- Distributed Denial-of-Service (DDoS)
- Overwhelming resources using multiple systems
- Flood Attacks
- SYN Flood
- ICMP Flood (Ping Flood)
- Amplification Attacks
- Using services like DNS to amplify traffic
- Distributed Denial-of-Service (DDoS)
- Spoofing Attacks
- IP Spoofing
- Forging IP addresses
- ARP Spoofing
- Poisoning ARP caches to intercept traffic
- DNS Spoofing
- Redirecting traffic by altering DNS records
- IP Spoofing
- Sniffing and Eavesdropping
- Intercepting network traffic to capture data
- Countermeasures
- Encryption
- Secure protocols
- Man-in-the-Middle Attacks
- Intercepting communication between two parties
- Countermeasures
- Mutual authentication
- Encryption
- Session Hijacking
- Taking over a valid session
- Countermeasures
- Session tokens
- Secure cookies
- Replay Attacks
- Reusing captured data to gain unauthorized access
- Countermeasures
- Time stamps
- Nonces
- Malware Propagation
- Worms
- Viruses
- Trojan Horses
- Countermeasures
- Anti-malware solutions
- Patch management
- Authentication Protocols
- RADIUS (Remote Authentication Dial-In User Service)
- Centralized authentication for network access
- TACACS+ (Terminal Access Controller Access-Control System Plus)
- Similar to RADIUS with extended features
- Kerberos
- Ticket-based authentication system
- LDAP (Lightweight Directory Access Protocol)
- Accessing and maintaining distributed directory information
- RADIUS (Remote Authentication Dial-In User Service)
- Network Management Protocols
- SNMP (Simple Network Management Protocol)
- SNMPv1/v2
- Community strings, less secure
- SNMPv3
- Enhanced security features
- SNMPv1/v2
- Syslog
- Logging network events
- SNMP (Simple Network Management Protocol)
- Secure File Transfer Protocols
- SFTP (SSH File Transfer Protocol)
- FTPS (FTP Secure)
- SCP (Secure Copy Protocol)
- Email Security Protocols
- POP3S/IMAPS
- Secure email retrieval
- SMTP with TLS
- Secure email sending
- POP3S/IMAPS
- Wireless Standards
- IEEE 802.11a/b/g/n/ac/ax
- Different Wi-Fi standards
- Bluetooth
- Short-range communication
- NFC (Near Field Communication)
- Contactless communication
- IEEE 802.11a/b/g/n/ac/ax
- Wireless Security Threats
- Evil Twin Attacks
- Rogue access points mimicking legitimate ones
- War Driving
- Searching for wireless networks
- Bluejacking and Bluesnarfing
- Unauthorized access to Bluetooth devices
- Evil Twin Attacks
- Wireless Security Controls
- MAC Filtering
- Limiting devices based on MAC addresses
- Disabling SSID Broadcast
- Hiding network name
- Wireless Intrusion Detection Systems (WIDS)
- Monitoring wireless traffic
- MAC Filtering
- Dial-Up Connections
- Legacy systems using telephone lines
- Remote Desktop Protocols
- RDP (Remote Desktop Protocol)
- Microsoft's protocol for remote access
- VNC (Virtual Network Computing)
- Platform-independent remote desktop sharing
- RDP (Remote Desktop Protocol)
- Terminal Services
- Centralized application hosting
- Wired Media
- Copper Cables
- Twisted Pair (UTP/STP)
- Coaxial Cables
- Fiber Optic Cables
- Single-Mode Fiber
- Multi-Mode Fiber
- Copper Cables
- Wireless Media
- Radio Frequency (RF)
- Microwave
- Infrared
- Transmission Methods
- Analog and Digital Signals
- Synchronous and Asynchronous Transmission
- Unicast, Multicast, Broadcast
- Network Monitoring
- Performance Monitoring
- Bandwidth usage, latency
- Security Monitoring
- Intrusion detection, log analysis
- Performance Monitoring
- Configuration Management
- Change Management Processes
- Version Control
- Patch Management
- Regular updates to network devices and software
- Incident Response
- Procedures for handling security incidents
- Virtual Networks
- VLANs (Virtual Local Area Networks)
- Segmenting networks logically
- VXLANs (Virtual Extensible LAN)
- Extending VLANs across data centers
- VLANs (Virtual Local Area Networks)
- Software-Defined Networking (SDN)
- Centralized control of network traffic
- Network Function Virtualization (NFV)
- Virtualizing network services
- Cloud Networking
- Private Cloud Networks
- Public Cloud Networking Services
- Hybrid Connectivity
- VPNs, Direct Connect options
- Content Delivery Networks (CDN)
- Distributing content closer to users
- Load Balancing Algorithms
- Round Robin
- Least Connections
- Source IP Hashing
- Security Considerations
- SSL/TLS Offloading
- DDoS Protection Mechanisms
- IP Addressing
- IPv4
- Classes A, B, C, D, E
- CIDR (Classless Inter-Domain Routing)
- IPv6
- 128-bit addressing
- IPsec Integration
- IPv4
- Routing Protocols
- Distance Vector Protocols
- RIP (Routing Information Protocol)
- Link-State Protocols
- OSPF (Open Shortest Path First)
- Path-Vector Protocols
- BGP (Border Gateway Protocol)
- Distance Vector Protocols
- Network Address Translation (NAT)
- Static NAT
- Dynamic NAT
- PAT (Port Address Translation)
- Encapsulation
- Wrapping data with protocol information
- Tunneling Protocols
- GRE (Generic Routing Encapsulation)
- IP-in-IP Tunneling
- Security Implications
- Potential for hidden malicious traffic
- Difficulty in inspection and filtering
- VoIP Technologies
- H.323 Protocol Suite
- SIP (Session Initiation Protocol)
- Video Conferencing Protocols
- RTSP (Real Time Streaming Protocol)
- RTP (Real-Time Transport Protocol)
- Security Concerns
- Eavesdropping
- Signal manipulation
- Countermeasures
- Encryption
- Secure protocols
- Common Tools
- Ping
- Testing connectivity
- Traceroute
- Identifying network paths
- Netstat
- Displaying network connections
- Nslookup/Dig
- DNS query tools
- Wireshark
- Packet analysis
- Nmap
- Network scanning and discovery
- Ping
- Troubleshooting Steps
- Identify the Problem
- Establish a Theory of Probable Cause
- Test the Theory
- Establish an Action Plan
- Implement the Solution
- Verify Full System Functionality
- Document Findings
- Segmentation
- Dividing networks to enhance security
- Subnetting
- Dividing IP networks into smaller segments
- Defense in Depth
- Layered security approach
- Zero Trust Network
- Never trust, always verify
- Encryption
- Securing data in transit
- Public Key Infrastructure (PKI)
- Framework for managing digital certificates
- IPsec
- Suite of protocols for securing IP communications
- Network Time Protocol (NTP)
- Synchronizing clocks across systems
- DNS Security Extensions (DNSSEC)
- Authenticating DNS data
- Secure Shell (SSH)
- Encrypted network communication
- 802.1X
- Port-based network access control
- Data Loss Prevention (DLP)
- Preventing unauthorized data transfers
- Intrusion Prevention System (IPS)
- Proactive threat blocking
- Content Filtering
- Blocking or allowing content based on policies
- Encapsulation
- Wrapping data with protocol headers
- Port Mirroring
- Duplicating network traffic for monitoring
- Demilitarized Zone (DMZ)
- Isolated network segment for external services
- Remote Authentication Dial-In User Service (RADIUS)
- Centralized authentication protocol
- Terminal Access Controller Access-Control System Plus (TACACS+)
- Authentication and authorization protocol
- 802.11 Standards
- Wireless networking standards
- Broadcast Storm
- Excessive broadcast traffic causing network congestion
- Spanning Tree Protocol (STP)
- Preventing loops in network topologies
- Proxy Servers
- Intermediaries for requests from clients
- Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
- Cryptographic protocols for secure communication
Identity and Access Management (IAM) Tables
Overview: This domain focuses on the methodologies and mechanisms used to control access to information systems. It encompasses the identification, authentication, authorization, and accountability of entities to ensure that the right individuals access the right resources at the right times for the right reasons.
- Identification
- Assigning a unique identity to users, devices, or processes
- Examples: Usernames, account numbers, unique identifiers
- Authentication
- Verifying the identity of a user or system
- Authentication Factors
- Something You Know
- Passwords, PINs, passphrases
- Something You Have
- Tokens, smart cards, key fobs
- Something You Are
- Biometrics (fingerprints, iris scans, facial recognition)
- Something You Do
- Behavioral biometrics (keystroke dynamics, gait analysis)
- Somewhere You Are
- Geolocation, IP address
- Something You Know
- Multi-Factor Authentication (MFA)
- Combining two or more authentication factors
- Authorization
- Determining access rights and permissions
- Implemented through access control models
- Identity Management Systems
- Centralized Identity Management
- Single point of administration
- Decentralized Identity Management
- Distributed administration across multiple systems
- Federated Identity Management
- Sharing identities across organizations
- SAML (Security Assertion Markup Language)
- OAuth
- OpenID Connect
- Centralized Identity Management
- Single Sign-On (SSO)
- Kerberos
- Ticket-based authentication protocol
- Lightweight Directory Access Protocol (LDAP)
- Directory services for authentication
- Active Directory (AD)
- Microsoft's directory service
- Kerberos
- Identity as a Service (IDaaS)
- Cloud-based identity management solutions
- Identity Proofing
- Verifying the identity of an individual before account creation
- Discretionary Access Control (DAC)
- Access decisions are made by data owners
- Flexibility but less secure due to potential misconfigurations
- Mandatory Access Control (MAC)
- Access based on fixed security attributes
- Security Labels and Clearances
- Data and users have classification labels
- Lattice-Based Access Control
- Role-Based Access Control (RBAC)
- Access based on organizational roles
- Simplifies administration
- Attribute-Based Access Control (ABAC)
- Access based on attributes of users, resources, and environment
- Fine-grained control
- Rule-Based Access Control
- Access based on predefined rules
- Often used in firewall configurations
- Access Control Policies
- Policy Definition
- Defining who can access what and under what conditions
- Policy Enforcement
- Implementing mechanisms to enforce policies
- Policy Definition
- Access Control Lists (ACLs)
- Lists specifying permissions attached to objects
- Capability Tables
- Specifies the access rights a subject has to objects
- Access Control Matrix
- A table mapping subjects to objects with assigned permissions
- Content-Dependent Access Control
- Access based on data content
- Context-Dependent Access Control
- Access based on context, such as time or location
- Audit Logs and Trails
- Recording user activities for accountability
- Monitoring Access
- Real-time Monitoring
- Event Logging
- User Behavior Analytics (UBA)
- Audit and Compliance
- Regular reviews to ensure compliance with policies
- Non-Repudiation
- Ensuring that actions can be attributed to individuals
- User Account Management
- Provisioning
- Creating user accounts with appropriate access
- De-provisioning
- Removing access when no longer needed
- Account Recertification
- Periodic review of user access rights
- Provisioning
- Credential Management
- Password Policies
- Complexity, expiration, reuse policies
- Credential Storage
- Secure storage of authentication credentials
- Password Policies
- Privileged Account Management
- Least Privilege Principle
- Granting minimum necessary access
- Privileged Access Monitoring
- Additional scrutiny for high-level accounts
- Least Privilege Principle
- Password Management Systems
- Self-service password resets
- Password synchronization across systems
- Token Devices
- Hardware Tokens
- Physical devices generating one-time passwords (OTPs)
- Software Tokens
- Applications generating OTPs
- Hardware Tokens
- Biometric Authentication
- Types of Biometrics
- Fingerprints, facial recognition, iris scans, voice recognition
- Biometric Error Rates
- False Acceptance Rate (FAR)
- False Rejection Rate (FRR)
- Crossover Error Rate (CER)
- The point where FAR and FRR are equal
- Types of Biometrics
- Certificate-Based Authentication
- Using digital certificates to authenticate users
- Federated Authentication
- SAML
- OAuth
- OpenID Connect
- Directory Services
- LDAP
- Active Directory
- X.500 Standard
- RADIUS
- Centralized authentication for network access
- TACACS+
- Cisco's protocol for authentication, authorization, and accounting
- Kerberos
- Ticket-based authentication system
- Security Assertion Markup Language (SAML)
- XML-based standard for exchanging authentication and authorization data
- OAuth and OpenID Connect
- Protocols for authorization and authentication in web applications
- Password Attacks
- Brute-Force Attack
- Dictionary Attack
- Rainbow Table Attack
- Password Spraying
- Social Engineering
- Phishing, pretexting, baiting
- Replay Attacks
- Reusing intercepted credentials
- Session Hijacking
- Taking over an active session
- Man-in-the-Middle Attacks
- Intercepting communication between two parties
- Credential Stuffing
- Using stolen credentials from one service on another
- Countermeasures
- Account lockout policies
- Multi-factor authentication
- User education and awareness
- Monitoring and anomaly detection
- Smart Cards
- Cards with embedded microchips
- Proximity Cards
- Contactless cards using RFID technology
- Biometric Systems
- Sensors and software for biometric authentication
- Security Tokens
- Devices or software generating OTPs
- Mobile Device Authentication
- Using mobile devices as authentication factors
- Public Key Infrastructure (PKI)
- Certificate authorities, digital certificates, key management
- Identity Governance and Administration (IGA)
- Managing identity and access rights across systems
- Privileged Access Management (PAM)
- Controlling and monitoring privileged accounts
- Identity Provisioning
- Automated creation and management of user accounts
- Access Recertification
- Periodic verification of user access rights
- Physical Authentication Mechanisms
- Badges and Access Cards
- Biometric Readers
- Locks and Keys
- Physical Access Logs
- Monitoring entry and exit points
- Visitor Management
- Processes for granting temporary access
- Security Guards
- Personnel enforcing physical security policies
- Access Review Processes
- Regular audits of user permissions
- Separation of Duties
- Dividing responsibilities to prevent fraud
- Least Privilege Reviews
- Ensuring users have minimum necessary access
- Compliance Requirements
- Meeting regulatory standards (e.g., SOX, HIPAA, GDPR)
- Cloud Identity Providers
- IDaaS Solutions
- AWS IAM
- Azure Active Directory
- Integration with Third-Party Services
- Federated authentication with partners
- Risk Management
- Assessing third-party security practices
- Security Information and Event Management (SIEM)
- Collecting and analyzing security events
- User Activity Monitoring
- Tracking user actions for compliance
- Anomaly Detection
- Identifying unusual access patterns
- Reporting and Metrics
- Key Performance Indicators (KPIs)
- Key Risk Indicators (KRIs)
- Authentication Factors
- Categories of information used to verify identity
- Multi-Factor Authentication (MFA)
- Use of multiple authentication factors
- Single Sign-On (SSO)
- One set of credentials for multiple systems
- Federated Identity Management
- Sharing identity information across organizations
- Biometric Error Rates
- FAR (False Acceptance Rate)
- FRR (False Rejection Rate)
- CER (Crossover Error Rate)
- Access Control Models
- DAC, MAC, RBAC, ABAC
- Least Privilege
- Minimizing user access rights
- Separation of Duties
- Dividing tasks among multiple people
- Access Control List (ACL)
- Permissions attached to an object
- Capability Table
- Rights a subject has to objects
- Access Control Matrix
- Mapping of subjects to objects with permissions
- Privilege Creep
- Accumulation of access rights over time
- Non-Repudiation
- Assurance that someone cannot deny an action
- Identity as a Service (IDaaS)
- Cloud-based identity management
- Security Assertion Markup Language (SAML)
- Standard for exchanging authentication data
- OAuth
- Open standard for access delegation
- OpenID Connect
- Authentication layer on top of OAuth 2.0
- Kerberos
- Network authentication protocol
- Directory Services
- Centralized databases for identity management
- Lightweight Directory Access Protocol (LDAP)
- Protocol for accessing directory services
- Role-Based Access Control (RBAC)
- Access based on user roles
- Attribute-Based Access Control (ABAC)
- Access based on user and resource attributes
- Rule-Based Access Control
- Access based on specific rules
- Context-Based Access Control
- Access based on context (time, location)
- User Behavior Analytics (UBA)
- Analyzing user behavior patterns
- Security Information and Event Management (SIEM)
- Real-time analysis of security alerts
Security Assessment and Testing Tables
Overview: This domain focuses on the design, performance, and analysis of security testing and assessments. It encompasses strategies for verifying that security controls are functioning as intended, identifying vulnerabilities, and ensuring compliance with policies, procedures, and regulations. Mastery of this domain enables professionals to effectively evaluate the security posture of an organization and recommend improvements.
- Security Assessment Types
- Vulnerability Assessments
- Identifying weaknesses in systems and networks
- Penetration Testing
- Simulating real-world attacks to exploit vulnerabilities
- Security Audits
- Systematic evaluation of security controls
- Code Reviews
- Examining source code for security flaws
- Architecture Reviews
- Evaluating system design for security weaknesses
- Compliance Assessments
- Ensuring adherence to policies and regulations
- Vulnerability Assessments
- Testing Methodologies
- Black Box Testing
- Tester has no knowledge of the system
- White Box Testing
- Tester has full knowledge of the system
- Gray Box Testing
- Tester has partial knowledge of the system
- Black Box Testing
- Types of Security Controls
- Administrative Controls
- Policies, procedures, training
- Technical Controls
- Firewalls, encryption, access controls
- Physical Controls
- Locks, guards, surveillance
- Administrative Controls
- Control Testing Techniques
- Automated Scanning
- Using tools to scan for vulnerabilities
- Manual Testing
- Human analysis and testing of controls
- Compliance Testing
- Verifying controls meet regulatory requirements
- Penetration Testing
- Attempting to bypass controls
- Automated Scanning
- Control Testing Processes
- Planning and Preparation
- Defining scope and objectives
- Execution
- Performing tests as per plan
- Reporting
- Documenting findings and recommendations
- Remediation Verification
- Confirming that issues have been resolved
- Planning and Preparation
- Data Collection Methods
- Log Reviews
- Analyzing system and security logs
- Monitoring
- Real-time observation of systems and networks
- Interviews and Questionnaires
- Gathering information from personnel
- Observation
- Directly watching processes and activities
- Log Reviews
- Data Sources
- System Logs
- Event logs, audit logs, application logs
- Network Traffic
- Packet captures, flow data
- Security Tools Output
- IDS/IPS alerts, SIEM reports
- User Activity Records
- Access logs, transaction records
- System Logs
- Data Analysis Techniques
- Trend Analysis
- Identifying patterns over time
- Anomaly Detection
- Spotting deviations from normal behavior
- Correlation
- Linking related events or data points
- Trend Analysis
- Audit Types
- Internal Audits
- Conducted by organization's own staff
- External Audits
- Performed by third-party auditors
- Third-Party Audits
- Assessing vendors or partners
- Internal Audits
- Audit Phases
- Planning
- Defining audit objectives and scope
- Fieldwork
- Collecting evidence and testing controls
- Reporting
- Summarizing findings and recommendations
- Follow-Up
- Ensuring corrective actions are taken
- Planning
- Audit Techniques
- Documentation Review
- Examining policies and procedures
- Walkthroughs
- Step-by-step review of processes
- Substantive Testing
- Detailed examination of transactions
- Compliance Testing
- Checking adherence to controls
- Documentation Review
- Regulatory Compliance Audits
- SOX (Sarbanes-Oxley Act)
- PCI DSS (Payment Card Industry Data Security Standard)
- HIPAA (Health Insurance Portability and Accountability Act)
- GDPR (General Data Protection Regulation)
- Types of Logs
- System Logs
- Operating system events
- Application Logs
- Events from specific applications
- Security Logs
- Authentication attempts, access control events
- Network Logs
- Firewall logs, router logs
- System Logs
- Log Management
- Collection
- Aggregating logs from multiple sources
- Storage
- Securely storing logs for analysis and compliance
- Retention Policies
- Defining how long logs should be kept
- Secure Disposal
- Properly deleting logs after retention period
- Collection
- Event Correlation
- SIEM Systems (Security Information and Event Management)
- Tools for real-time monitoring and analysis
- Correlation Rules
- Defining relationships between events
- Alerting and Notification
- Automated responses to detected issues
- SIEM Systems (Security Information and Event Management)
- Analysis Techniques
- Pattern Matching
- Identifying known signatures
- Statistical Analysis
- Understanding baseline behaviors
- Anomaly Detection
- Finding deviations from the norm
- Pattern Matching
- Vulnerability Assessment Process
- Asset Identification
- Listing systems and components
- Threat Evaluation
- Identifying potential threats
- Vulnerability Identification
- Scanning and discovering weaknesses
- Risk Assessment
- Evaluating impact and likelihood
- Reporting
- Documenting findings
- Asset Identification
- Penetration Testing Phases
- Planning
- Defining scope, rules of engagement
- Reconnaissance
- Gathering information about targets
- Scanning and Enumeration
- Discovering open ports, services
- Exploitation
- Attempting to exploit vulnerabilities
- Post-Exploitation
- Maintaining access, lateral movement
- Reporting and Remediation
- Summarizing findings, recommending fixes
- Planning
- Penetration Testing Tools
- Network Scanners
- Nmap, Nessus
- Exploitation Frameworks
- Metasploit
- Password Crackers
- John the Ripper, Hydra
- Web Application Testing Tools
- Burp Suite, OWASP ZAP
- Network Scanners
- Types of Penetration Tests
- External Testing
- Testing from outside the network
- Internal Testing
- Testing from within the network
- Blind Testing
- Tester has limited information
- Double-Blind Testing
- Neither tester nor defenders know the test is occurring
- Targeted Testing
- Both tester and defenders are aware and work together
- External Testing
- Static Testing
- Code Reviews
- Manual examination of source code
- Static Application Security Testing (SAST)
- Automated analysis of code without execution
- Code Reviews
- Dynamic Testing
- Dynamic Application Security Testing (DAST)
- Testing applications during execution
- Fuzz Testing
- Inputting random data to find crashes or vulnerabilities
- Dynamic Application Security Testing (DAST)
- Interactive Application Security Testing (IAST)
- Combines static and dynamic testing methods
- Continuous Monitoring and Testing
- Integrating testing into the development lifecycle
- DevSecOps Practices
- Reporting Requirements
- Executive Summaries
- High-level findings for management
- Detailed Technical Reports
- Specific vulnerabilities and remediation steps
- Compliance Reports
- Demonstrating adherence to regulations
- Executive Summaries
- Prioritization of Findings
- Risk Ratings
- Critical, High, Medium, Low
- Impact and Likelihood
- Assessing the potential damage and probability
- Risk Ratings
- Recommendations
- Remediation Steps
- Specific actions to fix issues
- Mitigation Strategies
- Reducing risk when fixes are not immediately possible
- Remediation Steps
- Communication
- Stakeholder Engagement
- Involving relevant parties in understanding findings
- Follow-Up Actions
- Ensuring issues are addressed and retested
- Stakeholder Engagement
- Vendor Assessments
- Evaluating third-party security practices
- Questionnaires and Surveys
- On-site Assessments
- Service Level Agreements (SLAs)
- Defining security expectations
- Certification and Accreditation
- Certification
- Formal testing against standards
- Accreditation
- Management's acceptance of residual risk
- Certification
- Regulatory Audits
- Compliance with Laws and Regulations
- GDPR, HIPAA, SOX, etc.
- Compliance with Laws and Regulations
- Software Development Life Cycle (SDLC) Integration
- Incorporating security testing at each phase
- Code Analysis Tools
- Static Code Analyzers
- Dynamic Analysis Tools
- Common Software Vulnerabilities
- Injection Flaws
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Buffer Overflows
- Secure Coding Standards
- OWASP Top Ten
- CERT Secure Coding Standards
- Defining Metrics
- Quantitative Metrics
- Number of vulnerabilities found
- Time to remediate issues
- Qualitative Metrics
- Severity of vulnerabilities
- Improvement in security posture
- Quantitative Metrics
- KPIs Examples
- Mean Time to Detect (MTTD)
- Mean Time to Respond (MTTR)
- Patch Management Effectiveness
- Dashboard and Reporting Tools
- Visualizing metrics for stakeholders
- Test Environment Setup
- Production vs. Non-Production Testing
- Risks of testing in live environments
- Sandboxing
- Isolated environments for testing
- Production vs. Non-Production Testing
- Test Data Management
- Anonymization and Masking
- Protecting sensitive data during testing
- Synthetic Data Generation
- Creating dummy data for testing
- Anonymization and Masking
- Regression Testing
- Ensuring new changes do not introduce vulnerabilities
- Rules of Engagement
- Written Agreements
- Scope, methods, timelines
- Authorization
- Obtaining necessary permissions
- Written Agreements
- Legal Constraints
- Computer Fraud and Abuse Act (CFAA)
- U.S. law governing computer crimes
- International Laws
- Understanding global legal implications
- Computer Fraud and Abuse Act (CFAA)
- Ethical Guidelines
- (ISC)² Code of Ethics
- Respecting Privacy
- Avoiding unnecessary data exposure
- Physical Security Testing
- Penetration of Physical Barriers
- Attempting unauthorized access
- Social Engineering Tests
- Phishing, tailgating
- Penetration of Physical Barriers
- Environmental Controls Testing
- HVAC Systems
- Fire Suppression Systems
- Business Continuity and Disaster Recovery Testing
- Plan Reviews
- Ensuring plans are up-to-date
- Drills and Exercises
- Tabletop exercises, simulations
- Plan Reviews
- Policy and Procedure Reviews
- Ensuring documentation is current and effective
- Access Control Testing
- Verifying proper implementation of access controls
- Incident Response Testing
- Tabletop Exercises
- Discussing response scenarios
- Simulation Testing
- Live drills of incident response
- Tabletop Exercises
- Awareness Training Effectiveness
- Phishing Simulations
- Testing employee vigilance
- Surveys and Feedback
- Measuring training impact
- Phishing Simulations
- Vulnerability
- Weakness that can be exploited
- Exploit
- Method to take advantage of a vulnerability
- Threat
- Potential cause of an unwanted incident
- Risk
- Likelihood and impact of a threat exploiting a vulnerability
- Penetration Testing
- Simulated attack to test security
- Zero-Day Vulnerability
- Unknown or unpatched vulnerability
- Fuzz Testing
- Inputting random data to find vulnerabilities
- Security Information and Event Management (SIEM)
- Tools for real-time analysis of security alerts
- False Positive
- Incorrectly identifying benign activity as malicious
- False Negative
- Failing to detect malicious activity
- Compliance
- Adherence to laws, regulations, and policies
- Remediation
- Actions taken to fix vulnerabilities
- Residual Risk
- Remaining risk after controls are applied
- Acceptance Testing
- Verifying that systems meet requirements
- Code Review
- Examination of source code for defects
- Secure Development Lifecycle (SDLC)
- Integrating security into software development
- Service Level Agreement (SLA)
- Contractual definition of service expectations
- Key Performance Indicators (KPIs)
- Metrics used to evaluate success
- Least Privilege
- Granting minimal necessary access
- Defense in Depth
- Layered security approach
- Segregation of Duties
- Dividing responsibilities to prevent fraud
- Anomaly Detection
- Identifying unusual patterns
- Intrusion Detection System (IDS)
- Monitoring for suspicious activities
- Intrusion Prevention System (IPS)
- Blocking detected threats
- Log Retention Policy
- Guidelines for how long logs are kept
- Patch Management
- Updating systems to fix vulnerabilities
Domain 7: Security Operations
Overview: This domain focuses on the day-to-day tasks required to protect organizational assets. It covers topics such as incident management, disaster recovery, business continuity, resource protection, change management, and physical security. Understanding security operations ensures that an organization can effectively detect, respond to, and recover from security incidents while maintaining continuous operations.
- Types of Investigations
- Administrative Investigations
- Internal probes into policy violations or misconduct.
- Civil Investigations
- Legal disputes between private parties.
- Criminal Investigations
- Law enforcement probes into illegal activities.
- Regulatory Investigations
- Compliance checks by governing bodies.
- Administrative Investigations
- Evidence Handling
- Chain of Custody
- Documenting evidence from collection to court.
- Evidence Types
- Real Evidence: Physical objects.
- Documentary Evidence: Written documents.
- Testimonial Evidence: Witness statements.
- Demonstrative Evidence: Models or simulations.
- Chain of Custody
- Forensic Procedures
- Data Collection
- Imaging drives, capturing logs.
- Analysis Techniques
- Timeline creation, keyword searches.
- Reporting
- Detailed documentation of findings.
- Legal Considerations
- Admissibility, privacy laws, warrants.
- Data Collection
- Incident Response Planning
- Preparation
- Policies, procedures, training.
- Detection and Analysis
- Monitoring systems, alert triage.
- Containment, Eradication, Recovery
- Isolating systems, removing threats, restoring operations.
- Post-Incident Activities
- Lessons learned, process improvement.
- Preparation
- Incident Response Team (IRT) Roles
- Team Leader
- Coordinates response efforts.
- Technical Specialists
- Handles technical aspects.
- Communications Officer
- Manages information dissemination.
- Legal and HR Advisors
- Ensures compliance and handles personnel issues.
- Team Leader
- Communication Plans
- Internal notifications.
- External communications (media, customers).
- Business Impact Analysis (BIA)
- Identifying critical functions and resources.
- Assessing the impact of disruptions.
- Disaster Recovery Planning
- Recovery Strategies
- Data backups, system redundancies.
- Alternate Sites
- Hot Sites: Fully operational.
- Warm Sites: Partially equipped.
- Cold Sites: Basic infrastructure.
- Recovery Objectives
- RTO (Recovery Time Objective)
- RPO (Recovery Point Objective)
- Recovery Strategies
- Business Continuity Planning
- Ensuring essential functions continue during a crisis.
- Developing continuity strategies.
- Testing and Maintenance
- Plan Testing
- Drills, simulations.
- Plan Maintenance
- Regular updates and reviews.
- Plan Testing
- Change Management Process
- Request Submission
- Documenting proposed changes.
- Impact Assessment
- Evaluating potential effects.
- Approval and Scheduling
- Authorization and timing.
- Implementation
- Executing changes.
- Review and Documentation
- Post-change analysis.
- Request Submission
- Configuration Management
- Baseline Establishment
- Defining standard configurations.
- Version Control
- Tracking changes.
- Configuration Audits
- Ensuring compliance with standards.
- Baseline Establishment
- Media Management
- Labeling
- Clear classification markings.
- Storage
- Secure locations, environmental controls.
- Disposal
- Sanitization, destruction methods.
- Labeling
- Data Management
- Data Classification
- Sensitivity levels (public, confidential).
- Data Lifecycle
- Creation to disposal.
- Data Classification
- Operations Security Controls
- Separation of Duties
- Preventing fraud by dividing tasks.
- Least Privilege
- Minimum necessary access.
- Job Rotation
- Reducing collusion risks.
- Mandatory Vacations
- Detecting irregularities.
- Separation of Duties
- Administrative Management
- Policy Enforcement
- Adherence to security policies.
- Third-Party Management
- Vendor security evaluations.
- Policy Enforcement
- Monitoring Techniques
- Security Information and Event Management (SIEM)
- Centralized logging, real-time analysis.
- Intrusion Detection Systems (IDS)
- Network and host-based monitoring.
- Intrusion Prevention Systems (IPS)
- Automated threat blocking.
- Security Information and Event Management (SIEM)
- Log Management
- Collection
- Aggregating logs from various sources.
- Retention
- Compliance with retention policies.
- Analysis
- Regular review for anomalies.
- Collection
- Compliance Monitoring
- Ensuring regulatory and policy adherence.
- Physical Security Controls
- Perimeter Security
- Fences, gates, guards.
- Access Control Systems
- Keycards, biometrics.
- Surveillance Systems
- CCTV cameras, motion detectors.
- Perimeter Security
- Environmental Controls
- HVAC Systems
- Temperature and humidity regulation.
- Fire Suppression
- Sprinklers, gas systems.
- HVAC Systems
- Safety Measures
- Emergency Exits
- Clearly marked and accessible.
- Power Protection
- UPS, surge protectors.
- Emergency Exits
- Personnel Security
- Background Checks
- Pre-employment screening.
- Security Training
- Awareness programs.
- Access Rights Management
- Regular reviews and updates.
- Background Checks
- Equipment Security
- Asset Tracking
- Inventory management.
- Anti-Theft Measures
- Locks, security cables.
- Asset Tracking
- Visitor Management
- Identification
- Badges, sign-in procedures.
- Escort Policies
- Supervision of non-employees.
- Identification
- Preventative Controls
- Firewalls
- Network traffic filtering.
- Antivirus Software
- Malware prevention.
- Access Controls
- Authentication mechanisms.
- Firewalls
- Detective Controls
- Logs and Audits
- Activity recording.
- IDS/IPS
- Threat detection.
- Logs and Audits
- Corrective Controls
- Incident Response
- Procedures to mitigate damage.
- Patch Management
- Updating systems to fix vulnerabilities.
- Incident Response
- Patch Management Process
- Identification
- Recognizing needed updates.
- Testing
- Verifying patches in a safe environment.
- Deployment
- Rolling out patches systematically.
- Verification
- Ensuring patches are effective.
- Identification
- Vulnerability Management
- Scanning
- Regular checks for weaknesses.
- Assessment
- Evaluating risk levels.
- Remediation
- Addressing identified issues.
- Scanning
- Backup Types
- Full Backup
- Entire data set.
- Incremental Backup
- Changes since last backup.
- Differential Backup
- Changes since last full backup.
- Full Backup
- Backup Strategies
- Onsite and Offsite Storage
- Balancing speed and safety.
- Electronic Vaulting
- Automated, remote backups.
- Replication
- Real-time data copying.
- Onsite and Offsite Storage
- Recovery Procedures
- Restoration Testing
- Validating backup integrity.
- Documentation
- Detailed recovery steps.
- Restoration Testing
- Awareness Programs
- Purpose
- Cultivating a security-conscious culture.
- Methods
- Workshops, newsletters, e-learning.
- Purpose
- Training Initiatives
- Role-Specific Training
- Tailored content for different positions.
- Compliance Training
- Meeting legal and regulatory requirements.
- Role-Specific Training
- Effectiveness Measurement
- Assessments
- Quizzes, simulations.
- Feedback
- Surveys, suggestion boxes.
- Assessments
- Threat Intelligence
- Sources
- OSINT, threat feeds.
- Analysis
- Identifying relevant threats.
- Application
- Informing security measures.
- Sources
- Security Operations Center (SOC)
- Functions
- Monitoring, incident response.
- Staffing
- Analysts, engineers.
- Tools
- SIEM, threat intelligence platforms.
- Functions
- Vendor Management
- Due Diligence
- Security assessments.
- Contracts and SLAs
- Defining security obligations.
- Monitoring
- Ongoing compliance checks.
- Due Diligence
- Cloud Security Considerations
- Shared Responsibility Model
- Understanding provider and customer roles.
- Data Protection
- Encryption, access controls.
- Shared Responsibility Model
- Internet of Things (IoT)
- Security Challenges
- Device management, patching.
- Mitigation Strategies
- Network segmentation, strong authentication.
- Security Challenges
- Artificial Intelligence (AI) and Machine Learning (ML)
- Applications
- Anomaly detection, predictive analytics.
- Risks
- Adversarial attacks, data poisoning.
- Applications
- Operational Technology (OT) Security
- Industrial Control Systems (ICS)
- Securing critical infrastructure.
- Supervisory Control and Data Acquisition (SCADA)
- Protecting automated systems.
- Industrial Control Systems (ICS)
- Chain of Custody
- Tracking evidence handling.
- Incident Response Plan (IRP)
- Procedures for addressing incidents.
- Business Continuity Plan (BCP)
- Strategies to maintain operations.
- Disaster Recovery Plan (DRP)
- Steps to restore systems after a disaster.
- Recovery Time Objective (RTO)
- Target duration to recover services.
- Recovery Point Objective (RPO)
- Acceptable data loss timeframe.
- Hot Site
- Fully equipped backup facility.
- Cold Site
- Facility with basic infrastructure.
- Separation of Duties
- Dividing responsibilities to prevent fraud.
- Least Privilege
- Minimum access necessary for a role.
- Job Rotation
- Changing roles to reduce collusion risk.
- Mandatory Vacations
- Enforced time off to detect fraud.
- Service Level Agreement (SLA)
- Contractual service commitments.
- Security Information and Event Management (SIEM)
- Centralized logging and alerting.
- Intrusion Detection System (IDS)
- Monitors for malicious activities.
- Intrusion Prevention System (IPS)
- Blocks detected threats.
- Configuration Management
- Maintaining system settings.
- Change Management
- Controlled process for system changes.
- Patch Management
- Regular updates to software.
- Forensics
- Scientific examination of evidence.
- Access Control
- Mechanisms to restrict resource access.
- Backup Types
- Full, incremental, differential.
- Data Sanitization
- Secure data deletion methods.
- Media Management
- Handling of storage media.
- Threat Intelligence
- Information on potential threats.
- Security Operations Center (SOC)
- Team dedicated to security monitoring.
- Vendor Risk Management
- Assessing third-party risks.
Software Development Security Tables
Domain 8: Software Development Security
Overview: This domain focuses on the application of security principles and practices throughout the software development lifecycle (SDLC). It encompasses the integration of security into the design, development, testing, and maintenance of software applications. Understanding software development security ensures that applications are resilient against threats, comply with security standards, and protect organizational assets and data.
- Phases of SDLC with Security Integration
- Requirements Gathering
- Incorporate security requirements alongside functional requirements.
- Define security objectives and constraints.
- Design
- Utilize threat modeling to identify potential security threats.
- Apply secure design principles (e.g., least privilege, defense in depth).
- Implementation
- Follow secure coding standards and guidelines.
- Use code analysis tools to detect vulnerabilities early.
- Testing
- Conduct security testing, including static and dynamic analysis.
- Perform penetration testing and vulnerability assessments.
- Deployment
- Ensure secure configuration of production environments.
- Implement proper access controls and monitoring.
- Maintenance
- Regularly update and patch software to address new vulnerabilities.
- Monitor for security incidents and respond appropriately.
- Requirements Gathering
- Security in Agile and DevOps
- Shift-Left Security
- Integrate security practices early in the development process.
- Continuous Integration/Continuous Deployment (CI/CD) Security
- Automate security testing within CI/CD pipelines.
- DevSecOps Practices
- Foster collaboration between development, security, and operations teams.
- Shift-Left Security
- Static Application Security Testing (SAST)
- Analyze source code for vulnerabilities without executing the program.
- Tools: SonarQube, Checkmarx, Fortify.
- Dynamic Application Security Testing (DAST)
- Test applications in their running state to identify vulnerabilities.
- Tools: OWASP ZAP, Burp Suite, Acunetix.
- Interactive Application Security Testing (IAST)
- Combine SAST and DAST by analyzing applications during runtime.
- Tools: Contrast Security, Seeker by Synopsys.
- Software Composition Analysis (SCA)
- Identify and manage open-source components and their vulnerabilities.
- Tools: Black Duck, Snyk, WhiteSource.
- Fuzz Testing
- Input random or unexpected data to identify crashes and vulnerabilities.
- Tools: AFL (American Fuzzy Lop), Peach Fuzzer.
- Coding Standards and Guidelines
- CERT Secure Coding Standards
- Guidelines for various programming languages.
- OWASP Secure Coding Practices
- Comprehensive practices to mitigate common vulnerabilities.
- CERT Secure Coding Standards
- Common Coding Vulnerabilities
- Injection Flaws
- SQL Injection, Command Injection.
- Cross-Site Scripting (XSS)
- Reflected, Stored, DOM-based.
- Cross-Site Request Forgery (CSRF)
- Techniques to prevent unauthorized actions.
- Buffer Overflows
- Ensuring proper memory management.
- Insecure Deserialization
- Validating and sanitizing serialized data.
- Injection Flaws
- Input Validation and Output Encoding
- Input Validation
- Ensure all inputs are sanitized and validated against expected formats.
- Output Encoding
- Encode data before rendering to prevent XSS attacks.
- Input Validation
- Error Handling and Logging
- Error Handling
- Avoid revealing sensitive information in error messages.
- Logging
- Implement secure logging practices without exposing sensitive data.
- Error Handling
- Security Design Patterns
- Authentication and Authorization Patterns
- Implementing robust authentication mechanisms.
- Secure Session Management
- Managing user sessions securely to prevent hijacking.
- Secure Data Storage
- Encrypting sensitive data at rest and in transit.
- Authentication and Authorization Patterns
- Threat Modeling
- STRIDE Model
- Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege.
- PASTA (Process for Attack Simulation and Threat Analysis)
- Risk-centric methodology for threat modeling.
- Data Flow Diagrams (DFD)
- Visual representation of data movement to identify potential threats.
- STRIDE Model
- Secure Software Architecture
- Layered (Defense in Depth) Architecture
- Multiple layers of security controls.
- Microservices Security
- Securing inter-service communication and data exchange.
- API Security
- Implementing authentication, authorization, and rate limiting for APIs.
- Layered (Defense in Depth) Architecture
- Authentication Mechanisms
- Multi-Factor Authentication (MFA)
- Combining multiple authentication factors for enhanced security.
- Single Sign-On (SSO)
- Simplifying authentication across multiple applications.
- Multi-Factor Authentication (MFA)
- Authorization Models
- Role-Based Access Control (RBAC)
- Assigning permissions based on user roles.
- Attribute-Based Access Control (ABAC)
- Granting access based on user attributes and context.
- Role-Based Access Control (RBAC)
- Session Management
- Secure Cookie Practices
- Using HttpOnly and Secure flags.
- Token-Based Authentication
- Implementing JWT (JSON Web Tokens) securely.
- Secure Cookie Practices
- Configuration Management
- Secure Configuration Baselines
- Establishing and maintaining secure settings.
- Automated Configuration Tools
- Tools like Ansible, Puppet, Chef for consistent deployments.
- Secure Configuration Baselines
- Patch Management
- Timely Application of Security Patches
- Ensuring software is up-to-date with the latest security fixes.
- Testing Patches
- Verifying patches do not introduce new vulnerabilities.
- Timely Application of Security Patches
- Environment Hardening
- Minimizing Attack Surface
- Removing unnecessary services and applications.
- Implementing Security Controls
- Firewalls, intrusion detection systems, and access controls.
- Minimizing Attack Surface
- Static Code Analysis Tools
- Detect vulnerabilities in source code without execution.
- Examples: SonarQube, Fortify, Checkmarx.
- Dynamic Analysis Tools
- Identify vulnerabilities during application runtime.
- Examples: OWASP ZAP, Burp Suite, Acunetix.
- Interactive Analysis Tools
- Combine static and dynamic analysis for comprehensive testing.
- Examples: Contrast Security, Seeker.
- Fuzzing Tools
- Generate random inputs to discover vulnerabilities.
- Examples: AFL (American Fuzzy Lop), Peach Fuzzer.
- Software Composition Analysis (SCA) Tools
- Manage and secure open-source components.
- Examples: Black Duck, Snyk, WhiteSource.
- Patch Management
- Regularly updating software to fix vulnerabilities.
- Implementing automated patch deployment where possible.
- Vulnerability Management
- Continuous scanning and assessment for new vulnerabilities.
- Prioritizing and addressing vulnerabilities based on risk.
- Change Management
- Controlling and documenting changes to software to prevent introducing vulnerabilities.
- Implementing version control systems like Git.
- Incident Response in Software
- Detection
- Monitoring applications for suspicious activities.
- Response
- Implementing fixes and mitigating vulnerabilities.
- Recovery
- Restoring applications to secure states post-incident.
- Detection
- Industry Standards
- OWASP (Open Web Application Security Project)
- Top Ten Project outlining common web application vulnerabilities.
- CERT Secure Coding Standards
- Guidelines for various programming languages to prevent vulnerabilities.
- ISO/IEC 27034
- Application security standard.
- OWASP (Open Web Application Security Project)
- Language-Specific Guidelines
- Java Secure Coding Guidelines
- C/C++ Secure Coding Practices
- Python Security Best Practices
- Automated Code Review Tools
- Integrate tools into the development pipeline to enforce coding standards.
- Managing Third-Party Components
- Dependency Management
- Tracking and updating third-party libraries.
- Open-Source Security
- Assessing and mitigating risks from open-source software.
- Dependency Management
- Supply Chain Attacks
- Understanding Risks
- Compromise of third-party components or services.
- Mitigation Strategies
- Code signing, verifying sources, implementing trust boundaries.
- Understanding Risks
- Vendor Security Assessments
- Evaluating the security practices of software vendors and third parties.
- API Security
- Authentication and Authorization
- Ensuring APIs are accessed securely.
- Rate Limiting and Throttling
- Preventing abuse through excessive requests.
- Input Validation
- Sanitizing inputs to prevent injection attacks.
- Secure API Design
- Following best practices for RESTful and SOAP APIs.
- Authentication and Authorization
- Web Services Security
- WS-Security Standards
- Implementing security features in web services.
- SOAP Message Security
- Protecting SOAP messages through encryption and signatures.
- WS-Security Standards
- Database Security Best Practices
- Least Privilege
- Restricting database access to necessary roles.
- Encryption
- Encrypting data at rest and in transit.
- Access Controls
- Implementing robust authentication and authorization mechanisms.
- Least Privilege
- SQL Injection Prevention
- Parameterized Queries
- Using prepared statements to prevent injection.
- Stored Procedures
- Encapsulating SQL logic within the database.
- Input Sanitization
- Validating and cleaning user inputs.
- Parameterized Queries
- Database Activity Monitoring
- Real-Time Monitoring
- Detecting suspicious activities in databases.
- Auditing and Logging
- Keeping detailed records of database access and modifications.
- Real-Time Monitoring
- Mobile Security Considerations
- Platform-Specific Security Features
- Leveraging built-in security mechanisms of iOS and Android.
- Data Storage Security
- Encrypting sensitive data on mobile devices.
- Secure Communication
- Using TLS/SSL for data transmission.
- Platform-Specific Security Features
- Threats to Mobile Applications
- Reverse Engineering
- Protecting against unauthorized code analysis.
- Insecure Data Storage
- Preventing data leakage from device storage.
- Poor Authentication
- Implementing robust authentication mechanisms.
- Reverse Engineering
- Mobile Application Security Testing
- Static and Dynamic Analysis
- Using tools tailored for mobile platforms.
- Penetration Testing
- Simulating attacks specific to mobile environments.
- Static and Dynamic Analysis
- Cloud Security Considerations
- Shared Responsibility Model
- Understanding the division of security responsibilities between cloud providers and customers.
- Secure Configuration
- Properly configuring cloud resources to prevent misconfigurations.
- Shared Responsibility Model
- DevSecOps in the Cloud
- Automated Security Testing
- Integrating security tests into CI/CD pipelines in cloud environments.
- Infrastructure as Code (IaC) Security
- Securing code that defines cloud infrastructure.
- Automated Security Testing
- API and Service Security in the Cloud
- Authentication and Authorization
- Implementing secure access controls for cloud services.
- Data Protection
- Ensuring data is encrypted and securely stored in the cloud.
- Authentication and Authorization
- Deployment Best Practices
- Automated Deployment Pipelines
- Ensuring consistent and secure deployments.
- Immutable Infrastructure
- Replacing rather than modifying infrastructure to maintain security.
- Automated Deployment Pipelines
- Continuous Monitoring and Feedback
- Real-Time Security Monitoring
- Using tools like SIEM for ongoing security oversight.
- Feedback Loops
- Incorporating security feedback into development practices.
- Real-Time Security Monitoring
- Patch and Update Management
- Timely Application of Updates
- Keeping applications updated to address vulnerabilities.
- Automated Patch Deployment
- Streamlining the patching process to reduce delays.
- Timely Application of Updates
- Secure SDLC
- Integrating security practices into the software development lifecycle.
- Threat Modeling
- Identifying and addressing potential security threats during design.
- Static Application Security Testing (SAST)
- Analyzing source code for vulnerabilities without execution.
- Dynamic Application Security Testing (DAST)
- Testing applications in their running state to find vulnerabilities.
- Interactive Application Security Testing (IAST)
- Combining static and dynamic analysis during runtime.
- Software Composition Analysis (SCA)
- Managing and securing third-party and open-source components.
- OWASP Top Ten
- A list of the most critical web application security risks.
- CERT Secure Coding Standards
- Guidelines to prevent coding-related vulnerabilities.
- DevSecOps
- Integrating security practices within DevOps processes.
- Code Injection
- Inserting malicious code into applications.
- Cross-Site Scripting (XSS)
- Injecting malicious scripts into web pages viewed by others.
- Cross-Site Request Forgery (CSRF)
- Trick users into executing unwanted actions on web applications.
- Buffer Overflow
- Overrunning a buffer's boundary and overwriting adjacent memory.
- Parameterization
- Using placeholders for user inputs to prevent injection.
- Least Privilege
- Granting users the minimum levels of access needed.
- Defense in Depth
- Implementing multiple layers of security controls.
- Code Review
- Manual or automated examination of source code for security issues.
- Immutable Infrastructure
- Replacing infrastructure components rather than modifying them.
- Infrastructure as Code (IaC)
- Managing and provisioning computing infrastructure through machine-readable scripts.
- Service-Oriented Architecture (SOA)
- Designing software as a collection of interoperable services.
- API Security
- Protecting application programming interfaces from attacks.
- Single Sign-On (SSO)
- Allowing users to authenticate once and gain access to multiple systems.
- Multi-Factor Authentication (MFA)
- Requiring multiple forms of verification for access.
- Secure Coding Practices
- Implementing coding standards that enhance security.
- Penetration Testing
- Simulating attacks to identify and exploit vulnerabilities.
- Zero-Day Vulnerability
- A previously unknown vulnerability that attackers can exploit before a fix is available.
- Patch Management
- The process of managing updates to software applications to fix vulnerabilities.
- Vulnerability Management
- Identifying, evaluating, treating, and reporting on security vulnerabilities.
- Secure Configuration
- Setting up systems in a way that minimizes vulnerabilities.
- Federated Identity Management
- Linking a user's identity across multiple systems and organizations.
- Cryptographic Controls
- Using encryption and hashing to protect data integrity and confidentiality.
- Secure API Design
- Creating APIs that are resilient against common security threats.
- Container Security
- Protecting containerized applications and their environments.
- Serverless Security
- Securing applications that use serverless architectures.
- Microservices Security
- Ensuring each microservice within an architecture is secure.
- Code Signing
- Digitally signing software to verify its integrity and origin.
- Secure Deployment Pipelines
- Automating security checks within the software deployment process.
- Application Hardening
- Enhancing the security of an application by reducing its surface of vulnerability.