In which phase of the SW-CMM does an organisation use quantitative measures to gain a detailed understanding of the development process?
(a) Initial (b) Repeatable (c) Defined (d) Managed
Answer: (d)
Explanation: In the Managed phase (level 4 of the SW-CMM), the organisation uses quantitative measures to gain a detailed understanding of the development process.
Tom built a database table consisting of the names, telephone numbers & customer IDs for his business. The table contains information on 10 customers. What is the degree of this table?
(a) Two (b) Three (c) Thirty (d) Undefined
Answer: (b)
Explanation: The cardinality of a table refers to the number of rows in the table, while the degree of the table is the number of columns. Tom's table has three columns (name, telephone number, customer ID), so its degree is three; the 10 customers are its cardinality.
What type of application vulnerability must directly allow an attacker to modify the contents of a system’s memory?
(a) Rootkit (b) Back door (c) TOC/TOU (d) Buffer overflow
Answer: (d)
What type of virus utilises more than one propagation technique to maximise the number of penetrated systems?
Understand the propagation techniques used by viruses
Viruses use four main propagation techniques to penetrate systems and spread their malicious payloads:
file infection
service injection
boot sector infection
macro infection
You need to understand these techniques to effectively protect systems on your network from malicious code.
Know how anti-virus software packages detect known viruses
Most AV programs use signature-based detection algorithms to look for telltale patterns of known viruses.
This makes it essential to periodically update virus definition files in order to maintain protection against newly authored viruses as they emerge.
Behaviour-based detection is also becoming increasingly common, with AV software monitoring target systems for unusual activity and either blocking it or flagging it for investigation, even if the software does not match a known malware signature.
Explain the techniques that attackers use to compromise password security
Passwords are the most common access control mechanism in use today, and it is essential that you understand how to protect against attackers who seek to undermine their security.
Know how password crackers, dictionary attacks & social engineering attacks, such as phishing, can be used to defeat password security.
Be familiar with the various types of application attacks
Application attacks are one of the greatest threats to modern computing.
Attackers exploit buffer overflows, back doors, TOC/TOU vulnerabilities & rootkits to gain illegitimate access to a system.
Security professionals must have a clear understanding of each of these attacks and their associated countermeasures.
Understand common web application vulnerabilities & countermeasures
As many applications move to the web, developers & security professionals must understand the new types of attacks that exist in this environment and how to protect against them.
The two most common examples are cross-site scripting (XSS) and SQL injection attacks.
Know the network reconnaissance techniques used by attackers preparing to attack a network
Before launching an attack, attackers use IP sweeps to search out active hosts on a network. These hosts are then subjected to port scans and other vulnerability probes to locate weak spots that might be attacked in an attempt to compromise the network.
You should understand these attacks to help protect your network against them, limiting the amount of information attackers may gain.
Explain the basic architecture of a relational database management system (RDBMS)
Know the structure of relational DBs.
Be able to explain the functions of tables (relations), rows (records/tuples) and columns (fields/attributes).
Know how relationships are defined between tables, and the roles of various types of keys.
Describe the DB security threats posed by aggregation & inference.
Know the various types of storage
Explain the differences between:
primary memory & virtual memory
secondary storage & virtual storage
random access storage & sequential storage
volatile storage and non-volatile storage.
Explain how expert systems, machine learning & neural networks function
Expert systems consist of two main components:
A knowledge base that contains a series of “if/then” rules
An inference engine that uses that information to draw conclusions about other data
Machine learning techniques attempt to algorithmically discover knowledge from datasets.
Neural networks simulate the functioning of the human mind to a limited extent, by arranging a series of layered calculations to solve problems.
Neural networks require extensive training on a particular problem before they are able to offer solutions.
Understand the models of systems development
Know that the waterfall model describes a sequential development process that results in the development of a finished product. Developers may step back only one phase in the process if errors are discovered.
The spiral model uses several iterations of the waterfall model to produce a number of fully specified and tested prototypes.
Agile development models place an emphasis on the needs of the customer and quickly developing new functionality that meets those needs in an iterative fashion.
Describe software development maturity models [TODO]
Know that maturity models help software organisations improve the maturity & quality of their software processes by implementing an evolutionary path from ad-hoc, chaotic processes to mature, disciplined software processes.
Be able to describe the SW-CMM and IDEAL models. [TODO]
Understand the importance of change & configuration management
Know the three basic components of change control — request control, change control & release control — and how they contribute to security.
Explain how config mgmt controls the versions of software used in an organisation.
Understand the importance of testing
Software testing should be designed as part of the development process.
Testing should be used as a management tool to improve the design, development & production processes.
Which of the following would security personnel do during the remediation stage of an incident response?
(a) Contain the incident (b) Collect evidence (c) Rebuild system (d) Root cause analysis
Answer: (d)
Explanation: Security personnel perform a root cause analysis during the remediation stage. A root cause analysis attempts to discover the source of the problem. After discovering the cause, the review will often identify a solution to help prevent a similar occurrence in the future. Containing the incident & collecting evidence is done early in the incident response process. Rebuilding a system may occur during the recovery stage.
Of the following choices, which is the most common method of distributing malware?
Of the following choices, what is the best form of malware protection?
(a) Multiple solutions on each system (b) A single solution throughout the organisation (c) Anti-malware protection at several locations (d) 100% content filtering at all border gateways
Answer: (c)
According to FEMA, approximately what percentage of US states is rated with at least a moderate risk of seismic activity?
(a) 20% (b) 40% (c) 60% (d) 80%
Answer: (d)
Explanation: 41 of the 50 US states are considered to have a moderate, high or very high risk of seismic activity. This rounds to 80%.
In which one of the following database recovery techniques is an exact, up-to-date copy of the database maintained at an alternative location?
Explanation: When you use remote mirroring, an exact copy of the DB is maintained at an alternative location. You keep the remote copy up-to-date by executing all transactions on both the primary and remote site at the same time.
What is the typical time estimate to activate a warm site from the time a disaster is declared?
(a) 1 hour (b) 6 hours (c) 12 hours (d) 24 hours
Answer: (c)
What type of database backup strategy involves maintenance of a live backup server at the remote site?
Explanation: Remote mirroring is the only backup option in which a live backup server at a remote site maintains a bit-for-bit copy of the contents of the primary server, synchronised as closely as the latency in the link between primary & remote systems will allow.
What is the end goal of DR planning?
(a) Preventing business interruptions (b) Setting up temporary business operations (c) Restoring normal business activity (d) Minimising the impact of a disaster
Answer: (c)
Explanation: Once a disaster interrupts business operations, the goal of DRP is to restore regular business activity as quickly as possible. Thus, DR planning picks up where BC planning leaves off.
Hacktivists are motivated by which of the following factors? (Choose all that apply)
(a) Financial gain (b) Thrill (c) Skill (d) Political beliefs
Answer: (b), (d)
What phase of the Electronic Discovery Reference Model examines information to remove information subject to attorney-client privilege?
Computer crime is a crime (or violation of a law or regulations) that is directed against, or directly involves, a computer.
Be able to list & explain the six categories of computer crimes (TODO)
Computer crimes are grouped into:
military & intelligence attack
business attack
financial attack
terrorist attack
grudge attack
thrill attack.
Be able to explain the motive of each attack. (TODO)
Know the importance of collecting evidence
As soon as you discover an incident, you must begin to collect evidence and as much information about the incident as possible.
The evidence can be used in a subsequent legal action or in finding the identity of the attacker.
Evidence can also assist you in determining the extent of damage.
Understand the eDiscovery process
Organisations that believe they will be the target of a lawsuit have a duty to preserve digital evidence in a process known as electronic discovery, or eDiscovery.
The eDiscovery process includes information governance, identification, preservation, collection, processing, review, analysis, production & presentation activities.
Know how to investigate intrusions and how to gather sufficient information from the equipment, software & data
You must have possession of equipment, software or data to analyse and use as evidence.
You must acquire the evidence without modifying it or allowing anyone else to modify it.
Know the three basic alternatives for confiscating evidence and when each one is appropriate
First, the person who owns the evidence could voluntarily surrender it.
Second, a subpoena could be used to compel the subject to surrender the evidence.
Third, a search warrant is most useful when you need to confiscate evidence without giving the subject an opportunity to alter it.
Know the importance of investigatory data
Because you will discover some incidents after they have occurred, you will lose valuable evidence unless you ensure that critical log files are retained for a reasonable period of time.
You can retain log files and system status information either in place or in archives.
Know the basic requirements for evidence to be admissible in a court of law
To be admissible, evidence must be relevant to a fact or issue in the case, the fact must be material to the case, and the evidence must be competent or legally collected.
Explain the various types of evidence that may be used in a criminal or civil trial
Real evidence consists of actual objects that can be brought into the courtroom.
Documentary evidence consists of written documents that provide insight into the facts.
Testimonial evidence consists of verbal or written statements made by witnesses.
Understand the importance of ethics to security personnel
Security practitioners are granted a very high level of authority and responsibility to execute their job functions.
The potential for abuse exists, and without a strict code of personal behaviour, security practitioners could be regarded as having unchecked power.
Adherence to a code of ethics helps ensure that such power is not abused.
Know the (ISC)2 Code of Ethics & RFC 1087 “Ethics and the Internet” [TODO]
All CISSP candidates should be familiar with the entire (ISC)2 Code of Ethics because they have to agree to adhere to it. [TODO]
In addition, be familiar with the basic statements of RFC 1087. [TODO]
Know the common types of natural disasters that may threaten an organisation
Natural disasters that commonly threaten organisations include:
earthquakes
floods
storms
fires
tsunamis
volcanic eruptions.
Know the common types of man-made disasters that may threaten an organisation
Explosions
Electrical fires
Terrorist acts
Power outages & other utility failures
Infrastructure failures
Hardware/software failures
Labour difficulties
Theft
Vandalism
Be familiar with the common types of recovery facilities [TODO]
The common types of recovery facilities are:
cold sites
warm sites
hot sites
mobile sites
service bureaus
multiple sites
Be sure you understand the benefits & drawbacks for each.
Explain the potential benefits behind mutual assistance agreements as well as the reasons they are not commonly implemented in businesses today
Mutual assistance agreements (MAAs) provide an inexpensive alternative to DR sites, but they are not commonly used because they are difficult to enforce.
Organisations participating in an MAA may also be shut down by the same disaster.
Understand the technologies that may assist with database backup
Databases benefit from three backup technologies:
Electronic vaulting is used to transfer DB backups to a remote site as part of a bulk transfer.
In remote journalling, data transfers occur on a more frequent basis.
With remote mirroring technology, database transactions are mirrored at the backup site in real time.
Know the five types of DR plan tests and the impact each has on normal business operations
The five types of DR plan tests are:
read-through (checklist)
structured walk-through
simulation test
parallel test
full-interruption test
Checklist tests are purely paperwork exercises, whereas structured walk-throughs involve a project team meeting. Neither has an impact on business operations.
Simulation tests may shut down non-critical business units.
Parallel tests involve relocating personnel but do not affect day-to-day operations.
Full-interruption tests involve shutting down primary systems and shifting responsibility to the recovery facility.
The Security Operations domain lists incident response steps as:
detection
response
mitigation
reporting
recovery
remediation
lessons learned
After detecting & verifying an incident, the first response is to limit or contain the scope of the incident while protecting evidence.
Based on governing laws, an organisation may need to report an incident to official authorities, and if PII is involved, individuals need to be informed.
The remediation & lessons learned stages include root cause analysis to determine the cause and recommend solutions to prevent a reoccurrence.
Know basic preventive measures
Basic preventive measures can prevent many incidents from occurring.
These include:
keeping systems up-to-date
removing/disabling unneeded protocols & services
using intrusion detection & prevention systems
using anti-malware software with up-to-date signatures
enabling both host-based & network-based firewalls
Know what denial-of-service attacks are
DoS attacks prevent a system from responding to legitimate requests for service.
A common DoS attack is the SYN flood attack, which disrupts the TCP three-way handshake.
Even though older attacks are not as common today because basic precautions block them, many newer attacks are often variations on older methods.
Smurf attacks employ an amplification network to send numerous response packets to a victim.
Ping-of-death attacks send numerous oversized ping packets to the victim, causing it to freeze, crash or reboot.
Botnets represent significant threats due to the massive number of computers that can launch attacks, so it’s important to know what they are.
A botnet is a collection of compromised computing devices (often called bots or zombies) organised in a network controlled by a criminal known as a bot herder.
Bot herders use a command-and-control server to remotely control the zombies, and often use the botnet to launch attacks on other systems or to send spam or phishing emails.
Bot herders also rent botnet access out to other criminals.
Understand zero-day exploits
A zero-day exploit is an attack that uses a vulnerability that is either unknown to anyone but the attacker, or known only to a limited number of people.
On the surface, it seems that you can’t protect against an unknown vulnerability, but basic security practices go a long way toward preventing 0-days.
Removing or disabling unneeded protocols & services reduces the attack surface, enabling firewalls blocks many access points, and using IDS/IPS systems helps detect & block potential attacks.
Additionally, using tools such as honeypots and padded cells helps protect live networks.
Understand man-in-the-middle attacks
A man-in-the-middle attack occurs when a malicious user is able to gain a logical position between the two endpoints of a comms link.
Although it takes a significant amount of sophistication on the part of an attacker to complete a MITM attack, the amount of data obtained from the attack can be significant.
Understand sabotage & espionage
Malicious insiders can perform sabotage against an organisation if they become disgruntled for some reason.
Espionage is when a competitor tries to steal information, and they may use an internal employee.
Basic security principles, such as implementing the principle of least privilege and immediately disabling accounts for terminated employees, limit the damage from these attacks.
Understand intrusion detection & prevention
IDSs and IPSs are important detective & preventive measures against attacks.
Know the difference between knowledge-based detection (using a database similar to anti-malware signatures) and behaviour-based detection.
Behaviour-based detection starts with a baseline to recognise normal behaviour, and compares activity with the baseline to detect abnormal activity.
The baseline can be outdated if the network is modified, so it must be updated when the environment changes.
An IDS can respond passively by logging and sending notifications, or actively by changing the environment. Some people refer to an active IDS as an IPS. However, it's important to recognise that an IPS is placed in line with the traffic, and includes the ability to block malicious traffic before it reaches the target.
Host-based IDSs (HIDSs) can monitor activity on a single system only.
A network-based IDS (NIDS) can monitor activity on a network, and a NIDS isn’t as visible to attackers.
Understand honeypots, padded cells & pseudo flaws
A honeypot is a system that often has pseudo flaws and fake data to lure intruders.
Administrators can observe the activity of attackers while they are in the honeypot, and as long as attackers are in the honeypot, they are not in the live network.
Some IDSs have the ability to transfer attackers into a padded cell after detection.
Although a honeypot & padded cell are similar, note that a honeypot lures the attacker, but the attacker is transferred into the padded cell.
Understand methods to block malicious code
Malicious code is thwarted with a combination of tools.
The obvious tool is anti-malware software with up-to-date definitions installed on each system, at the boundary of the network, and on email servers.
However, policies that enforce basic security principles, such as the principle of least privilege, prevent regular users from installing potentially malicious software.
Additionally, educating users about the risks and the methods attackers commonly use to spread viruses helps users understand & avoid dangerous behaviours.
Understand penetration testing
Pen tests start by discovering vulnerabilities and then mimic an attack to identify what vulnerabilities can be exploited.
It’s important to remember that pen testing should not be done without express consent & knowledge of management.
Additionally, since pen tests can result in damage, they should be done on isolated systems whenever possible.
You should also recognise the difference between black-box (zero knowledge), white-box (full knowledge) & grey-box (partial knowledge) testing.
Know the types of log files
Log data is recorded in databases and different types of log files.
Common log files include:
security logs
system logs
application logs
firewall logs
proxy logs
change management logs
Log files should be protected by centrally storing them and using permissions to restrict access, and archived logs should be set to read-only to prevent modifications.
Understand monitoring & uses of monitoring tools
Monitoring is a form of auditing that focuses on active review of the log file data.
Monitoring is used to hold subjects accountable for their actions and to detect abnormal or malicious activities.
It is also used to monitor system performance.
Monitoring tools such as IDSs or SIEMs automate monitoring and provide real-time analysis of events.
Understand audit trails
Audit trails are the records created by recording information about events & occurrences into one or more databases or log files.
They are used to reconstruct an event, to extract information about an incident, and to prove or disprove culpability.
Using audit trails is a passive form of detective security control, and audit trails are essential evidence in the prosecution of criminals.
Understand sampling
Sampling, or data extraction, is the process of extracting elements from a large body of data to construct a meaningful representation or summary of the whole.
Statistical sampling uses precise mathematical functions to extract meaningful information from a large volume of data.
Clipping is a form of non-statistical sampling that records only events that exceed a threshold.
Understand how to maintain accountability
Accountability is maintained for individual subjects through the use of auditing.
Logs record user activities and users can be held accountable for their logged actions.
This directly promotes good user behaviour & compliance with the organisation’s security policy.
Understand the importance of security audits & reviews
Security audits & reviews help ensure that management programs are effective and being followed. They are commonly associated with account management practices to prevent violations of least privilege or need-to-know principles.
However, they can also be performed to oversee patch management, vulnerability management, change management & configuration management programs.
Understand auditing and the need for frequent security audits
Auditing is a methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorised occurrences, or outright crimes.
Secure IT environments rely heavily on auditing.
Overall, auditing serves as a primary type of detective control used within a secure environment.
The frequency of an IT infrastructure security audit or security review is based on risk.
An organisation determines whether sufficient risk exists to warrant the expense & interruption of a security audit.
The degree of risk also affects how often an audit is performed. It is important to clearly define and adhere to the frequency of audit reviews.
Understand that auditing is an aspect of due care
Security audits & effectiveness reviews are key elements in displaying due care.
Senior management must enforce compliance with regular periodic security reviews, or they will likely be held accountable & liable for any asset losses that occur.
Understand the need to control access to audit reports
Audit reports typically address common concepts such as the purpose of the audit, the scope of the audit, and the results discovered or revealed by the audit.
They often include other details specific to the environment and can include sensitive information such as problems, standards, causes & recommendations.
Audit reports that contain sensitive information should be assigned a classification label and handled appropriately.
Only people with sufficient privilege should have access to them.
An audit report can be prepared in various versions for different target audiences to include only the details needed by a specific audience. For example, senior security administrators might have a report with all the relevant details, whereas a report for executives would provide only high-level information.
Understand access review & user entitlement audits
An access review audit ensures that object access & account management practices support the security policy.
User entitlement audits ensure that the principle of least privilege is followed and often focus on privileged accounts.
Audit access controls
Regular reviews and audits of access control processes help assess the effectiveness of access controls.
For example, auditing can track logon successes & failures of any account.
An IDS can monitor these logs and easily identify attacks and notify administrators.
Who is the intended audience for a security assessment report?
(a) Management (b) Security auditor (c) Security professional (d) Customers
Answer: (a)
Explanation: Security assessment reports should be addressed to the organisation’s management. For this reason, they should be written in plain English and avoid technical jargon.
Beth would like to run an nmap scan against all of the systems on her organisation’s private network. These include systems in the 10.0.0.0 private address space. She would like to scan this entire private address space because she is not certain what subnets are used. What network address should Beth specify as the target of her scan?
Explanation: The use of an 8-bit subnet mask means that the first octet of the IP address represents the network address. In this case, that means 10.0.0.0/8 will scan any IP address beginning with “10.”
What type of network discovery scan only follows the first two steps of the TCP handshake?
Explanation: The TCP SYN scan sends a SYN packet and receives a SYN ACK packet in response, but it does not send the final ACK required to complete the three-way handshake.
What information security management task ensures that the organisation’s data protection requirements are met effectively?
Explanation: The backup verification process ensures that backups are running properly and thus meeting the organisation’s data protection objectives.
An organisation ensures that users are granted access to only the data they need to perform specific work tasks. What principle are they following?
(a) Principle of least permission (b) Separation of duties (c) Need-to-know (d) Role Based Access Control
Answer: (c)
Explanation: Need-to-know is the requirement to have access to, knowledge about, or possession of data to perform specific work tasks, but no more. The principle of least privilege includes both rights & permissions, but the term principle of least permission is not valid within IT security. Separation of duties ensures that a single person doesn’t control all the elements of a process. Role Based Access Control (RBAC) grants access to resources based on a role.
What is a primary benefit of job rotation & separation of duties policies?
Explanation: Job rotation and separation of duties policies help prevent fraud. Collusion is an agreement among multiple persons to perform some unauthorised or illegal actions, and implementing these policies doesn't prevent collusion, nor does it encourage employees to collude against an organisation. They help deter and prevent incidents, but they do not correct them.
While troubleshooting a network problem, a technician realised the problem could be resolved by opening a port on a firewall. The technician opened the port and verified the system was now working. However, an attacker accessed this port and launched a successful attack. What could have prevented this problem?
An administrator is granting permissions to a database. What is the default level of access the administrator should grant to new users in the organisation?
(a) Read (b) Modify (c) Full access (d) No access
Answer: (d)
Explanation: The default level of access should be no access. The principle of least privilege dictates that users should only be granted the level of access they need for their job, and the question doesn't indicate that new users need any access to the database. Read, modify and full access all grant the user some level of access, which violates the principle of least privilege.
Which of the following can be an effective method of configuration management using a baseline?
Explanation: Images can be an effective config mgmt method using a baseline. Imaging ensures that systems are deployed with the same, known config. Change mgmt processes help to identify vulnerabilities, and patch mgmt processes help to ensure that systems are kept up-to-date.
Understand need-to-know and the principle of least privilege
Need-to-know and the principle of least privilege are two standard IT security principles implemented in secure networks.
They limit access to data & systems so that users and other subjects have access only to what they require.
This limited access helps prevent security incidents, and helps limit the scope of incidents when they do occur.
When these principles are not followed, security incidents result in far greater damage to an organisation.
Understand separation of duties & job rotation
Separation of duties is a basic security principle that ensures that no single person can control all the elements of a critical function or system.
With job rotation, employees are rotated into different jobs, or tasks are assigned to different employees.
Collusion is an agreement among multiple persons to perform some unauthorised or illegal actions.
Implementing these policies helps prevent fraud by limiting actions individuals can do without colluding with others.
Understand the importance of monitoring privileged operations
Privileged entities are trusted, but they can abuse their privileges. Because of this, it’s important to monitor all assignment of privileges, and the use of privileged operations.
The goal is to ensure that trusted employees do not abuse the special privileges they are granted.
Monitoring these operations can also detect many attacks because attackers commonly use special privileges during an attack.
Understand the information lifecycle
Data needs to be protected throughout its entire lifecycle.
This starts by properly classifying & marking data.
It also includes properly handling, storing & destroying data.
Understand SLAs
Organisations use service-level agreements (SLAs) with outside entities such as vendors.
They stipulate performance expectations such as maximum downtimes, and often include penalties if the vendor doesn’t meet expectations.
Understand secure provisioning concepts
Secure provisioning of resources includes ensuring that resources are deployed in a secure manner and are maintained in a secure manner throughout their lifecycles.
As an example, desktop PCs can be deployed using a secure image.
Understand virtual assets
Virtual assets include VMs, VDI, SDN and virtual SANs.
Hypervisors are the primary software component that manages virtual assets, but hypervisors also provide attackers with an additional target.
It’s important to keep physical servers hosting your virtual assets up-to-date with appropriate patches for the OS & the hypervisor.
Additionally, all VMs must be kept up-to-date.
Recognise security issues with cloud-based assets
Cloud-based assets include any resources accessed via the cloud.
Storing data in the cloud increases the risk so additional steps may be necessary to protect the data, depending on its value.
When leasing cloud-based services, you must understand who is responsible for maintenance & security.
The cloud service provider provides the least amount of maintenance & security in the IaaS model.
Explain configuration & change control management
Many outages & incidents can be prevented with effective configuration & change management programs.
Configuration management ensures that systems are configured similarly and the configurations of systems are known and documented.
Baselining ensures that systems are deployed with a common baseline or starting point, and imaging is a common baselining method.
Change management helps reduce outages or weakened security from unauthorised changes. A change management process requires changes to be requested, approved, tested & documented.
Versioning uses a labelling or numbering system to track changes in updated versions of software.
Understand patch management
Patch management ensures that systems are kept up-to-date with current patches.
You should know that an effective patch management program will evaluate, test, approve & deploy patches.
Additionally, be aware that system audits verify the deployment of approved patches to systems.
Patch management is often intertwined with change & configuration management to ensure that documentation reflects the changes.
When an organisation does not have an effective patch management program, it will often experience outages and incidents from known issues that could have been prevented.
Explain vulnerability management
Vulnerability management includes routine vulnerability scans & periodic vulnerability assessments.
Vulnerability scanners can detect known security vulnerabilities & weaknesses such as the absence of patches or weak passwords.
They generate reports that indicate the technical vulnerabilities of a system and are an effective check for a patch management program.
Vulnerability assessments extend beyond just technical scans, and can include reviews and audits to detect vulnerabilities.
Understand the importance of security assessment & testing programs
Security assessment & testing programs provide an important mechanism for validating the ongoing effectiveness of security controls.
They include a variety of tools, including vulnerability assessments, penetration tests, software testing, audits & security management tasks designed to validate controls.
Every organisation should have a security assessment & testing program defined and operational.
Vulnerability assessments use automated tools to search for known vulnerabilities in systems, applications & networks.
These flaws (which may include missing patches, misconfigurations or faulty code) expose the organisation to security risks.
Penetration tests also use these same tools but supplement them with attack techniques where an assessor attempts to exploit vulnerabilities and gain access to the system.
Perform software testing to validate code moving into production
Software testing techniques verify that code functions as designed and does not contain security flaws.
Code review uses a peer review process to formally or informally validate code before deploying it in production.
Interface testing assesses the interactions between components and users with API testing, user interface testing and physical interface testing.
Understand the difference between static & dynamic software testing
Static software testing techniques, such as code reviews, evaluate the security of software without running it, by analysing either the source code or the compiled application.
Dynamic testing evaluates the security of software in a runtime environment and is often the only option for organisations deploying applications written by someone else.
Explain the concept of fuzzing
Fuzzing uses modified inputs to test software performance under unexpected circumstances.
Mutation fuzzing modifies known inputs to generate synthetic inputs that may trigger unexpected behaviour.
Generational fuzzing instead develops inputs from models of the expected input format to achieve the same goal.
Perform security management tasks to provide oversight to the information security program
Security managers must perform a variety of activities to retain proper oversight of the information security program.
Log reviews, particularly for any administrator activities, ensure that systems are not misused.
Account management reviews ensure that only authorised users retain access to information systems.
Backup verification ensures that the organisation’s data protection process is functioning properly.
Key performance & risk indicators provide a high-level view of security program effectiveness.
Conduct or facilitate internal & third-party audits
Internal audits are performed by the organisation’s own staff to assess the security controls protecting it, and are intended for management use.
External audits are performed by a third-party audit firm and are generally intended for the organisation’s governing body.