1. 2020 CISSP MENTOR PROGRAM
May 18, 2020
-----------
Class 9 – May 18, 2020
Instructor:
• Brad Nigh, FRSecure Director of Professional Services & Innovation
2. CISSP® MENTOR PROGRAM – SESSION NINE
1
FRSECURE CISSP MENTOR PROGRAM LIVE STREAM
#MissionBeforeMoney
Quick housekeeping reminder.
• The online/live chat that’s provided while live streaming on YouTube
is for constructive, respectful, and relevant (about course content)
discussion ONLY.
• At NO TIME is the online chat permitted to be used for disrespectful,
offensive, obscene, indecent, or profane remarks or content.
• Please do not comment about controversial subjects, and please NO
DISCUSSION OF POLITICS OR RELIGION.
• Failure to abide by the rules may result in disabling chat for you.
THANK YOU!
FRSECURE.COM/CISSP-MENTOR-PROGRAM
3. • New schedule is as follows, and is updated on the website (https://frsecure.com/cissp-mentor-program/)
• 5/25 – No Class
• 5/27 – Domain 7 Security Operations (con’t)
• 6/1 - Finishing Domain 8: Software Development Security
• CISSP Exam Final Preparation & Practice Testing
• 6/3 - CISSP Exam Final Preparation & Practice Testing
SCHEDULING UPDATE
Due to Memorial Day, things are getting pushed back.
4. Another beautiful rainy weekend in Minnesota! Makes it harder, or easier, to study?
• Check-in.
• How many have read Chapters 1–6?
• Questions?
WELCOME BACK!
Back to the grind I suppose…
Only 99 slides tonight. We’ll fly through Chapter 7 tonight and
make good progress into Chapter 8.
We’ve made it through some of the toughest parts already.
5. 1. What technique would lower the False Accept Rate
(FAR) and raise the False Reject Rate (FRR) in a
fingerprint scanning system?
A. Decrease the amount of minutiae that is verified
B. Increase the amount of minutiae that is verified
C. Lengthen the enrollment time
D. Lower the throughput time
CISSP® MENTOR PROGRAM – SESSION NINE
4
QUIZ…
Questions, questions, questions…
FRSECURE.COM/CISSP-MENTOR-PROGRAM
6. 1. What technique would raise the False Accept Rate
(FAR) and Lower the False Reject Rate (FRR) in a
fingerprint scanning system?
A. Decrease the amount of minutiae that is verified
B. Increase the amount of minutiae that is verified
C. Lengthen the enrollment time
D. Lower the throughput time
7. 2. A user attempts to view data that they have no business requirement to view and is blocked. This is an example of what?
A. Least privilege
B. Need to know
C. Rotation of duties
D. Separation of duties
8. 2. A policy that states a user must have a business
requirement to view data before attempting to do so is
an example of enforcing what?
A. Least privilege
B. Need to know
C. Rotation of duties
D. Separation of duties
9. 3. Server A trusts server B. Server B trusts Server C. Server
A therefore trusts server C. What term describes this
trust relationship?
A. Domain trust
B. Forest trust
C. Nontransitive trust
D. Transitive trust
11. 4. What protocol provides a common open protocol for interfacing with and querying directory service information provided by network operating systems, using TCP ports 636 and 3269?
A. CHAP
B. LDAP
C. PAP
D. RADIUS
13. 5. Within Kerberos, which part is the single point of
failure?
A. The Ticket Granting Ticket
B. The Realm
C. The Key Distribution Center
D. The Client-Server session key
15. 6. A Type II biometric error is also known as what?
A. Crossover Error Rate (CER)
B. Equal Error Rate (EER)
C. False Accept Rate (FAR)
D. False Reject Rate (FRR)
17.
LET’S DO THIS!
And here we go again…
18. WHAT ARE WE GOING TO COVER?
Agenda – Domain 6: Security Assessment and Testing
(Designing, Performing, and Analyzing Security Testing)
• Assessing Access Control
• Software Testing Methods
Only two objectives?! Piece of cake.
Starting on page 329 this evening
19. Unique Terms and Definitions
• Dynamic Testing – Tests code while executing it
• Fuzzing – A type of black box testing that submits random,
malformed data as inputs into software programs to determine if
they will crash
• Penetration Testing – Authorized attempt to break into an
organization’s physical or electronic perimeter (and sometimes
both)
• Static Testing – Tests code passively: the code is not running.
• Synthetic Transactions – Also called synthetic monitoring:
involves building scripts or tools that simulate activities normally
performed in an application
CISSP® MENTOR PROGRAM – SESSION NINE
18
LECTURE
Agenda – Domain 6: Security Assessment and Testing
FRSECURE.COM/CISSP-MENTOR-PROGRAM
20. Assessment and testing are critical.
• Accurately assess real-world security.
• How do you know where to start, unless you’ve
assessed where you are?
• Overall security assessments – including various
controls & testing methods.
• Testing software; static and dynamic
21. Assessing Access Control
• First, determine scope!
• What are we testing?
• Why are we testing it?
• Tests with narrower scope include penetration tests (“pentests”), vulnerability assessments, and security audits.
• Broad scope assessments often include narrow scope testing.
22. Penetration Testing
• Lots of different types of penetration tests, depending on the
what and why (and a little how).
• Network (Internet)
• Network (internal or DMZ)
• War dialing
• Wireless
• Physical (attempt to gain entrance into a facility or room)
• Simulate client-side attacks, server-side attacks, Web application
attacks, etc.
23. Penetration Testing - Black Hats and White Hats
• Black hat attackers are malicious hackers, sometimes called crackers.
• “Black” derives from villains in fiction: Darth Vader wore all black
• They lack ethics, sometimes violate laws, and break into computer systems with malicious intent, and may violate the confidentiality, integrity, or availability of an organization’s systems and data
• White hat hackers are the “good guys”
• Professional penetration testers who break into systems with permission
• Malware researchers who analyze malicious code to provide better understanding and ethically disclose vulnerabilities to vendors, etc.
• Also known as ethical hackers; they follow a code of ethics and obey laws
25. Penetration Testing - Black Hats and White Hats
• Gray hat hackers fall somewhere between black and white hats
• Exploits a security weakness in a computer system or product in order to
bring the weakness to the attention of the owners
• Unlike a black hat, a gray hat acts without malicious intent
• The goal of a gray hat is to improve system and network security
27. Penetration Testing
• War dialing uses a modem to dial a series of phone numbers, looking for an answering modem carrier tone (the penetration tester then attempts to access the answering system); the name derives from the 1983 movie WarGames
• Social engineering uses the human mind to bypass security
controls
• May be used in combination with many types of attacks, especially client-
side attacks or physical tests
• An example of a social engineering attack combined with a client-side
attack is emailing malware with a Subject line of “Category 5 Hurricane is
about to hit Florida!”
• An example of a physical social engineering attack is tailgating an authorized user into a building
29. Penetration Testing
• A zero-knowledge (also called black box) test is “blind”; the
penetration tester begins with no external or trusted information,
and begins the attack with public information only
• A full-knowledge test (also called crystal-box) provides internal
information to the penetration tester, including network
diagrams, policies and procedures, and sometimes reports from
previous penetration testers
• Partial-knowledge tests are in between zero and full knowledge:
the penetration tester receives some limited trusted information
• Most penetration tests have a scope that includes a limitation on
the time spent conducting the test
30. Penetration Testing Tools and Methodology
• Penetration testing tools:
• Open source Metasploit (http://www.metasploit.org)
• Closed source Core Impact (http://www.coresecurity.com)
and Immunity Canvas (http://www.immunitysec.com)
• Top 125 Network Security Tools (http://sectools.org/)
• Custom tools
32. Penetration Testing Tools and Methodology
• Penetration testers use the following methodology:
• Planning
• Reconnaissance
• Scanning (also called enumeration)
• Vulnerability assessment
• Exploitation
• Reporting
• Black hat hackers typically follow a similar methodology
• Black hats will also cover their tracks (erase logs and other signs
of intrusion), and frequently violate system integrity by installing
back doors (in order to maintain access)
34. Assuring Confidentiality, Data Integrity, and System
Integrity
• Penetration testers must ensure the confidentiality of any
sensitive data that is accessed during the test
• Testers will often request that a dummy file containing no
regulated or sensitive data (sometimes called a flag) be placed in
the same area of the system as the credit card data, and
protected with the same permissions
• If the tester can read and/or write to that file, then they prove
they could have done the same to the credit card data
• Penetration testers must also ensure the system integrity and data integrity of their client’s systems
• There is a risk of encountering signs of a previous or current successful malicious attack (discuss how this will be handled before starting a test)
35. Vulnerability Testing
• Vulnerability scanning (also called vulnerability testing) scans a
network or system for a list of predefined vulnerabilities such as
system misconfiguration, outdated software, or a lack of
patching
• Nessus (http://www.nessus.org), OpenVAS (http://www.openvas.org), Qualys, and Rapid7 Nexpose
• Missing patches and configuration errors
• Common Vulnerability Scoring System (CVSS) -
https://nvd.nist.gov/cvss.cfm
37. Security Assessments
• A holistic approach to assessing the effectiveness of
access control
• Broad scope
• Security assessments view many controls across
multiple domains, and may include the following:
• Policies, procedures, and other administrative controls
• Assessing the real-world effectiveness of administrative controls
• Change management
• Architectural review
• Penetration tests
• Vulnerability assessments
• Security audits
38. Security Assessments
• Key words… “assessing the effectiveness”
• Where there are gaps in control (weakness/vulnerability), what
are the applicable threats?
• Vulnerabilities + Threats = Likelihoods & Impacts = RISK
• FRSecure specializes in assessments – FISA™ and FISASCORE®
39. Security Assessments
• Remember our definition of information security?
• Administrative Controls – policies, procedures,
training & awareness, etc.
• Physical Controls – the things we can touch; locks,
cameras, etc.
• Technical Controls – the effectiveness of the
technology we employ to protect assets.
40. Security Assessments
• FRSecure specializes in assessments – S2Org™ powered by
S2Score™ is at our core.
41. Internal and 3rd-Party Audits
• Internal audit
• Structured audits – external audience, validate compliance,
etc.
• Unstructured audits – internal audience, improve security,
etc.
• 3rd-Party audits
• Experts (hopefully)
• Adds credibility
• Teach
42. Log Reviews - Security Audit Logs
• Reviewing security audit logs within an IT system is one of the
easiest ways to verify that access control mechanisms are
performing adequately
• Reviewing audit logs is primarily a detective control
• Remember: we cannot prevent all bad things from happening, so we must be able to detect and respond. This is NOT risk elimination, but risk management.
43. Log Reviews - Security Audit Logs
• According to NIST Special Publication 800-92 (http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf), the following log types should be collected:
• Network Security Software/Hardware:
• Antivirus logs
• IDS/IPS logs
• Remote Access Software (such as VPN logs)
• Web proxy
• Vulnerability management
• Authentication servers
• Routers and firewalls
44. Security Audit Logs – Centralized Logging
• Assists in log retention (sufficient for legal/regulatory
compliance and investigation)
• Assists in log protection (integrity & availability) –
attackers delete logs, destroying evidence.
• SIEM
• Log protection
• Log aggregation
• Log correlation
• Dashboard reporting
SIEM isn’t plug and play.
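Added example (not from the course or any SIEM product) of the aggregation and correlation steps a SIEM performs: constructed authentication-server and VPN log lines, two of the SP 800-92 source types listed above, are normalised into one event shape, grouped by source address, and run through a rule that flags a burst of failed logons followed by a success from the same address. The log lines, host names, addresses and the rule thresholds are all made up for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real logs) from two SP 800-92 source types:
# an authentication server (sshd-style) and a remote-access VPN gateway.
SAMPLE_LOGS = """\
2020-05-18T20:01:02 authsrv sshd[411]: Failed password for admin from 203.0.113.9 port 50122 ssh2
2020-05-18T20:01:05 authsrv sshd[411]: Failed password for admin from 203.0.113.9 port 50123 ssh2
2020-05-18T20:01:09 authsrv sshd[411]: Failed password for root from 203.0.113.9 port 50124 ssh2
2020-05-18T20:01:14 authsrv sshd[411]: Failed password for admin from 203.0.113.9 port 50125 ssh2
2020-05-18T20:01:40 authsrv sshd[411]: Accepted password for admin from 203.0.113.9 port 50130 ssh2
2020-05-18T20:02:00 authsrv sshd[412]: Failed password for bob from 198.51.100.7 port 40001 ssh2
2020-05-18T20:02:30 authsrv sshd[412]: Accepted password for bob from 198.51.100.7 port 40002 ssh2
2020-05-18T20:03:00 vpngw openvpn[77]: AUTH_FAILED user=alice src=192.0.2.44
2020-05-18T20:03:01 vpngw openvpn[77]: AUTH_FAILED user=alice src=192.0.2.44
2020-05-18T20:03:02 vpngw openvpn[77]: AUTH_FAILED user=alice src=192.0.2.44
2020-05-18T20:03:03 vpngw openvpn[77]: AUTH_FAILED user=alice src=192.0.2.44
2020-05-18T20:03:05 vpngw openvpn[77]: AUTH_OK user=alice src=192.0.2.44
"""

# One regex per log source; both normalise to the same named groups.
SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) "
    r"password for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)
VPN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) openvpn\[\d+\]: AUTH_(?P<outcome>FAILED|OK) "
    r"user=(?P<user>\S+) src=(?P<ip>\S+)"
)


def parse_event(line):
    """Aggregation step: turn a raw line from either source into one common
    event shape. Returns None for lines no parser understands."""
    for rx, fail_token in ((SSH_RE, "Failed"), (VPN_RE, "FAILED")):
        m = rx.match(line)
        if m:
            return {
                "ts": datetime.fromisoformat(m["ts"]),
                "host": m["host"],
                "user": m["user"],
                "ip": m["ip"],
                "success": m["outcome"] != fail_token,
            }
    return None


def correlate(lines, min_failures=3, window=timedelta(minutes=5)):
    """Correlation step: at least `min_failures` failed logons from one
    source IP inside `window`, followed by a successful logon from that
    same IP before the window closes, produces one alert."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev:
            by_ip[ev["ip"]].append(ev)
    alerts = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        recent_failures = []
        for ev in events:
            # Forget failures that have aged out of the correlation window.
            recent_failures = [f for f in recent_failures
                               if ev["ts"] - f["ts"] <= window]
            if not ev["success"]:
                recent_failures.append(ev)
            elif len(recent_failures) >= min_failures:
                alerts.append({
                    "ip": ip,
                    "host": ev["host"],
                    "user": ev["user"],
                    "failures": len(recent_failures),
                    "first_failure": recent_failures[0]["ts"],
                    "success_at": ev["ts"],
                })
                recent_failures = []  # one alert per burst
    return alerts


def run_sample():
    """Run the rule over the constructed sample; returns the alert list."""
    return correlate(SAMPLE_LOGS.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT {a['ip']} -> {a['host']}: user {a['user']} logged in "
              f"after {a['failures']} failures starting {a['first_failure']}")
```

Note that the VPN burst is only visible because both sources land in the same store; reviewing the VPN log on its own would still show it, but the rule written once applies to every source that has been normalised.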
45. Software Testing Methods
• Static testing tests the code passively: the code is not running. This
includes walkthroughs, syntax checking, and code reviews.
• Dynamic testing tests the code while executing it.
• White box software testing gives the tester access to program source
code, data structures, variables, etc.
• Black box testing gives the tester no internal details: the software is
treated as a black box that receives inputs.
• A Traceability Matrix (sometimes called a Requirements Traceability Matrix, or RTM) can be used to map customer requirements to the software testing plan: it “traces” the “requirements,” and ensures that they are being met.
• Fuzzing (also called fuzz testing) is a type of black box testing that
enters random, malformed data as inputs into software programs to
determine if they will crash.
• Combinatorial software testing is a black-box testing method that seeks
to identify and test all unique combinations of software inputs.
46. Software Testing Methods
• Static testing tests the code passively: the code is not running.
This includes walkthroughs, syntax checking, and code reviews.
• Analysis of computer software that is performed without actually executing programs
• In most cases the analysis is performed on some version of the source code, and in other cases on some form of the object code
• List of tools for static code analysis (https://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis)
48. Software Testing Methods
• Traceability Matrix (or Requirements Traceability Matrix or RTM)
• Map customer requirements to the software testing plan.
49. Software Testing Levels
• Synthetic Transactions (aka synthetic monitoring):
• Scripts and/or tools to simulate “normal” activities.
• Establish baselines and performance metrics (usually)
50. Software Testing Levels
• Unit Testing: Low-level tests of software components, such as
functions, procedures or objects
• Installation Testing: Testing software as it is installed and first
operated
• Integration Testing: Testing multiple software components as
they are combined into a working system. Subsets may be
tested, or Big Bang integration testing tests all integrated
software components
• Regression Testing: Testing software after updates,
modifications, or patches
• Acceptance Testing: testing to ensure the software meets the
customer’s operational requirements. When this testing is done
directly by the customer, it is called User Acceptance Testing.
51. Software Testing Levels
Fuzzing
• Black box testing that enters random, malformed data as inputs
into software programs to determine if they will crash.
• Typical causes are boundary checking issues, leading to possible
buffer overflows
• Typically automated, repeatedly presenting random input strings as command line switches, environment variables, and program inputs
• List of good fuzzers: http://sectools.org/tag/fuzzers/
• Burp Suite https://portswigger.net/burp/
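Added example, not from the course or any fuzzer listed above, of what a fuzzer does: a constructed length-prefixed record parser with a missing boundary check is fed mutated inputs, any unexpected exception is recorded as a crash, and the boundary-checked version of the same parser is fuzzed alongside it. Python's IndexError stands in for the memory-corruption crash the same bug would cause in C; the record format, both parsers and the mutation strategy are assumptions made for this illustration.

```python
import random

BUF_SIZE = 16  # fixed-size destination buffer the parser copies into


class MalformedRecord(ValueError):
    """Deliberate rejection of bad input; the fuzzer does not count it as a crash."""


def parse_record_unchecked(data: bytes) -> bytes:
    """Record = 1 length byte + payload. Copies `length` bytes into a fixed
    16-byte buffer WITHOUT checking the length: the Python analogue of a
    missing boundary check (in C this would be a buffer overflow; here it
    surfaces as an IndexError)."""
    buf = bytearray(BUF_SIZE)
    length = data[0]            # IndexError on empty input as well
    for i in range(length):
        buf[i] = data[1 + i]    # overruns buf when length > BUF_SIZE, and
                                # overruns data when the payload is short
    return bytes(buf[:length])


def parse_record_checked(data: bytes) -> bytes:
    """Same format, with the boundary checks the unchecked version lacks."""
    if not data:
        raise MalformedRecord("empty record")
    length = data[0]
    if length > BUF_SIZE:
        raise MalformedRecord(f"length {length} exceeds buffer of {BUF_SIZE}")
    if len(data) - 1 < length:
        raise MalformedRecord("payload shorter than declared length")
    buf = bytearray(BUF_SIZE)
    buf[:length] = data[1:1 + length]
    return bytes(buf[:length])


def mutate(seed_input: bytes, rng: random.Random) -> bytes:
    """Produce one malformed variant of a valid record: flip a bit, truncate,
    randomise the length byte (the boundary probe), or append junk."""
    data = bytearray(seed_input)
    choice = rng.randrange(4)
    if choice == 0 and data:
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif choice == 1:
        data = data[:rng.randrange(len(data) + 1)]
    elif choice == 2 and data:
        data[0] = rng.randrange(256)
    else:
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(8)))
    return bytes(data)


def fuzz(target, iterations=500, seed=2020):
    """Run `target` on mutated inputs. Returns the distinct crash types found,
    mapped to the first input that triggered each (a seeded RNG makes the
    run reproducible, which matters when you hand a crash to a developer)."""
    rng = random.Random(seed)
    seed_input = bytes([5]) + b"hello"   # one well-formed record to mutate
    crashes = {}
    for _ in range(iterations):
        data = mutate(seed_input, rng)
        try:
            target(data)
        except MalformedRecord:
            continue                     # expected, graceful rejection
        except Exception as exc:         # anything else is a crash
            crashes.setdefault(type(exc).__name__, data)
    return crashes


if __name__ == "__main__":
    for name, target in (("unchecked", parse_record_unchecked),
                         ("checked", parse_record_checked)):
        found = fuzz(target)
        print(f"{name} parser: {len(found)} crash type(s) found")
        for exc_name, trigger in found.items():
            print(f"  {exc_name} triggered by {trigger!r}")
```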
53. Other Software Testing Terms
• Misuse Case Testing - derived from and is the inverse of use
case testing; describes the process of executing a malicious act
against a system, while use case can be used to describe any
action taken by the system
• Test Coverage Analysis
• Interface Testing – testing of all interfaces exposed by the
application.
• Combinatorial software testing - a black-box testing method that
seeks to identify and test all unique combinations of software
inputs.
54. And now we’re done…
55. And now we’re done…
Or are we?!
56. And now we’re done…
Or are we?!
Let’s get a jump start on Domain 7: Security Operations.
58. Domain #7: Security Operations (a lot of them…)
• Administrative Security
• Forensics
• Incident Response Management
• Operational Preventive and Detective Controls
• Asset Management
• …
LECTURE
The next domain…
59. Domain #7: Security Operations (a lot of them…)
• Continuity of Operations
• BCP and DRP Overview and Process
• Developing a BCP/DRP
• Backups and Availability
• DRP Testing, Training and Awareness
• Continued BCP/DRP Maintenance
• Specific BCP/DRP Frameworks
60. Unique Terms and Definitions
• Business Continuity Plan (BCP)—a long-term plan to ensure the
continuity of business operations
• Collusion—An agreement between two or more individuals to
subvert the security of a system
• Continuity of Operations Plan (COOP)—a plan to maintain
operations during a disaster.
• Disaster—any disruptive event that interrupts normal system
operations
• Disaster Recovery Plan (DRP)—a short-term plan to recover from
a disruptive event
LECTURE
Domain #7: Security Operations
61. Unique Terms and Definitions
• Mean Time Between Failures (MTBF)—quantifies how long a new
or repaired system will run on average before failing
• Mean Time to Repair (MTTR)—describes how long it will take to
recover a failed system
• Mirroring—Complete duplication of data to another disk, used by
some levels of RAID.
• Redundant Array of Inexpensive Disks (RAID)—A method of using
multiple disk drives to achieve greater data reliability, greater
speed, or both
• Striping—Spreading data writes across multiple disks to achieve
performance gains, used by some levels of RAID
62. Administrative Security
• Administrative Security provides the means to control people's
operational access to data
Least Privilege or Minimum Necessary Access
• Dictates that persons have no more than the access that is
strictly required for the performance of their duties
• May also be referred to as the principle of minimum necessary
access
• Discretionary Access Control (DAC) – most often applicable
63. Need to know
• Mandatory Access Control (MAC)
• Access determination is based upon clearance levels of subjects
and classification levels of objects
• An extension of the principle of least privilege in MAC environments is the concept of compartmentalization:
• A method for enforcing need to know that goes beyond reliance on clearance level: holding the required clearance is not enough, the person must also actually require access to the specific information.
64. Separation of Duties
• Prescribes that multiple people are required to complete critical
or sensitive transactions
• The goal of separation of duties is to ensure that, in order for someone to abuse their access to sensitive data or transactions, they must convince another party to act in concert
• Collusion is the term used for the two parties conspiring to
undermine the security of the transaction
65. Rotation of Duties/Job Rotation
• Also known as job rotation or rotation of responsibilities
• Provides a means to help mitigate the risk associated with any
one individual having too many privileges
• Requires that critical functions or responsibilities are not
continuously performed by the same single person without
interruption
• “hit by a bus” or “win the lottery” scenario
Exam Warning: Though job or responsibility rotation is an important control,
this, like many other controls, is often compared against the cost of
implementing the control. Many organizations will opt for not implementing
rotation of duties because of the cost associated with implementation. For
the exam, be certain to appreciate that cost is always a consideration, and
can trump the implementation of some controls.
66. Mandatory Leave/Forced Vacation
• Also known as forced vacation
• Can identify areas where depth of coverage is lacking
• Can also help discover fraudulent or suspicious behavior
• Knowledge that mandatory leave is a possibility might deter
some individuals from engaging in the fraudulent behavior in the
first place
67. Non-Disclosure Agreement (NDA)
• A work-related contractual agreement that ensures that, prior to
being given access to sensitive information or data, an individual
or organization appreciates their legal responsibility to maintain
the confidentiality of sensitive information.
• Often signed by job candidates before they are hired, as well as
consultants or contractors
• Largely a directive control
68. Background Checks
• Also known as background investigations or preemployment
screening
• Majority of background investigations are performed as part of a
preemployment screening process
• The sensitivity of the position being filled or data to which the
individual will have access strongly determines the degree to
which this information is scrutinized and the depth to which the
investigation will report
• Ongoing, or postemployment, investigations seek to determine
whether the individual continues to be worthy of the trust
required of their position
• Background checks performed in advance of employment serve
as a preventive control while ongoing repeat background checks
constitute a detective control and possibly a deterrent.
69. Privilege Monitoring
• Heightened privileges require both greater scrutiny and more
thoughtful controls
• Some of the job functions that warrant greater scrutiny include:
account creation/modification/deletion, system reboots, data
backup, data restoration, source code access, audit log access,
security configuration capabilities, etc.
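A detection example added here, not part of the deck: the privileged job functions listed above turned into a watchlist that is applied to a few constructed log lines, so a reviewer sees which users performed scrutinised actions and which of those deserve escalation. The log format, action names, host names and user names are assumptions made for this example.

```python
import re
from collections import Counter

# Job functions the slide names as warranting greater scrutiny, mapped to the
# action names used by the constructed log format below (assumed names).
PRIVILEGED_ACTIONS = {
    "account.create": "account management",
    "account.modify": "account management",
    "account.delete": "account management",
    "system.reboot": "system reboot",
    "backup.run": "data backup",
    "backup.restore": "data restoration",
    "scm.checkout": "source code access",
    "auditlog.read": "audit log access",
    "auditlog.clear": "audit log access",
    "secconfig.change": "security configuration",
}

# Actions that undermine the reviewer's own evidence trail get escalated, not just queued.
ESCALATE = {"auditlog.clear", "account.delete"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+)(?: target=(?P<target>\S+))?$")

# Constructed sample log; nothing here comes from a real system.
SAMPLE_LOG = """\
2020-05-18T19:58:02 host=app01 user=jdoe action=file.read target=/srv/reports/q1.pdf
2020-05-18T20:01:07 host=dc01 user=admin7 action=account.create target=svc_backup
2020-05-18T20:01:09 host=dc01 user=admin7 action=secconfig.change target=password_policy
2020-05-18T20:03:44 host=fs01 user=jdoe action=file.write target=/home/jdoe/notes.txt
2020-05-18T20:05:10 host=siem01 user=admin7 action=auditlog.clear target=security.evtx
2020-05-18T20:07:00 host=db01 user=ops1 action=backup.restore target=customers
this line is not in the expected format and is skipped
"""


def parse_line(line):
    """Parse one line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def privileged_events(log_text):
    """Return only the events that fall into a monitored privileged category."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        category = PRIVILEGED_ACTIONS.get(rec["action"])
        if category is None:
            continue
        rec["category"] = category
        rec["severity"] = "escalate" if rec["action"] in ESCALATE else "review"
        events.append(rec)
    return events


def scrutiny_report(log_text):
    """Count privileged actions per user so reviewers know where to look first."""
    return dict(Counter(e["user"] for e in privileged_events(log_text)))


if __name__ == "__main__":
    for e in privileged_events(SAMPLE_LOG):
        print(f"{e['severity']:8} {e['ts']} {e['user']:7} {e['category']:22} {e['action']}")
    print(scrutiny_report(SAMPLE_LOG))
```

Routine file reads and writes never reach the reviewer, while every action in the watchlist does; the per-user count is the simplest form of the heightened scrutiny the slide asks for, and the escalation flag singles out the one action that would erase the very records this review depends on.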
70. Digital Forensics
• Provides a formal approach to dealing with investigations and
evidence with special consideration of the legal aspects of the
process
• Forensics is closely related to incident response
• Main distinction between forensics and incident response is
that forensics is evidence-centric and typically more closely
associated with crimes, while incident response is more
dedicated to identifying, containing, and recovering from
security incidents
• The forensic process must preserve the “crime scene” and the
evidence in order to prevent unintentionally violating the integrity
of either the data or the data's environment
71. Digital Forensics
• Prevent unintentional modification of the system
• Antiforensics makes forensic investigation difficult or impossible
• One method is malware that is entirely memory-resident, and not
installed on the disk drive. If an investigator removes power from a
system with entirely memory-resident malware, all volatile memory
including RAM is lost, and evidence is destroyed.
• Valuable data is gathered during the live forensic capture
• The main source of forensic data typically comes from binary
images of secondary storage and portable storage devices such
as hard disk drives, USB flash drives, CDs, DVDs, and possibly
associated cellular phones and mp3 players
• A binary or bit stream image is used because an exact replica of
the original data is needed
• Normal backup software will only capture the active partitions of
a disk, and only that data which is marked as allocated
72. Digital Forensics
The four types of data that exist:
• Allocated space—portions of a disk partition which are marked
as actively containing data.
• Unallocated space—portions of a disk partition that do not
contain active data. This includes memory that has never been
allocated, and previously allocated memory that has been
marked unallocated. If a file is deleted, the portions of the disk
that held the deleted file are marked as unallocated and available
for use.
73. Digital Forensics
The four types of data that exist:
• Slack space—data is stored in specific size chunks known as
clusters. A cluster is the minimum size that can be allocated by a
file system. If a particular file, or final portion of a file, does not
require the use of the entire cluster then some extra space will
exist within the cluster. This leftover space is known as slack
space: it may contain old data, or can be used intentionally by
attackers to hide information.
• “Bad” blocks/clusters/sectors—hard disks routinely end up with
sectors that cannot be read due to some physical defect. The
sectors marked as bad will be ignored by the operating system
since no data could be read in those defective portions.
Attackers could intentionally mark sectors or clusters as being
bad in order to hide data within this portion of the disk.
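To make the four space types concrete, here is an added Python example (not from the deck) that builds a small constructed partition image with a FAT-style allocation table, puts data into allocated, slack, unallocated and bad-cluster space, and then shows that a logical copy of the files captures only the allocated data, while a scan of the bit-stream image finds the rest and classifies where each byte sits. The cluster size, file names and contents are constructed for this example; real file systems differ in layout, but the distinction between the spaces is the same.

```python
CLUSTER = 512        # cluster size in bytes (assumed for this toy file system)
NCLUSTERS = 8        # partition size: 8 clusters = 4 KiB
FREE, USED, BAD = "free", "used", "bad"   # allocation states, FAT-style


def write_file(img, fat, files, name, data, first_cluster):
    """Store `data` in consecutive clusters starting at first_cluster."""
    nclusters = -(-len(data) // CLUSTER)            # round up
    clusters = list(range(first_cluster, first_cluster + nclusters))
    for i, c in enumerate(clusters):
        chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
        img[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        fat[c] = USED
    files[name] = {"size": len(data), "clusters": clusters}


def build_image():
    """Construct a partition with data in all four space types (constructed sample)."""
    img = bytearray(NCLUSTERS * CLUSTER)
    fat = [FREE] * NCLUSTERS
    files = {}
    # Allocated: a 700-byte file fills cluster 0 and 188 bytes of cluster 1.
    write_file(img, fat, files, "report.txt", b"Q1 revenue figures. " * 35, 0)
    # Slack: the last 324 bytes of cluster 1 belong to no file; plant data there.
    img[700:700 + 17] = b"SLACK:hidden-note"
    # Unallocated: write a file into cluster 4, then "delete" it (FAT entry freed,
    # directory entry gone, bytes on disk untouched).
    write_file(img, fat, files, "draft.doc", b"DELETED:old-contract-draft", 4)
    fat[4] = FREE
    del files["draft.doc"]
    # Bad: cluster 6 is marked defective, so the OS never reads it, yet it holds data.
    img[6 * CLUSTER:6 * CLUSTER + 16] = b"BAD:stashed-data"
    fat[6] = BAD
    return img, fat, files


def logical_copy(img, files):
    """What ordinary backup software captures: only the allocated bytes of each file."""
    out = {}
    for name, entry in files.items():
        raw = b"".join(bytes(img[c * CLUSTER:(c + 1) * CLUSTER]) for c in entry["clusters"])
        out[name] = raw[:entry["size"]]
    return out


def slack_space(img, entry):
    """Bytes after the file's end within its final cluster."""
    last = entry["clusters"][-1]
    used_in_last = entry["size"] - (len(entry["clusters"]) - 1) * CLUSTER
    return bytes(img[last * CLUSTER + used_in_last:(last + 1) * CLUSTER])


def classify_offset(fat, files, offset):
    """Which of the four space types a byte offset in the bit-stream image falls in."""
    c = offset // CLUSTER
    if fat[c] == BAD:
        return "bad"
    if fat[c] == FREE:
        return "unallocated"
    for entry in files.values():
        if c in entry["clusters"]:
            file_offset = entry["clusters"].index(c) * CLUSTER + offset % CLUSTER
            return "allocated" if file_offset < entry["size"] else "slack"
    return "orphaned"      # marked used but no directory entry points at it


def locate(img, fat, files, needle):
    """Find a byte string anywhere in the image and report what kind of space holds it."""
    offset = img.find(needle)
    if offset < 0:
        return None
    return offset, classify_offset(fat, files, offset)


if __name__ == "__main__":
    img, fat, files = build_image()
    print("logical copy sees:", list(logical_copy(img, files)))
    for marker in (b"Q1 revenue", b"SLACK:", b"DELETED:", b"BAD:"):
        print(marker, "->", locate(img, fat, files, marker))
```

Run it and the logical copy contains exactly one file of 700 bytes, while the scan of the full image reports the same marker strings at offsets 0 (allocated), 700 (slack), 2048 (unallocated) and 3072 (bad). That difference is the whole argument for a bit-stream image over a file-level backup.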
74. Digital Forensics
• Numerous tools that can be used to create the binary backup
including free tools such as dd and windd as well as commercial
tools such as Ghost (when run with specific nondefault switches
enabled), AccessData's FTK, or Guidance Software's EnCase.
• The general phases of the forensic process are:
• the identification of potential evidence;
• the acquisition of that evidence;
• analysis of the evidence;
• production of a report
• Hashing algorithms are used to verify the integrity of binary
images
• When possible, the original media should not be used for
analysis
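An added example, not from the slides, showing how hashes are used to verify a binary image: the hashes are computed once at acquisition and recorded with the chain-of-custody notes, the working copy is re-hashed before and after analysis, and a single flipped bit anywhere in the copy is detected. The image bytes are a constructed stand-in; the routine hashes in chunks so the same code works unchanged on a multi-gigabyte image file.

```python
import hashlib
import io


def hash_stream(fileobj, algorithm="sha256", chunk_size=1 << 20):
    """Hash an image without loading it all into memory (1 MiB chunks by default)."""
    h = hashlib.new(algorithm)
    for block in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(block)
    return h.hexdigest()


def hash_bytes(data, algorithm="sha256", chunk_size=1 << 20):
    """Convenience wrapper for in-memory data; same result as hashing the stream."""
    return hash_stream(io.BytesIO(data), algorithm, chunk_size)


def acquisition_record(image_bytes, algorithms=("sha256", "md5")):
    """Hashes taken at acquisition time. SHA-256 carries the integrity claim; MD5 is
    included only because many legacy tools still record it alongside."""
    return {alg: hash_bytes(image_bytes, alg) for alg in algorithms}


def verify_copy(copy_bytes, record):
    """Re-hash a working copy and compare it with the acquisition record."""
    mismatches = [alg for alg, expected in record.items()
                  if hash_bytes(copy_bytes, alg) != expected]
    return (len(mismatches) == 0, mismatches)


# Constructed stand-in for a bit-stream image (16 KiB); a real one is a file on disk.
ORIGINAL = bytes(range(256)) * 64


def demo():
    """Verify a pristine copy, flip one bit, verify again."""
    record = acquisition_record(ORIGINAL)
    working = bytearray(ORIGINAL)            # the copy analysts actually examine
    ok_before, _ = verify_copy(bytes(working), record)
    working[4096] ^= 0x01                    # one flipped bit, e.g. from an accidental write
    ok_after, bad = verify_copy(bytes(working), record)
    return ok_before, ok_after, bad


if __name__ == "__main__":
    print(demo())   # (True, False, ['sha256', 'md5'])
```

Because the original media is set aside after acquisition, the record is what ties every later finding back to it: any copy whose hashes no longer match is not evidence, whatever the cause of the change.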
75. Live Forensics
• Forensics investigators have traditionally removed power from a
system, but the typical approach now is to gather volatile data.
Acquiring volatile data is called live forensics.
• The need for live forensics has grown tremendously due to non-
persistent tools that don’t write anything to disk
• One example from Metasploit…
76. Live Forensics - Metasploit
• Popular free and open source exploitation framework
• Metasploit framework allows for the modularization of the
underlying components of an attack, which allows for exploit
developers to focus on their core competency without having to
expend energy on distribution or even developing a delivery,
targeting, and payload mechanism for their exploit
• Provides reusable components to limit extra work
• A payload is what Metasploit does after successfully exploiting a
target
77. Live Forensics – Metasploit & Meterpreter
• One of the most powerful Metasploit payloads
• Can allow the password hashes of a compromised computer to be
dumped to an attacker's machine
• The password hashes can then be fed into a password cracker
• Or the password hashes might be usable directly in Metasploit's
PSExec exploit module, which is an implementation of the
functionality provided by Sysinternals' (now owned by Microsoft)
PSExec, bolstered to support Pass the Hash functionality.
Information on Microsoft's PSExec can be found at
http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx.
Further details on Pass the Hash techniques can be found at
http://oss.coresecurity.com/projects/pshtoolkit.htm
78. Live Forensics – Metasploit & Meterpreter
• Dumping password hashes with Meterpreter.
• In addition to dumping password hashes, Meterpreter
provides features such as:
• command execution on the remote system
• uploading or downloading of files
• screen capture
• keystroke logging
• disabling the firewall
• disabling antivirus
• registry viewing and modification
• Meterpreter's capabilities are updated regularly
80. Live Forensics – Metasploit & Meterpreter
• Dumping the registry with Meterpreter.
• Meterpreter was designed with detection evasion in
mind
• Meterpreter can provide almost all of the
functionalities listed above without creating a new file
on the victim system
• Runs entirely within the context of the exploited victim
process, and all information is stored in physical
memory rather than on the hard disk.
82. Live Forensics – Metasploit & Meterpreter
• If the forensic investigator removed the power supply
from the compromised machine, destroying volatile
memory: there would be little to no information for the
investigator to analyze
83. Network Forensics
• The study of data in motion.
• Focus on gathering & preservation of evidence
for presentation in court.
• Email contents, online conversations, Web
activities, and file transfers.
84. Forensic Software Analysis
• De-constructing malware and other software.
• Most analysts detonate malware in a VM; reverse
engineering is also used.
Embedded Device Forensics
• IoT devices and handheld devices
• Specialized tools are required.
85. Electronic Discovery (eDISCOVERY)
• Legal counsel gaining access to pertinent electronic
information during the pre-trial discovery phase of
civil legal proceedings
• Seeks ESI, or electronically stored information
• ESI does not need to be conveniently accessible or
transferable
• Data Retention Policy (IMPORTANT)
• Legal/Regulatory reasons?
• Business reasons?
86. Incident Response Management
• Every organization faces information security incidents
• Regimented and tested methodology for identifying and
responding to incidents is critical
• Computer Security Incident Response Team (CSIRT) is a term
used for the group that is tasked with monitoring, identifying, and
responding to security incidents
• Overall goal of the incident response plan is to allow the
organization to control the cost and damage associated with
incidents, and to make the recovery of impacted systems quicker
87. Incident Response Management – Methodology
Different books and organizations may use different terms and
phases associated with incident response; this section will mirror
the terms associated with the examination.
Step 0 - Preparation
• Incidents are inevitable.
• What is an event vs. an incident.
• Who does what, how will they do it, and when?
88. Incident Response Management – Methodology
Step 1 - Detection (what I can’t prevent, can I detect?)
• Events are analyzed in order to determine whether
these events might comprise a security incident
• Emphasis on detective controls
89. Incident Response Management – Methodology
Step 2 - Containment (OK I’ve detected it, now what?)
• The point at which the incident response team
attempts to keep further damage from occurring
• Might include taking a system off the network,
isolating traffic, powering off the system, or other
items to control both the scope and severity of the
incident
• Typically where a binary (bit by bit) forensic backup is
made of systems involved in the incident
90. Incident Response Management – Methodology
Step 3 - Eradication
• Involves the process of understanding the cause of
the incident so that the system can be reliably cleaned
and ultimately restored to operational status later in
the recovery phase
• The cause of the incident must be determined
BEFORE recovery
• Root cause analysis is key
91. Incident Response Management – Methodology
Step 4 - Recovery
• Involves restoring the system or systems to
operational status
• Typically, the business unit responsible for the system
will dictate when the system will go back online
• Close monitoring of the system after it is returned to
production is necessary
92. Incident Response Management – Methodology
Step 5 - Reporting
• Most likely to be neglected in immature incident
response programs
• If done right, this phase has the greatest potential to
effect a positive change in security posture
• Goal is to provide a final report on the incident, which
will be delivered to management
94. Incident Response Management – Methodology
• Exam lists a 7-step lifecycle; book calls for 8 steps
(adding “Preparation”):
• 1. Preparation
• 2. Detection (aka Identification)
• 3. Response (aka Containment)
• 4. Mitigation (aka Eradication)
• 5. Reporting
• 6. Recovery
• 7. Remediation
• 8. Lessons Learned (aka Post-incident Activity, Post Mortem,
or Reporting)
95. Incident Response Management – Methodology
1. Preparation
• training, writing incident response policies and
procedures, providing tools such as laptops with
sniffing software, crossover cables, original OS media,
removable drives, etc.
• Everything that you do to prepare for an incident
• Policy and procedures
• Incident handling checklist and other forms for
tracking
• Classification
• Impact
96. Incident Response Management – Methodology
2. Detection (aka Identification)
• What are all of the inputs into my incident response process?
• Events → Incidents
3. Response (aka Containment)
• Step-by-step, depending upon classification & severity
• Forensic response? Protection of evidence, while containing
damage
• Start root cause analysis
97. Incident Response Management – Methodology
4. Mitigation (aka Eradication)
• Root cause analysis completed (mostly/hopefully)
• Get rid of the bad things
5. Reporting
• Actually not really a step (happens throughout)
• More formal here; include incident responders (technical and
non-technical)
98. Incident Response Management – Methodology
6. Recovery
• Restore systems and operations
• Increase monitoring
7. Remediation – broader in context
8. Lessons Learned (aka Post-incident Activity, Post
Mortem, or Reporting) – there are always lessons
99. We made it through Class 9!
For real. Much of this class was educational AND practical.
Please try to catch up in your reading.
• We left off on page 363 in the book.
• Wednesday (5/20) we’ll start again with “Operational
Preventive and Detective Controls”
• Come with questions!
Have a great evening, talk to you Wednesday!
Let’s do some more quiz questions!
After all, you’ll need to get used to it.