Hemant Patkar

Summary

The provided content offers a comprehensive overview of CISSP Domain 6, focusing on Security Assessment and Testing, with practical notes for passing the CISSP certification in 2024–25, including methods for log management, testing techniques, and penetration testing steps.

Abstract

The web content serves as a study guide for CISSP Domain 6, which encompasses Security Assessment and Testing. It outlines the objective of designing and validating assessment and audit strategies, conducting security control testing, collecting security process data, analyzing test outputs, and facilitating security audits. The text emphasizes the importance of log management in modern IT operations for enhanced visibility and security, detailing its key components, benefits, and challenges. It also covers the description of vulnerabilities using CVE, CVSS, and CCE, and discusses security integration throughout the development lifecycle, including various testing techniques and their significance for the CISSP exam. The content further elaborates on activities in the test environment, such as vulnerability assessments and penetration testing, and outlines the steps for effective penetration testing. Additionally, it explains different types of software testing, the tenets of InfoSecurity Continuous Monitoring (ISCM), and the distinctions between internal and third-party audits, as well as SOC reports. The article concludes with a brief overview for last-minute revision and provides links to related content for other CISSP domains.

Opinions

  • The author suggests that log management is crucial for real-time system monitoring, security threat detection, and compliance with regulatory standards.
  • The text conveys the opinion that early detection and mitigation of security vulnerabilities in the software development lifecycle can save time and resources.
  • The importance of understanding and applying various testing techniques, such as black-box, white-box, manual, and automated testing, is highlighted for the CISSP exam.
  • The content implies that penetration testing should be conducted in a structured manner, following a sequence of planning, discovery, attack, and reporting.
  • The author emphasizes the value of continuous security monitoring through ISCM for maintaining organizational asset visibility and vulnerability awareness.
  • The article advocates for the use of SOC reports as a means to demonstrate a service organization's commitment to security and compliance.
  • The recommendation of an AI service similar to ChatGPT Plus (GPT-4) but at a lower cost suggests the author's belief in the utility and cost-effectiveness of AI tools for learning and certification preparation.

CISSP: Domain 6 — Security Assessment and Testing: Easy Notes to Pass CISSP Certification in 2024–25

OBJECTIVE

  • DESIGN AND VALIDATE ASSESSMENT, TEST AND AUDIT STRATEGIES
  • CONDUCT SECURITY CONTROL TESTING
  • COLLECT SECURITY PROCESS DATA (TECHNICAL AND ADMIN)
  • ANALYZE TEST OUTPUT AND GENERATE REPORT
  • CONDUCT OR FACILITATE SECURITY AUDITS

Assessment = Process

Testing = Technique

  1. Organization develops a policy / plan
  2. Based on the policy, an assessment is done
  3. Based on the assessment, reports are produced

Internal Assessment — Inhouse Team

External Assessment — 3rd party audit firm

DESCRIBING VULNERABILITIES

A. CVE (Common Vulnerability and Exposure) — Provides a naming system for describing security vulnerabilities

Assigns a code (signature) to each and every vulnerability

B. CVSS (Common Vulnerability Scoring System) — Provides a standardized scoring system for describing the severity of security vulnerabilities

  • Base Score — vulnerability details
  • Temporal Score — vendor details for the vulnerability
  • Environmental Score — impact of the vulnerability in the organization

Exam question — In CVSS, which score do you base a decision on?

Answer — Environmental Score

C. CCE (Common Config Enumeration) — Provides a naming system for system configuration issues

LOG MANAGEMENT

Process to

Log Management: Enhancing Visibility and Security

Log management is a crucial component of modern IT operations, providing insights, security, and compliance benefits.

1. What is Log Management?

  • Log management refers to the process of collecting, storing, and analyzing logs or records generated by various hardware and software systems.
  • Logs contain valuable information about system activities, errors, user interactions, and security events.

2. The Importance of Log Management:

  • Visibility: Logs offer a real-time and historical view of system performance and activities, aiding in troubleshooting and monitoring.
  • Security: Log analysis helps detect and mitigate security threats by identifying suspicious or anomalous behavior.
  • Compliance: Many regulatory standards, such as GDPR and HIPAA, require organizations to maintain and protect logs for auditing purposes.

3. Key Components of Log Management:

  • Log Collection: Automated gathering of logs from various sources, including servers, network devices, applications, and security systems.
  • Log Storage: Secure and scalable storage solutions are essential to retain logs for extended periods while ensuring data integrity.
  • Log Analysis: Advanced tools and algorithms are used to parse and interpret logs, turning raw data into actionable insights.
  • Alerting and Reporting: Automated alerts and reports notify administrators of critical events or issues in real-time.

4. Benefits of Effective Log Management:

  • Faster Troubleshooting: Rapid identification and resolution of issues, minimizing downtime and productivity loss.
  • Proactive Security: Early detection of security breaches and potential vulnerabilities before they escalate.
  • Historical Analysis: Historical logs enable trend analysis, helping organizations make informed decisions for future improvements.
  • Compliance Adherence: Meeting regulatory requirements by maintaining comprehensive log records.

5. Challenges in Log Management:

  • Volume: The sheer volume of logs generated can be overwhelming, necessitating scalable solutions.
  • Complexity: Logs come in various formats, making parsing and analysis challenging.
  • Security: Protecting log data from unauthorized access is crucial to maintain data integrity and privacy.

6. Best Practices:

  • Centralized Logging: Store logs in a central repository for easy access and analysis.
  • Regular Review: Consistently review logs to identify emerging issues or threats.
  • Automated Alerts: Set up automated alerts to respond promptly to critical events.
  • Data Retention Policies: Define policies for log retention to balance storage costs and compliance requirements.
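The log-analysis, alerting and integrity points above can be shown on a handful of lines. The script below is an added example, not part of the article: it parses constructed sshd-style authentication lines (sample data, not real traffic), raises an alert when one source produces five or more failed logins inside a one-minute window, and protects the stored lines with a SHA-256 hash chain so that a deleted or edited line is detectable on later review. The threshold, window and line format are assumptions chosen for the example.

```python
"""Added example: brute-force detection over sample auth-log lines plus a
hash chain that makes tampering with stored logs detectable."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an sshd-like format (not captured traffic).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50001 ssh2
2024-05-01T10:00:03Z host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50002 ssh2
2024-05-01T10:00:04Z host1 sshd[1202]: Failed password for root from 203.0.113.7 port 50003 ssh2
2024-05-01T10:00:06Z host1 sshd[1203]: Failed password for root from 203.0.113.7 port 50004 ssh2
2024-05-01T10:00:07Z host1 sshd[1204]: Failed password for root from 203.0.113.7 port 50005 ssh2
2024-05-01T10:00:09Z host1 sshd[1205]: Accepted publickey for alice from 198.51.100.20 port 51000 ssh2
2024-05-01T10:15:00Z host1 sshd[1210]: Failed password for bob from 198.51.100.21 port 52000 ssh2
2024-05-01T10:15:30Z host1 sshd[1211]: Accepted password for bob from 198.51.100.21 port 52001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_lines(text):
    """Parse each line into a dict; lines that do not match are skipped and counted."""
    events, unparsed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events, unparsed


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Alert on sources with >= threshold failed logins inside a sliding window."""
    failures = defaultdict(list)
    for ev in events:
        if ev["outcome"] == "Failed":
            failures[ev["src"]].append(ev["ts"])
    alerts = []
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"src": src, "failures": end - start + 1,
                               "first": times[start], "last": times[end]})
                break                                    # one alert per source
    return alerts


def hash_chain(lines, seed="log-chain-seed"):
    """Chain each line's SHA-256 to the previous digest; any edit or deletion
    changes every digest from that point onward."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    chain = []
    for line in lines:
        prev = hashlib.sha256((prev + line).encode()).hexdigest()
        chain.append(prev)
    return chain


def verify_chain(lines, chain, seed="log-chain-seed"):
    """True only if the stored lines still reproduce the recorded chain."""
    return hash_chain(lines, seed) == chain


if __name__ == "__main__":
    events, skipped = parse_lines(SAMPLE_LOG)
    for a in detect_bruteforce(events):
        print(f"ALERT: {a['failures']} failed logins from {a['src']} "
              f"between {a['first']} and {a['last']}")
    lines = SAMPLE_LOG.splitlines()
    chain = hash_chain(lines)
    tampered = lines[:2] + lines[3:]          # one line deleted from storage
    print("chain valid:", verify_chain(lines, chain),
          "| after deletion:", verify_chain(tampered, chain))
```

In practice the chain digests (or a periodic root digest) would be written to a separate, write-once location so that whoever can edit the log store cannot also rewrite the chain; the example keeps both in memory only to show the check.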

SIMULATION

  • Synthetic Transmission
  • Artificial Scenario
  • Pre-prod environment

Limitation of production / operation. Example — BOSON practice test (simulated)

SECURITY THROUGHOUT DEVELOPMENT LIFE CYCLE

Fixing bugs and security vulnerabilities as early as possible saves COST and saves TIME

During Application Development

  1. SAST — (Static Source Code Analysis)
  • Analysis of application source code to find vulnerabilities without executing the application.
  • Requires access to source code

  2. DAST — (Dynamic Application Testing)
  • Testing against the running application.
  • NO access to source code

  3. RASP = SAST + DAST

  • Real user application monitoring
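What "analysis of source code without executing it" means in SAST terms is concrete enough to show. The checker below is an added example, not the article's code and not any product's rule set: it parses a constructed Python source snippet with the standard `ast` module, walks the syntax tree, and reports calls that a reviewer would flag (the rule table is an assumption chosen for illustration). Nothing in the sample is executed, which is exactly the SAST/DAST distinction the notes make.

```python
"""Added example: a minimal SAST-style rule implemented with Python's ast
module. The sample source is inspected as text and never executed."""
import ast

# Constructed sample source to scan (illustrative input, not the page's code).
SAMPLE_SOURCE = '''
import subprocess, hashlib

def run(cmd):
    return subprocess.run(cmd, shell=True)      # shell=True with caller-supplied input

def digest(data):
    return hashlib.md5(data).hexdigest()         # weak hash

def safe_run(args):
    return subprocess.run(args, shell=False)     # argument list, no shell

def evaluate(expr):
    return eval(expr)
'''

# Rule table (assumed for the example): callee dotted name -> finding message.
DANGEROUS_CALLS = {
    "eval": "use of eval() on possibly untrusted input",
    "exec": "use of exec()",
    "hashlib.md5": "MD5 is not collision resistant",
    "hashlib.sha1": "SHA-1 is deprecated for signatures",
}
SHELL_CALLS = {"subprocess.run", "subprocess.Popen",
               "subprocess.call", "subprocess.check_output"}


def dotted_name(node):
    """Return 'a.b.c' for Name/Attribute chains, or None for other expressions."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class DangerousCallVisitor(ast.NodeVisitor):
    """Collects (line, callee, message) for every call matching a rule."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name in DANGEROUS_CALLS:
            self.findings.append((node.lineno, name, DANGEROUS_CALLS[name]))
        if name in SHELL_CALLS:
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self.findings.append(
                        (node.lineno, name, "shell=True enables command injection"))
        self.generic_visit(node)   # keep walking into nested calls


def scan_source(source):
    """Parse source text (no execution) and return sorted findings."""
    visitor = DangerousCallVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings)


if __name__ == "__main__":
    for line, callee, msg in scan_source(SAMPLE_SOURCE):
        print(f"line {line}: {callee}: {msg}")
```

Note that `safe_run` produces no finding because the rule looks at the literal value of the `shell` keyword; a real SAST engine adds data-flow tracking so that a `shell` value passed in from elsewhere is also examined, and the false negatives that remain are the reason the notes pair SAST with DAST.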

TESTING TECHNIQUES (Very imp for exam)

  • Black-box testing vs. white-box testing
  • Dynamic testing vs. static testing
  • Manual testing vs. automated testing

ACTIVITIES IN TEST ENVIRONMENT

  1. VA — Vulnerability Assessment
  2. PT — Penetration Testing
  3. OVERT or COVERT
  4. Fuzzing

TESTING METHOD FACTORS (When Selecting Testing and Tools)

  1. Attack Surface → What and where to test
  2. Application Type → Behaviour
  3. Quality of Result → Output
  4. Supported Technology → Supported platform
  5. Performance / Resource utilization → Compute power

NEGATIVE & POSITIVE TESTING

  1. POSITIVE TESTING
  • System works as expected for business use cases
  • Use Case Testing
  2. NEGATIVE TESTING
  • Ensures the system can handle invalid use cases, whether accidental or deliberate
  • Misuse Case Testing
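Use-case and misuse-case testing are two halves of the same test plan, as shown by this added example (not from the article): a single function that maps an upload file name onto a fixed directory, a positive table of valid names with their expected results, and a negative table of invalid or hostile names that must all be rejected. The function, base directory and case tables are assumptions constructed for the example.

```python
"""Added example: positive (use-case) and negative (misuse-case) tests for one
function, run by a small harness that reports which cases failed."""
from pathlib import PurePosixPath

# Assumed upload directory for the example.
BASE = PurePosixPath("/srv/app/uploads")


def resolve_upload_path(name):
    """Return the absolute path under BASE for a user-supplied file name,
    or raise ValueError for anything that is not a single plain component."""
    if not name or "\x00" in name:
        raise ValueError("empty name or embedded NUL")
    p = PurePosixPath(name)
    if p.is_absolute() or ".." in p.parts or len(p.parts) != 1:
        raise ValueError("name must be a single path component")
    return BASE / p


# Positive tests: valid business inputs must succeed with the expected result.
USE_CASES = {
    "report.pdf": "/srv/app/uploads/report.pdf",
    "photo 1.png": "/srv/app/uploads/photo 1.png",
}

# Negative tests: invalid or hostile inputs must be rejected, never resolved.
MISUSE_CASES = ["", "../etc/passwd", "/etc/passwd", "a/b.txt", "x\x00.txt", ".."]


def run_positive():
    """Return a list of (input, reason) for every use case that did not pass."""
    failures = []
    for name, expected in USE_CASES.items():
        try:
            got = str(resolve_upload_path(name))
        except ValueError as exc:
            failures.append((name, f"unexpected rejection: {exc}"))
            continue
        if got != expected:
            failures.append((name, f"got {got}"))
    return failures


def run_negative():
    """Return a list of (input, reason) for every misuse case that was accepted."""
    failures = []
    for name in MISUSE_CASES:
        try:
            got = resolve_upload_path(name)
        except ValueError:
            continue                     # rejection is the expected outcome
        failures.append((name, f"accepted as {got}"))
    return failures


if __name__ == "__main__":
    print("use-case failures:", run_positive())
    print("misuse-case failures:", run_negative())
```

The negative table is where most real defects surface: a validator that passes every use case can still accept `../etc/passwd`, and only a misuse case makes that visible before deployment.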

PENETRATION TESTING (PT)

Penetration Test Steps ( EXAM IMP Sequence )

A. Planning ( Can be Overt/Covert )

  • Management Signed Off

B. Discovery

  • Information gathering and scanning
  • Vulnerability analysis
  • Involves identifying and documenting information about the target

C. Attack

  • Gaining Access, Escalating Privileges

D. Reporting

  • It runs on the same timeline as the Planning, Discovery and Attack phases
  • The reporting phase occurs simultaneously with the other three phases of the penetration test (see Figure above). The assessment plan, or rules of engagement (ROE), is developed during the planning phase. Written logs are typically kept during the discovery and attack phases, and system administrators or management may receive periodic reports. After the test, a report is produced that describes the vulnerabilities found, provides a risk assessment, and gives recommendations for mitigating the weaknesses found.

SOFTWARE TESTING TENETS

Type of Testing

A) Unit testing
  • Does a particular piece of code properly perform the task it is intended to?
  • Testing focuses on the early examination of sub-program functionality and ensures that functionality not visible at the system level is still examined by testing.

B) Integration Testing
  • Does the application behave as expected when integrated with and communicating with other systems in the environment?
  • Testing focuses on the transfer of data and control across a program's internal and external interfaces. External interfaces are those with other software (including operating system software), system hardware, and the users, and can be described as communication links.

C) System Testing
  • Ensures that the application provides the required functionality and that the application is trustworthy as deployed in regard to security, privacy, performance, recovery, and usability.

D) Comprehensive Code Testing Program
  • With emphasis throughout the software development lifecycle, a comprehensive code testing program can ensure that developed applications are deployed with minimal vulnerabilities.

E) Regression Testing
  • Provides assurance that a change has not created problems elsewhere in the software product.
  • Regression analysis is the determination of the impact of a change based on a review of the relevant documentation.

F) Interface Testing
  • Checks that components are in sync
  • Data transfer happens per design
  • Control passes correctly

ISCM (INFOSECURITY CONTINUOUS MONITORING)

Aligns every facet of the organization, including the People, Process and Technology in place.

ISCM IMPLEMENTING STEP

  1. Define an ISCM strategy based on risk tolerance that maintains clear visibility into assets, awareness of vulnerabilities, up-to-date threat information, and mission/business impacts.
  2. Establish an ISCM program, determining metrics, status monitoring frequencies, control assessment frequencies, and an ISCM technical architecture.
  3. Implement the ISCM program and collect the security-related information required for metrics, assessments, and reporting. Automate the collection, analysis, and reporting of data where possible.
  4. Analyze the data collected and report findings, determining the appropriate response. It may be necessary to collect additional information to clarify or supplement existing monitoring data.
  5. Respond to findings with technical, management, and operational mitigating activities, or with acceptance, transference/sharing, or avoidance/rejection.
  6. Review and update the monitoring program, adjusting the ISCM strategy and maturing measurement capabilities to increase visibility into assets and awareness of vulnerabilities.

INTERNAL AND 3RD PARTY AUDIT

A. 1st Party Audit → Internal

B. 2nd Party Audit → Audit of supplier/vendor

C. 3rd Party Audit → Certification bodies (independent company: ISO, RBI)

SAS 70

SOC REPORT COMPARISON

SOC 1 Report: “SOC 1 reports focus on a service organization’s internal controls relevant to financial reporting, providing assurance to clients and auditors.”

SOC 2 Report: “SOC 2 reports assess security, availability, processing integrity, confidentiality, and privacy controls, demonstrating a commitment to data protection and trustworthiness.”

SOC 3 Report: “SOC 3 reports are concise summaries of SOC 2 reports, designed for public consumption, highlighting a service organization’s commitment to security, privacy, and compliance.”

Review the brief explanation of Domain 6 below for a last-minute overview — by Destination Certification

For Domain 5 click here

For Domain 7 click here
