Mike Chapple

(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide


Скачать книгу

Although loosely similar to change management, onboarding focuses more on ensuring compliance with existing security policies by the new member, rather than testing updates for an existing member. Static analysis is used to evaluate source code as a part of a secure development environment. Static analysis may be used as an evaluation tool in change management, but it is a tool, not the principle of security referenced in this scenario.

      38 D. The two main types of token devices are TOTP and HOTP. Time-based one-time password (TOTP) tokens or synchronous dynamic password tokens are devices or applications that generate passwords at fixed time intervals, such as every 60 seconds. Thus, TOTP produces new time-derived passwords on a specific time interval that can be used only a single time when attempting to authenticate. HMAC-based one-time password (HOTP) tokens or asynchronous dynamic password tokens are devices or applications that generate passwords not based on fixed time intervals but instead based on a nonrepeating one-way function, such as a hash or hash message authentication code (HMAC—a type of hash that uses a symmetric key in the hashing process) operation. HMAC is a hashing function, not a means to authenticate. Security Assertions Markup Language (SAML) is used to create authentication federation (i.e. sharing) links; it is not itself a means to authenticate.

      39 A.. The most important security concern from this list of options in relation to a CSP is the data retention policy. The data retention policy defines what information or data is being collected by the CSP, how long it will be kept, how it is destroyed, why it is kept, and who can access it. The number of customers and what hardware is used are not significant security concerns in comparison to data retention. Whether the CSP offers MaaS, IDaaS, and SaaS is not as important as data retention, especially if these are not services your organization needs or wants. One of the keys to answering this question is to consider the range of CSP options, including software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS), and the type of organizations that are technically CSP SaaS but that we don't often think of as such (examples include Facebook, Google, and Amazon). These organizations absolutely have access to customer/user data, and thus, their data retention policies are of utmost concern (at least compared to the other options provided).

      40 AB, C, D. Programmers need to adopt secure coding practices, which include using stored procedures, code signing, and server-side validation. A stored procedure is a subroutine or software module that can be called on or accessed by applications interacting with a relational database management system (RDBMS). Code signing is the activity of crafting a digital signature of a software program in order to confirm that it was not changed and who it is from. Server-side data validation is suited for protecting a system against input submitted by a malicious user. Using immutable systems is not a secure coding technique; instead, an immutable system is a server or software product that, once configured and deployed, is never altered in place. File size optimization may be efficient but is not necessarily a secure coding technique. Using third-party software libraries may reduce workload to minimize the amount of new code to author, but third-party software libraries are a risk because they can introduce vulnerabilities, especially when closed source libraries are used. Thus, use of third-party software libraries is not a secure coding technique unless the security posture of the externally sourced code is verified, which was not mentioned as an answer option.

       THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:

       Domain 1.0: Security and Risk Management1.2 Understand and apply security concepts1.2.1 Confidentiality, integrity, and availability, authenticity and nonrepudiation1.3 Evaluate and apply security governance principles1.3.1 Alignment of security function to business strategy, goals, mission, and objectives1.3.2 Organizational processes (e.g., acquisitions, divestitures, governance committees)1.3.3 Organizational roles and responsibilities1.3.4 Security control frameworks1.3.5 Due care/due diligence1.7 Develop, document, and implement security policy, standards, procedures, and guidelines1.11 Understand and apply threat modeling concepts and methodologies1.12 Apply Supply Chain Risk Management (SCRM) concepts1.12.1 Risks associated with hardware, software, and services1.12.2 Third-party assessment and monitoring1.12.3 Minimum security requirements1.12.4 Service level requirements

       Domain 3: Security Architecture and Engineering3.1 Research, implement and manage engineering processes using secure design principles3.1.1 Threat modeling3.1.3 Defense in depth

      We often hear how important security is, but we don't always understand why. Security is important because it helps to ensure that an organization is able to continue to exist and operate in spite of any attempts to steal its data or compromise its physical or logical elements. Security should be viewed as an element of business management rather than an IT concern. In fact, IT and security are different. Information technology (IT) or even information systems (IS) is the hardware and software that support the operations or functions of a business. Security is the business management tool that ensures the reliable and protected operation of IT/IS. Security exists to support the objectives, mission, and goals of the organization.

      Generally, a security framework should be adopted that provides a starting point for how to implement security. Once an initiation of security has been accomplished, then fine-tuning that security is accomplished through evaluation. There are three common types of security evaluation: risk assessment, vulnerability assessment, and penetration testing (these are covered in detail in Chapter 2 and Chapter 15, “Security Assessment and Testing”). Risk assessment is a process of identifying assets, threats, and vulnerabilities, and then using that information to calculate risk. Once risk is understood, it is used to guide the improvement of the existing security infrastructure. Vulnerability assessment uses automated tools to locate known security weaknesses, which can be addressed by adding in more defenses or adjusting the existing protections. Penetration testing uses trusted individuals to stress-test the security infrastructure to find issues that may not be discovered by the prior two means, with the goal of finding those concerns before an adversary takes advantage of them.

      Security should be legally defensible. The laws of your jurisdiction are the backstop of organizational security. When someone intrudes into your environment and breaches security, especially when such activities are illegal, then prosecution in court may be the only available response for compensation or closure. Also, many decisions made by an organization will have legal liability issues. If required to defend a security action in the courtroom, legally supported security will go a long way toward protecting your organization from facing large fines, penalties, or charges of negligence.