I spent some time translating the content updated in the second edition of the quick reference guide. Quite a few knowledge points were added and supplemented.
Domain 1: Security and Risk Management
Process for Attack Simulation and Threat Analysis(PASTA)
Stage I: Definition of the Objectives (DO) for the Analysis of Risks
Stage II: Definition of the Technical Scope (DTS)
Stage III: Application Decomposition and Analysis (ADA)
Stage IV: Threat Analysis (TA)
Stage V: Weakness and Vulnerability Analysis (WVA)
Stage VI: Attack Modeling & Simulation (AMS)
Stage VII: Risk Analysis & Management (RAM)
Risk Management for Supply Chain
A supply chain is the concept that most computers, devices, networks, and systems are not built by a single entity. Ways to assess the parties in it:
Onsite Assessment
Document Exchange and Review
Process/Policy Review
Third Party Audit
• Personnel Security Policies and Procedures
• Separation of Duties: preventive control (protects against collusion)
• Job Responsibilities: access granted based on least privilege
• Job Rotation: detective control (protects against fraud)
• Candidate Hiring and Screening: background checks are important
• Employment Agreements and Policies: signing an NDA and NCA
• On-boarding and Termination Process: IAM and UER
• Vendor, Consultant and Contractor Agreements and Controls: contracts and SLAs
• Compliance Policy Requirements: adhering to requirements (e.g. PCI-DSS)
• Privacy Policy Requirements: cannot monitor without consent
Awareness, Training & Education
• A prerequisite to security training is awareness. The goal of creating awareness is to bring security to the forefront and make it a recognized entity for users.
• Training is teaching employees to perform their work tasks and to comply with the security policy. Training is typically hosted by an organization and is targeted to groups of employees with similar job functions.
• Education is a more detailed endeavor in which students/users learn much more than they actually need to know to perform their work tasks (e.g. obtaining the CISSP certification for a promotion or a better job).
Domain 2: Asset Security
Identify and Classify Assets
2. Defining Data and Asset Classification
3. Determine Data Security Controls
5. Handling Information and Assets
6. Data Protection Methods
1. Personally Identifiable Information (PII)
2. Protected Health Information (PHI)
Understanding Data States
a. Data in transit: protect using TLS 1.2 or later, VPN, etc.
b. Data at rest: protect using AES-256, masking, tokenization, etc.
c. Data in use: isolate the memory locations where sensitive data is being processed.
Pseudonymization: Pseudonymization refers to the process of using pseudonyms to represent other data. It can be done to prevent the data from directly identifying an entity, such as a person (e.g. "Agent 007" for James Bond). The mapping back to the real identity is kept separately, so it is reversible by whoever holds that mapping.
Anonymization: Anonymization is the process of removing all relevant data so that it is impossible to identify the original subject or person. Unlike pseudonymization, it is meant to be irreversible.
Data Masking: Data masking is a method of creating a structurally similar but inauthentic version of an organization's data that can be used for purposes such as software testing and user training.
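The three techniques above are easy to confuse, so here is an added Python example (not from the guide or the original article) that applies each one to the same constructed records. Pseudonymization here uses a keyed HMAC so the pseudonym is consistent across records but cannot be reversed without the key; anonymization drops direct identifiers and generalizes the quasi-identifiers (ZIP, age); masking fabricates values that keep the original format. The record fields and key handling are assumptions for the demonstration.

```python
import hashlib
import hmac
import random
import re

# Constructed sample records for the demonstration (fictitious people).
RECORDS = [
    {"name": "Alice Example", "email": "Alice@example.com", "zip": "94110", "age": 34, "diagnosis": "flu"},
    {"name": "Bob Sample", "email": "bob@example.com", "zip": "94117", "age": 71, "diagnosis": "asthma"},
]


def pseudonymize(record, key):
    """Pseudonymization: swap direct identifiers for a keyed, deterministic pseudonym.

    The same person always maps to the same pseudonym, so records can still be
    joined for analysis, but reversing it requires `key`, which must be stored
    apart from the data (like a token vault). An unkeyed hash of an email
    address would be guessable by dictionary attack; the HMAC is not."""
    tag = hmac.new(key, record["email"].strip().lower().encode(), hashlib.sha256).hexdigest()[:16]
    out = dict(record)
    out["name"] = "SUBJECT-" + tag
    out["email"] = tag + "@pseudonymous.invalid"
    return out


def anonymize(record):
    """Anonymization: irreversibly drop direct identifiers and generalize
    quasi-identifiers that could re-identify someone in combination."""
    out = {k: v for k, v in record.items() if k not in ("name", "email")}
    out["zip"] = record["zip"][:3] + "**"           # ZIP reduced to a region
    decade = (record["age"] // 10) * 10
    out["age"] = f"{decade}-{decade + 9}"            # exact age becomes an age band
    return out


def mask(record, seed=0):
    """Data masking: a record with the same shape and formats but fabricated
    values, suitable for test environments or training."""
    rng = random.Random(seed)
    first = rng.choice(["Pat", "Sam", "Lee", "Kim", "Max"])
    last = rng.choice(["Test", "Demo", "Masked", "Sample"])
    out = dict(record)
    out["name"] = f"{first} {last}"
    out["email"] = f"{first.lower()}.{last.lower()}{rng.randint(100, 999)}@masked.invalid"
    out["zip"] = f"{rng.randint(0, 99999):05d}"
    out["age"] = rng.randint(18, 90)
    return out


EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def looks_like_email(value):
    """Format check used to confirm that masked output is still structurally valid."""
    return bool(EMAIL_RE.match(value))


if __name__ == "__main__":
    key = bytes.fromhex("00" * 32)  # demo key only; use secrets.token_bytes(32) in practice
    for rec in RECORDS:
        print("pseudonymized:", pseudonymize(rec, key))
        print("anonymized:   ", anonymize(rec))
        print("masked:       ", mask(rec, seed=1))
```

Note that anonymization only holds if the remaining attributes cannot single out a person; a rare diagnosis in a small ZIP region may still be identifying, which is why the quasi-identifiers are generalized rather than left intact.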
Security Baselines: the minimum set of security requirements that an organization needs in order to protect its assets.
Not all of the controls in a baseline will be relevant to every system.
• Scoping: Scoping refers to reviewing a list of baseline security controls and selecting only those controls that apply to the IT system you are trying to protect. E.g. if a system does not allow any two people to log on to it at the same time, there is no need to apply a concurrent-session control.
• Tailoring: Tailoring refers to modifying the list of security controls within a baseline so that they align with the mission of the organization. E.g. some controls are needed at the main office but not at remote locations, so the remote locations could use compensating controls instead.
Summary of Data classification process:
• Criteria are set for classifying data.
• Data owners are established for each type of data.
• Required controls are selected for each classification.
• Baseline security standards are selected for the organization.
• Controls are scoped and tailored.
• Controls are applied and enforced.
• Access is granted and managed.
Domain 3: Security Engineering
Quantum cryptography is the science of exploiting quantum mechanical properties to perform cryptographic tasks. The best-known example of quantum cryptography is quantum key distribution, which offers an information-theoretically secure solution to the key exchange problem.
1. Quantum Key Distribution (QKD)
2. Uses quantum bits (qubits), e.g. the polarization state of single photons
3. Protects against eavesdropping and man-in-the-middle interception of the key: a photon's state changes when it is observed, so an interceptor raises the error rate that the legitimate parties measure and the key is discarded. This holds only if the classical channel used to compare bases is authenticated; QKD detects interception, it does not replace authentication.
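To make point 3 concrete, here is an added simulation (not part of the guide or the original article) of the BB84 QKD protocol with an intercept-and-resend eavesdropper. Measuring a photon in the wrong basis yields a random bit, so Eve, who guesses the basis half the time, corrupts roughly a quarter of the sifted bits; Alice and Bob notice because they sacrifice part of the sifted key to estimate the error rate. The photon model, the 11% abort threshold and the 50/50 split between check bits and key bits are assumptions of this toy model.

```python
import random

QBER_ALARM = 0.11  # assumed abort threshold: above it no secure key can be distilled


def measure(photon, basis, rng):
    """Measure a photon (bit, preparation basis) in `basis`. A matching basis
    reads the bit faithfully; a mismatched basis collapses the state to a
    random bit in the measuring basis, which is the trace an interceptor leaves."""
    bit, prepared_basis = photon
    if basis == prepared_basis:
        return bit, basis
    return rng.randint(0, 1), basis


def bb84(n_photons, eavesdrop, seed=0):
    """Run one BB84 exchange and return the error estimate and resulting key."""
    rng = random.Random(seed)
    alice_bits = [rng.randint(0, 1) for _ in range(n_photons)]
    alice_bases = [rng.randint(0, 1) for _ in range(n_photons)]  # 0 rectilinear, 1 diagonal
    photons = list(zip(alice_bits, alice_bases))

    if eavesdrop:
        # Intercept-resend: Eve measures each photon in a random basis and forwards
        # a fresh photon prepared in the basis she used, carrying the bit she saw.
        photons = [measure(p, rng.randint(0, 1), rng) for p in photons]

    bob_bases = [rng.randint(0, 1) for _ in range(n_photons)]
    bob_bits = [measure(p, b, rng)[0] for p, b in zip(photons, bob_bases)]

    # Sifting over the (authenticated) classical channel: keep only the positions
    # where Alice's and Bob's bases agree; about half of the photons survive.
    sifted = [
        (a, b)
        for a, b, ab, bb in zip(alice_bits, bob_bits, alice_bases, bob_bases)
        if ab == bb
    ]

    # Sacrifice half of the sifted bits to estimate the quantum bit error rate (QBER).
    half = len(sifted) // 2
    check, key = sifted[:half], sifted[half:]
    errors = sum(1 for a, b in check if a != b)
    qber = errors / half if half else 1.0
    detected = qber > QBER_ALARM
    return {
        "qber": qber,
        "eavesdropper_detected": detected,
        "key_bits": [] if detected else [a for a, _ in key],
        "key_agrees": all(a == b for a, b in key),
    }


if __name__ == "__main__":
    for tapped in (False, True):
        r = bb84(4000, eavesdrop=tapped)
        print(f"eavesdrop={tapped}: QBER={r['qber']:.3f} detected={r['eavesdropper_detected']} "
              f"key_bits={len(r['key_bits'])}")
```

Without Eve the QBER is zero and Bob's sifted bits equal Alice's; with Eve it sits near 25%, well above the alarm, so the parties abort rather than use a key an attacker partially knows. A man-in-the-middle who could also impersonate each party on the classical channel would not be caught by this check, which is why that channel must be authenticated.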
Protection Rings: organize code and components in an operating system (as well as applications, utilities, or other code that runs under the operating system's control) into concentric rings.
a. Type 1 Hypervisor: runs directly on the hardware. More secure.
b. Type 2 Hypervisor: runs on top of a host OS, which is less secure because the OS introduces a larger attack surface.
Cloud Deployment Model
An industrial control system (ICS) is a form of computer-management device that controls industrial processes and machines, including manufacturing, fabrication, etc.
Distributed Control System (DCS): used in large-scale industrial plants. Control is distributed across the system.
Programmable Logic Controller (PLC): a ruggedized industrial computer that automates a single process or machine, e.g. an assembly line.
Supervisory Control and Data Acquisition (SCADA): can operate as a stand-alone device or be networked together with other SCADA systems.
XSS (persistent, non-persistent, DOM-based) {input validation, output encoding}
SQL Injection {input validation, limit access privileges, use parameterized queries/stored procedures}
CSRF {session authentication, anti-CSRF tokens, SameSite cookies, terminate inactive sessions}
XML Exploitation: falsify information being sent to a visitor, e.g. XML external entity (XXE) injection {disable external entity resolution}
Broken Authentication: vulnerabilities in authentication systems
Security Misconfiguration
Using Components with Known Vulnerabilities
Insufficient Logging and Monitoring
Embedded Devices: The Internet of Things (IoT) is a new subcategory, or even a new class, of smart devices that are Internet-connected in order to provide automation, remote control, or AI processing to traditional or new appliances or devices in a home or office setting. The security issues related to IoT are about access and encryption. Best practice is to isolate IoT devices from the primary network. (The Homeland TV series has a great example of an IoT breach.)
e.g. robotic surgery, car sensors, smart home appliances.
Domain 4: Communication and Network Security
Baseband vs Broadband
1. Baseband technology can support only a single communication channel. Baseband is a form of digital signal. Ethernet is a baseband technology.
2. Broadband technology can support multiple simultaneous signals. Broadband is a form of analog signal. Cable television and cable modems, ISDN, DSL, T1, and T3 are examples of broadband technologies.
Broadcast, multicast, and unicast technologies determine how many destinations a single transmission can reach:
1. Broadcast technology supports communications to all possible recipients.
2. Multicast technology supports communications to multiple specific recipients.
3. Unicast technology supports only a single communication to a specific recipient.
SNMPv3: Simple Network Management Protocol is a standard protocol used to interact with various network devices to obtain status information, performance data, statistics, and configuration details. Version 3 adds authentication and encryption, which versions 1 and 2c lack.
ICMP: Internet Control Message Protocol is used to determine the health of a network or a specific link.
5. Deep Packet Inspection Firewall
a. A deep packet inspection (DPI) firewall is a filtering mechanism that typically operates at the application layer in order to filter on the payload contents of a communication rather than only on the header values.
b. DPI filtering is able to block domain names, malware, spam, or other identifiable elements in the payload of a communication.
6. Next Gen Firewall: A next-gen firewall is a multifunction device (MFD) composed of several security features in addition to a firewall; integrated components can include an IDS, an intrusion prevention system (IPS), a TLS/SSL proxy, web filtering, QoS management, bandwidth throttling, NAT, VPN anchoring, and antivirus.
General Wireless Concepts: Wireless communications employ radio waves to transmit signals over a distance.
Spread Spectrum: communication occurs over multiple frequencies. A message is broken into pieces, and each piece is sent using a different frequency.
Frequency Hopping Spread Spectrum (FHSS): pieces are sent in series, hopping from one frequency to the next
Direct Sequence Spread Spectrum (DSSS): pieces are sent in parallel across the band
Orthogonal Frequency Division Multiplexing (OFDM): subcarrier signals are orthogonal (perpendicular) to one another, so closely spaced channels do not interfere
Domain 5: Identity and Access Management
Identity Assurance Level: Identity Assurance Level (IAL) refers to the identity proofing process (NIST SP 800-63A).
A category that conveys the degree of confidence that the applicant's claimed identity is their real identity.
IAL 1: Attributes, if any, are self-asserted or should be treated as self-asserted; no identity proofing is performed.
IAL 2: Either remote or in-person identity proofing is required. Evidence supporting the claimed identity must have been verified, remotely or in person.
IAL 3: In-person identity proofing is required. Identifying attributes must be verified by an authorized Credential Service Provider (CSP) representative through examination of physical documentation.
Smart Cards & Tokens:
Smart Card: A credit-card sized ID/badge that has an integrated circuit chip embedded in it, used for identification and/or authentication. (Mostly used as one factor in multi-factor authentication.)
Tokens: A password-generating device that users can carry with them. This authentication method is used along with another factor (a password or PIN).
1. Synchronous Password Tokens: Hardware tokens that create synchronous dynamic passwords are time-based and synchronized with an authentication server. They generate a new password periodically, such as every 60 seconds (the TOTP scheme, RFC 6238).
2. Asynchronous Password Tokens: Generate a password from an algorithm and an incrementing counter (or a challenge sent by the server). The dynamic one-time password stays the same until it is used for authentication (the counter-based HOTP scheme, RFC 4226).
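The difference between the two token types comes down to what feeds the counter, so here is an added Python implementation (not from the guide or the original article) of HOTP and TOTP as standardized in RFC 4226 and RFC 6238, together with the server-side checks: a drift window for time-based codes and a forward-only counter search for event-based codes, which is what stops a captured code from being replayed. The secret below is the RFC test-vector secret; the window and look-ahead sizes are assumptions.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, now=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals
    since the Unix epoch. Token and server derive the same code from the shared
    secret and their (synchronized) clocks."""
    t = int(time.time() if now is None else now)
    return hotp(secret, t // step, digits, algo)


def verify_totp(secret, code, now=None, step=30, digits=6, window=1, algo=hashlib.sha1):
    """Server-side TOTP check tolerating `window` steps of clock drift either way.
    Constant-time comparison avoids leaking how many digits matched."""
    t = int(time.time() if now is None else now)
    base = t // step
    return any(
        hmac.compare_digest(hotp(secret, base + k, digits, algo), code)
        for k in range(-window, window + 1)
    )


def verify_hotp(secret, code, last_counter, look_ahead=10, digits=6, algo=hashlib.sha1):
    """Server-side HOTP check. Only counters after the last accepted one are tried,
    so a previously used code is rejected (replay) and a code the user generated
    but never submitted is skipped over. Returns the counter to persist, or None."""
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, c, digits, algo), code):
            return c
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 / RFC 6238 test-vector secret
    print([hotp(secret, c) for c in range(3)])   # ['755224', '287082', '359152']
    print(totp(secret, now=59, digits=8))        # 94287082
    print(verify_hotp(secret, "969429", last_counter=2))  # 3
    print(verify_hotp(secret, "969429", last_counter=3))  # None (replay)
```

The server must persist the counter returned by verify_hotp before answering the client; if it does not, the same code is accepted twice and the one-time property is lost.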
Domain 6: Security Assessment and Testing
Summary of Protection Methods
a. Control physical access to systems
b. Control electronic access to files
c. Create a strong password policy
d. Hash and salt passwords
e. Use password masking
f. Deploy multi-factor authentication
g. Use account lockout controls
h. Use last-logon notification
i. Educate users about security
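Items d, g and h of the list are concrete enough to show in code, so here is an added Python example (not from the guide or the original article) of a minimal credential store: passwords are stored as salted PBKDF2-HMAC-SHA256 hashes with the parameters encoded alongside, verification uses a constant-time compare, repeated failures lock the account for a period, and each successful login returns the previous logon time for a last-logon notification. The iteration count, lockout threshold and lockout duration are assumed values to be tuned for your environment.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000        # assumed; tune to your hardware and raise over time
LOCKOUT_THRESHOLD = 5       # assumed: failed attempts before the account locks
LOCKOUT_SECONDS = 15 * 60   # assumed lockout duration


def hash_password(password, salt=None, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt. The algorithm, iteration
    count and salt are stored with the hash so parameters can be upgraded later."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored parameters; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# Hash verified for unknown usernames so the response time does not reveal
# which accounts exist (user enumeration).
DUMMY_HASH = hash_password("placeholder")


class AccountStore:
    """Minimal credential store: salted hashes, account lockout, last-logon record.
    `clock` is injectable so lockout expiry can be tested without waiting."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}

    def register(self, username, password):
        self.accounts[username] = {"hash": hash_password(password), "failures": 0,
                                   "locked_until": 0.0, "last_logon": None}

    def login(self, username, password):
        """Returns (status, previous_logon): status is 'ok', 'locked' or 'denied'.
        Unknown users get the same answer as a wrong password."""
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            verify_password(password, DUMMY_HASH)
            return "denied", None
        if now < acct["locked_until"]:
            return "locked", None
        if verify_password(password, acct["hash"]):
            previous = acct["last_logon"]
            acct["last_logon"] = now
            acct["failures"] = 0
            return "ok", previous
        acct["failures"] += 1
        if acct["failures"] >= LOCKOUT_THRESHOLD:
            acct["failures"] = 0
            acct["locked_until"] = now + LOCKOUT_SECONDS
        return "denied", None


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "correct horse battery staple")
    print(store.login("alice", "wrong"))
    print(store.login("alice", "correct horse battery staple"))
```

Two different salts give two different hashes for the same password, which is what defeats precomputed (rainbow) tables; a purpose-built password hash such as Argon2 or scrypt is preferable where its library is available, and the stored format above makes such a migration possible without a reset.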
1. Passive Monitoring Analysis: analyzes the actual network traffic sent to a website by capturing it as it travels over the network or reaches the server. Real User Monitoring (RUM) is one variant.
2. Synthetic Monitoring (or active monitoring): performs artificial transactions against a website to assess performance.
Domain 7: Security Operations
Implementing Preventive Measures
• Keep systems and applications up to date
• Remove or disable unneeded services and protocols
• Use intrusion detection and prevention systems
• Use up-to-date anti-malware software
• Implement configuration and system management processes
Domain 8: Software Development Security
Core Values of Agile:
Individuals and interactions over processes and tools
Working software over comprehensive documentation
Customer collaboration over contract negotiation
Responding to change over following a plan
Machine Learning: Machine learning techniques use analytic capabilities to develop knowledge from datasets without the direct application of human insight. The core approach of machine learning is to allow the computer to analyze and learn directly from data, developing and updating models of activity.
Zero Day Attack: Many forms of malicious code take advantage of zero-day vulnerabilities, security flaws that attackers discover and exploit before the vendor and the security community have addressed them with a fix. Defenses should include a strong patch management program, current antivirus software, configuration management, application control, content filtering, and other protections.
Originally published on the WeChat public account CISSP Learning: "Partial contents of the updates in the CISSP Quick Review Guide, Second Edition"