CISSP快速复习指导手册第二版更新的部分内容

admin 2024年5月8日21:23:49评论16 views字数 13764阅读45分52秒阅读模式

花了点时间,把快速手册第二版更新的内容翻译了一下。补充和新增了不少知识点。

CISSP快速复习指导手册第二版更新的部分内容

1:安全及风险管理

Process for Attack Simulation and Threat Analysis(PASTA)
攻击模拟和威胁分析流程(PASTA)
Stage I: Definition of the Objectives (DO) for the Analysis ofRisks
第一阶段:定义风险分析的目标(DO)
Stage II: Definition of the Technical Scope (DTS)
第二阶段:界定技术范围
Stage III: Application Decomposition and Analysis (ADA)
第三阶段:应用程序分解与分析(ADA)
Stage IV: Threat Analysis (TA)
第四阶段:威胁分析(TA)
Stage V: Weakness and Vulnerability Analysis (WVA)
第五阶段:弱点和脆弱性分析(WVA)
Stage VI: Attack Modeling & Simulation (AMS)
第六阶段:攻击建模与仿真(AMS)
Stage VII: Risk Analysis & Management (RAM)
第七阶段:风险分析与管理(RAM)
Risk Management for Supply Chain
供应链风险管理
A supply chain is the concept that most computers, devices,networks, and systems are not built by a single entity.
供应链的概念是,大多数计算机、设备、网络和系统不是由单个实体建造的。

Onsite Assessment

现场评估

Document Exchange and Review

文件交换和审查

Process/Policy Review

过程/政策评估

Third Party Audit

第三方审计

• Personal Security policies and Procedures
•个人安全政策和程序
• Separation of Duties: Preventive control (protects againstcollusion)
职责分离:预防控制(防止串通)
• Job Responsibilities: Access granted based on Least Privilege
工作职责:根据最小权限授予访问权限
• Job Rotation: Detective Control (Protects against Fraud)
岗位轮换:侦探控制(防止欺诈)
• Candidate hiring and screening: Background check important
招聘和筛选候选人:背景调查很重要
• Employment agreement and policies: Signing NDA and NCA
雇佣协议和政策:签订NDA和NCA
• On-boarding and termination process: IAM and UER
入职和离职流程:IAM和UER
• Vendor, Consultant and Contractor Agreements and Controls:Contracts and SLA
供应商、顾问和承包商协议和控制:合同和SLA
• Compliance Policy Requirements: adhering to requirements(PCI-DSS)
合规政策要求:遵守要求(PCI-DSS)
• Privacy Policy requirement: Cannot monitor without consent
隐私政策要求:未经同意不得监控
Awareness, Training & Education
意识,培训和教育

• A prerequisite to security training is awareness. The goal ofcreating awareness is to bring security to the forefront and make it arecognized entity for users.

安全培训的先决条件是意识。创建意识的目标是将安全放在首位,并使其成为用户认可的实体。

• Training is teaching employees to perform their work tasks and tocomply with the security policy. Training is typically hosted by anorganization and is targeted to groups of employees with similar job functions.

培训是教员工完成他们的工作任务并遵守安全政策。培训通常是由一个组织主办的,目标群体是具有相似工作职能的员工。

• Education is a more detailed endeavor in which students/users learnmuch more than they actually need to know to perform their work tasks.(obtaining CISSP certification for promotion or better job)

教育是一个更详细的努力,学生/用户在其中学到的知识远远超过了他们完成工作任务所需要了解的知识。(获得CISSP认证以获得晋升或更好的职位)

2:资产安全

Identify andClassify Assets
识别和分类资产
1.Define Sensitive Data
         定义敏感数据
2.Defining Data and Asset classification
        定义数据和资产分类
3.Determine data security controls
         确定数据安全控制
4.Understand Data states
         理解数据状态
5.Handling Information and Assets
         处理信息和资产
6. Data Protection Methods
      数据保护方法
DefineSensitive Data
定义敏感数据
1.Personally Identifiable Information
        个人身份信息
2.Protected Health Information
         受保护的健康信息
3.Proprietary Data
         专有数据
Understanding Data States
理解数据状态
1. Datain Motion 运动中的数据

a.Protect using TLS 1.2, VPN etc.

使用TLS 1.2,VPN 等保护

2. Dataat Rest 静止的数据

a.Protect using AES 256, masking, tokenization etc.

使用AES 256,masking, tokenization等保护

3. Datain Use 使用中的数据

a.Isolation of memory location where sensitive data is being processed.

对正在处理敏感数据的内存位置进行隔离。

Pseudonymization: Pseudonymization refers to the process ofusing pseudonyms to represent other data. It can be done to prevent the datafrom directly identifying an entity, such as a person. (e.g. Agent 007 forJames Bond)
假名化:假名化是指使用假名来表示其他数据的过程。它可以防止数据直接识别一个实体,比如一个人。(例如007特工:詹姆斯·邦德)
Anonymization: Anonymization is the process of removing allrelevant data so that it is impos­sible to identify the original subject orperson.
匿名化:匿名化是移除所有相关数据的过程,这样就无法识别原始的主体或人。
Data Masking: Data masking is a method of creating astructurally similar but inauthentic ver­sion of an organization's data thatcan be used for purposes such as software testing and user training.
数据屏蔽:数据屏蔽是一种创建组织数据的结构相似但不真实版本的方法,可以用于软件测试和用户培训等目的。
Security Baselines: Minimum set of security requirements that isneeded for an organization to protect its assets.
安全基线:组织保护其资产所需的最小安全需求集。
Not all security controls would be relevant to us.
并不是所有的安全控制都与我们相关。
• Scoping: Scoping refers toreviewing a list of baseline security controls and se lecting only thosecontrols that apply to the IT system you’re trying to protect. E.g. if a systemdoesn’t allow any two people to log on to it at the same time, there’s no needto apply a concurrent session control.
范围:范围指的是检查一个基线安全控制列表,并只设置那些应用于您试图保护的IT系统的控制。例如,如果一个系统不允许任何两个人同时登录,就没有必要应用并发会话控制。
• Tailoring: Tailoring refers tomodifying the list of security controls within a base line so that they alignwith the mission of the organization. E.g. Controls are needed for main officebut not on remote locations so remote locations could have compensatingcontrols.
裁剪:裁剪是指在基线内修改安全控制列表,以便它们与组织的使命保持一致。例如,主站点需要控制,但偏远地点不需要,因此偏远地点可以采用补偿控制。
Summary of Data classification process:
数据分类过程总结:
• Criteria are set for classifyingdata
设置了数据分类的标准
• Data Owners are established foreach type of data.
为每种类型的数据建立数据所有者
• Data is classified.
数据是分类的
• Required controls are selectedfor each classification.
为每个分类选择所需的控制
• Baseline security standards areselected for the organization.
为组织选择基线安全标准。
• Controls are scoped and tailored.
控制范围和裁剪
• Controls are applied andenforced.
实施控制并执行。
• Access is granted and managed.
授权和管理访问

3:安全工程

Quantum cryptography is the science of exploiting quantum mechanical properties toper­form cryptographic tasks. The best-known example of quantum cryptography isquantum key distribution which offers an information-theoretically securesolution to the key exchange problem.
量子密码学是一门利用量子力学性质来完成密码任务的科学。量子密码最著名的例子是量子密钥分发,它为密钥交换问题提供了一种信息理论上安全的解决方案。
1.Quantum Key Distribution
           量子密钥分发
2.Uses Quantum Bits (Qbits)
           使用量子位
3. Prevents from Man in TheMiddle Attack. Photons change state even if observed.
    可以防止中间人攻击。即使被观察到,光子也会改变状态。
Protection Ring:Organize codeand components in an operating system (as well as applica­tions, utilities, orother code that runs under the operating system’s control) into concentricrings.
保护环:将操作系统中的代码和组件(以及应用程序、实用程序或在操作系统控制下运行的其他代码)组织成同心环。
Cloud Computing
云计算:
1. Virtualization 虚拟化
a.Type 1 Hypervisor - Directly interacts with hardware. More secure
类型1 Hypervisor——直接与硬件交互。更安全的
b.Type2 Hypervisor - Less secure as OS introduces larger attack surface area
类型2Hypervisor——由于操作系统引入了更大的攻击表面积,安全性较低
2.Elasticity  弹性
3.Resource Pooling 资源池
4. Cloud Storage 云存储
Cloud Deployment Model云部署模型
1. Public Cloud 公有云
2. Private Cloud 私有云
3. Hybrid Cloud 混合云
4.Community Cloud社区云
An industrial control system (ICS) is a form ofcomputer-management device that controls industrial processes and machinesincluding manufacturing, fabrication etc.
工业控制系统(ICS)是一种计算机管理设备,用于控制工业过程和机器,包括制造、制造等。
Forms of ICS:
形式的集成电路:
Distributed Control System (DCS): It’s for large scaleindustries. Controls are distributed.
分布式控制系统(DCS) :适用于大型工业。控制是分布式的。
Programmable Logic Control (PLC): Focused on computers. E.g.Used in systems are assemblyline.
可编程逻辑控制(PLC):集中于计算机。用于系统的是装配线。
Supervisory Control and Data Acquisition: It can operate as astand-alone device, be networked together with other SCADA systems.
监控和数据采集它可以作为一个独立的设备运行,与其他SCADA系统一起联网。
OWASP:
XSS (Persistent, Non-persistent,DOM based) {Input Validation}
XSS(持久的、非持久的、基于DOM的){输入验证}
SQL Injection {Input Validation,Limit Access Privileges, use stored procedures)
SQL注入{输入验证,限制访问权限,使用存储过程}
CSRF {Session authentication,terminate inactive sessions}
CSRF{会话身份验证,终止不活动的会话}}
XML Exploitation: Falsifyinformation being sent to a visitor.
XML利用:伪造发送给访问者的信息。
Broken Authentication:Vulnerabilities in authentication systems
身份验证漏洞:身份验证系统中的漏洞
Sensitive Data Exposure
敏感数据暴露
Broken Access Control
访问控制破坏
Security Misconfiguration
安全错误配置
Using Components with KnownVulnerabilities
使用已知漏洞的组件
Insufficient Logging and Monitoring
日志记录和监控不足
Embedded Devices: The Internet of Things (IoT) is anew subcategory or even a new class of smart devices that areInternet-connected in order to provide automation, remote control, or AIprocessing to traditional or new appliances or devices in a home or officesetting. The se­curity issues related to IoT are about access and encryption.Best Practice is to isolate the IoT devices from primary network. (Homeland Webseries has a great example of IoT breach.)
e.g. Robotic surgery, car sensors, Smart home appliances.
嵌入式设备:物联网(IoT)是一个新的子类别,甚至是一个新的智能设备类别,这些设备通过互联网连接,为家庭或办公室中的传统或新型电器或设备提供自动化、远程控制或人工智能处理。与物联网相关的安全问题是访问和加密。最佳实践是将物联网设备与主网络隔离。(《国土安全》网络剧就是一个很好的物联网破坏的例子。)
例如机器人手术、汽车传感器、智能家电。

4:通信与网络安全

Baseband vs Broadband基带和宽带
1.Baseband technology can supportonly a single communication channel. Baseband is a form of digital signal.Ethernet is a baseband technology.
基带技术只能支持单一的通信通道。基带是数字信号的一种形式。以太网是一种基带技术。
2. Broadband technology can support multiplesimultaneous signals. Broadband is a form of analog signal. Cable television andcable modems, ISDN, DSL, T1, and T3 are examples of broadband technologies.
宽带技术可以支持多个同步信号。宽带是模拟信号的一种形式。有线电视和有线调制解调器、ISDN、DSL、T1和T3都是宽带技术的例子。
Broadcast, multicast, and unicast technologies determinehow many destinations a single transmission can reach: 
广播、多播和单播技术决定了单个传输可以到达多少目的地:
1.Broadcast technology supportscommunications to all possible recipients.
       广播技术支持对所有可能的接受者进行通信。
2.Multicast technology supportscommunications to multiple specific recipients.
        多播技术支持对多个特定收件人的通信。
3. Unicast technology supports only a singlecommunication to a specific recipient.
      单播技术只支持对特定接收方的单一通信。
SNMPV3: Simple Management Network Protocol is a standard protocol usedto interact with various network devices to obtain status information,performance data, statistics, and configuration details.
SNMP V3:简单管理网络协议是一个标准协议,用于与各种网络设备交互,以获取状态信息、性能数据、统计信息和配置细节。
ICMP:Internet Control Message Protocol is used to determine the health of a networkor a specific link.
ICMP:Internet控制消息协议用于确定网络或特定链接的运行状况。
防护墙种类
5.     DeepPacket Inspect Firewall
深度包检查防火墙

a.      Deep packet inspection (DPI)firewalls is a filtering mechanism that operates typically at the applicationlayer in order to filter the payload contents of a communication rather thanonly on the header values.

深层封包检查(DPI)防火墙是一种过滤机制,通常在应用层操作,以过滤有效负载内容的通信,而不仅仅是头值。

b.      DPI filtering is able to blockdomain names, malware, spam, or other identifiable elements in the payload of acommunication.

DPI过滤能够在通信有效载荷中阻止域名、恶意软件、垃圾邮件或其他可识别元素。

6.      Next Gen Firewall: A next-gen firewall is a multifunction device (MFD)composed of several security features in addition to a firewall; integratedcomponents can include an IDS, an intrusion prevention system (IPS), a TLS/SSLproxy, web filtering, QoS management, bandwidth throttling, NATing, VPNanchoring, and antivirus.
下一代防火墙:下一代防火墙是一种多功能设备(MFD),除防火墙外,还包括多个安全功能;集成组件可以包括IDS、入侵预防系统(IPS)、TLS/SSL代理、web过滤、QoS管理、带宽流量控制、NAT、VPN和防病毒。
General Wireless Concepts: Wireless communications employ radio waves to transmit signalsover a distance.
一般无线概念:无线通信利用无线电波远距离传输信号。
Spread Spectrum: communication occurs over multiple frequencies at the sametime. A message is broken into pieces, and each piece is sent at the same timebut using a different frequency.
扩频:通信发生在多个频率在同一时间。一条消息被分成几部分,每一部分在同一时间用不同的频率发送。
Frequency Hopping Spread Spectrum – Sent in Series
跳频扩频–串联发送
Direct Sequence Spread Spectrum – Sent in Parallel
直接序列扩频–并行发送
Orthogonal Frequency Division Multiplexing – Signals areperpendicular
正交频分复用–信号是垂直的

5:身份和访问管理

Identity Assurance Level: Identity Assurance Level (IAL) refers to the identity proofingprocess.
身份保证级别:身份保证级别(IAL)是指身份验证过程。
A category that conveys the degree of confidence that theapplicant’s claimed identity is their real identity.
表示申请人声称的身份是其真实身份的自信程度的类别。
IAL 1: If any are self-asserted or should be treated asself-asserted.
IAL1:如果有任何是自我断言或应被视为自我断言。
IAL 2: Either remote or in person identity proofing is required.It requires identity proofing to have been verified in person or remotely.
IAL 2:需要远程或亲自进行身份验证。它需要亲自或远程验证身份。
IAL 3: In person identity proofing is required. Identifyingattributes must be verified by the authorized Credential Service Provider (CSP)representative through examination of physical documentation.
IAL 3:需要本人身份证明。识别属性必须由授权凭证服务提供商(CSP)代表通过检查物理文档进行验证。
Smart Cards & Tokens: 智能卡和令牌
Smart Card: A credit-card sized ID/badge that has integratedcircuit chip embedded in it which is used for identification and/orauthentication. (Mostly used as Multi-Factor Authentication)
智能卡:一种信用卡大小的身份证/徽章,内置集成电路芯片,用于识别和/或认证。(主要用于多因素身份验证)
Tokens: A password generating device which users can carry withthem. This authentication method can be used along with other factor(password).
令牌:用户可以随身携带的密码生成设备。此身份验证方法可与其他因素(密码)一起使用。
1.Synchronous Password Tokens: Hardware tokens that createsynchronous dynamic passwords are time-based and synchronized with anauthentication server. They generate a new password periodically, such as every60 seconds.
同步密码令牌:创建同步动态密码的硬件令牌是基于时间的,并与身份验证服务器同步。它们定期生成一个新密码,例如每60秒生成一个新密码。
2.Asynchronous Password Tokens: Generates password based onalgorithm and an incrementing counter. it creates a dynamic onetime passwordthat stays the same until used for authentication.
异步密码令牌:根据算法和递增计数器生成密码。它创建一个动态的一次性密码,在用于身份验证之前该密码保持不变。

6:安全评估及测试

Summaryof Protection Methods保护方法概述
a. Control physical access to systems控制对系统的物理访问
b. Control electronic access to files控制对文件的电子访问
c. Create strong password policy创建强密码策略
d. Hash and salt passwords哈希密码和salt密码
e. Use password masking使用密码屏蔽
f. Deploy multi-factor authentication部署多因素身份验证
g. Use account lockout controls使用帐户锁定控制
h. Use last logon notification使用上次登录通知
i. Educate users about security对用户进行安全教育
Website Monitoring: 网站监控
1.Passive Monitoring Analysis: It analyses actual network traffic sent to awebsite by cap turing it as it travels over the network or reaches the server.Real User Monitoring (RUM) is one of the variants.
被动监控分析:它分析通过网络传输或到达服务器时,捕获发送给网站的实际网络流量。真实用户监控(RUM)是其中一种变体。
2.Synthetic Monitoring (or active monitoring): performs artificial transactionsagainst a website to assess performance.
合成监控(或主动监控):针对网站执行人工交易以评估性能。

7:安全运营

Implementing Preventive measures实施预防措施
• Keep systems and applicationsup-to date使系统和应用程序保持最新
• Remove or disable unneededservices and protocols删除或禁用不需要的服务和协议
• User intrusion detection andprevention systems用户入侵检测和预防系统
• Use up-to date anti malwaresoftware使用最新的反恶意软件
• Use Firewalls使用防火墙
• Implement configuration andsystem management processes实施配置和系统管理流程

8:软件开发安全

Core Values of Agile: 敏捷开发的核心价值:
Individuals and interactions over processes and tools
个人和交互胜过过程和工具
Working software over comprehensive documentation
工作软件优于综合文档
Customer collaboration over contract negotiation
客户合作胜过合同谈判
Responding to change over following a plan
响应变化胜过遵循计划
Machine Learning: Machinelearning techniques use analytic capabilities to develop knowl­edge fromdatasets without the direct application of human insight. The core approach ofmachine learning is to allow the computer to analyze and learn directly fromdata, developing and updating models of activity.
机器学习:机器学习技术使用分析能力从数据集中开发知识,而无需直接应用人类的洞察力。机器学习的核心是直接从计算机学习和更新数据的方法。
Zero DayAttack: Many forms of malicious code take advantage of zero-dayvulnerabilities, security flaws discovered by hackers that have not beenthoroughly addressed by the security community. Should include a strong patchmanagement program, current antivirus software, configuration management,application control, content filtering, and other protections.
零日攻击:许多形式的恶意代码利用零日漏洞,黑客发现的安全漏洞尚未得到安全社区的彻底解决。应该包括一个强大的补丁管理程序,当前的防病毒软件,配置管理,应用程序控制,内容过滤,和其他保护。
CISSP快速复习指导手册第二版更新的部分内容
扫描下方二维码申请加入CISSP Learning交流群。
CISSP快速复习指导手册第二版更新的部分内容
CISSP快速复习指导手册第二版更新的部分内容

原文始发于微信公众号(CISSP Learning):CISSP快速复习指导手册第二版更新的部分内容

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年5月8日21:23:49
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   CISSP快速复习指导手册第二版更新的部分内容https://cn-sec.com/archives/2491378.html

发表评论

匿名网友 填写信息