
Jaime Cruse
- Jul 8, 2019
CruSec’s 2019 CISSP Study Guide - Domain 8: Software Development Security
Domain 8: Software Development Security

8.1 Understand and integrate security in the Software Development Life Cycle

Programming Concepts
- Machine code is the binary language a CPU executes directly.
- Just above that is assembly language, which consists of low-level commands.
- Humans write source code and convert it into machine code with compilers.
- Interpreters translate each line of code into machine language on the fly while the program runs.
- Bytecode is an intermediary form between source and

Jaime Cruse
- Jul 8, 2019
CruSec’s 2019 CISSP Study Guide - Domain 7: Security Operations
Domain 7: Security Operations

7.1 Understand and support investigations

Forensics
- Digital forensics focuses on the recovery and investigation of material found on digital devices, often in relation to computer crime.
- Closely related to incident response, since both are based on gathering and protecting evidence. The biggest difference is that in forensics it is not what you know but what you can prove in court, so evidence is far more valuable.
- The International Organization on Computer Evidence's (IOCE) 6 Princi

Jaime Cruse
- Jul 8, 2019
CruSec’s 2019 CISSP Study Guide - Domain 6: Security Assessment and Testing
Domain 6: Security Assessment and Testing

6.1 Design and validate assessment, test and audit strategies
Spans many areas:
- Policies, procedures and other administrative controls
- Change management (primary goal is to ensure changes don't reduce security)
- Penetration tests
- Vulnerability assessments
- Security audits

6.2 Conduct security control testing

Security Audits
- Formal; tested against a public standard or regulation such as PCI DSS
- Can be structured (done by 3rd parties to validate compliance

Jaime Cruse
- Jul 8, 2019
CruSec’s 2019 CISSP Study Guide - Domain 5: Identity and Access Management
Domain 5: Identity and Access Management

5.1 Control physical and logical access to assets

IAAA – five elements:
- Identification – claiming to be someone
- Authentication – proving you are that person
- Authorization – allows you to access resources
- Auditing – records a log of what you do
- Accounting – reviews log files to hold subjects accountable
Non-repudiation prevents entities from denying they took an action. This is accomplished by auditing and digital signatures.

5.2 Manage

Jaime Cruse
- Jul 8, 2019
CruSec’s 2019 CISSP Study Guide - Domain 4: Communication and Network Security
Domain 4: Communication and Network Security

4.1 Implement secure design principles in network architectures

Communications and Network Security
- OSI Model – mnemonic: Please Do Not Teach Students Pointless Acronyms (Physical, Data Link, Network, Transport, Session, Presentation, Application). Developed by ISO.
- Encapsulation is when headers and footers are added to the payload as the message goes down the layers. Decapsulation is the unwinding of the message as it travels back up. This means the data carries the most added information (headers and trailers) at the physical layer.
- Layer 1 – Physical – cab
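To make the encapsulation/decapsulation point concrete, here is an added Python example (not code from the CruSec guide). It builds a real TCP header, an IPv4 header with a valid header checksum, and an Ethernet frame with a CRC-32 trailer around a small payload, then unwinds the frame layer by layer, checking each layer's integrity field on the way up. The MAC addresses, IP addresses, ports and HTTP payload are constructed sample values, and the TCP checksum is left at zero (it needs a pseudo-header, which is beside the point here).

```python
import struct
import zlib

# Constructed sample values for this example (not from the study guide).
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
SRC_IP = bytes([10, 0, 0, 1])
DST_IP = bytes([10, 0, 0, 2])
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the header bytes.
    Computing it over a header that already carries a valid checksum yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_segment(payload: bytes, sport: int, dport: int) -> bytes:
    """Layer 4: 20-byte TCP header (SYN, no options) in front of the payload.
    TCP checksum is left 0 here (it needs a pseudo-header); simplification."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return header + payload


def ipv4_packet(segment: bytes, src: bytes, dst: bytes) -> bytes:
    """Layer 3: 20-byte IPv4 header with a valid header checksum."""
    total_len = 20 + len(segment)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                         64, PROTO_TCP, 0, src, dst)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + segment


def ethernet_frame(packet: bytes, src_mac: bytes, dst_mac: bytes) -> bytes:
    """Layer 2: 14-byte Ethernet header plus a 4-byte CRC-32 trailer (the FCS)."""
    body = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + packet
    return body + struct.pack("<I", zlib.crc32(body))


def encapsulate(payload: bytes) -> list:
    """Walk down the stack; return the message as it looks at each layer."""
    l4 = tcp_segment(payload, 40000, 443)
    l3 = ipv4_packet(l4, SRC_IP, DST_IP)
    l2 = ethernet_frame(l3, SRC_MAC, DST_MAC)
    return [payload, l4, l3, l2]


def decapsulate(frame: bytes) -> dict:
    """Walk back up the stack, verifying each layer's integrity field."""
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    if zlib.crc32(body) != fcs:
        raise ValueError("Ethernet FCS mismatch")
    dst_mac, src_mac = body[:6], body[6:12]
    if struct.unpack("!H", body[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    packet = body[14:]
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != PROTO_TCP:
        raise ValueError("not a TCP packet")
    segment = packet[ihl:total_len]
    sport, dport = struct.unpack("!HH", segment[:4])
    data_offset = (segment[12] >> 4) * 4
    return {
        "dst_mac": dst_mac, "src_mac": src_mac,
        "src_ip": packet[12:16], "dst_ip": packet[16:20],
        "src_port": sport, "dst_port": dport,
        "payload": segment[data_offset:],
    }


if __name__ == "__main__":
    layers = encapsulate(b"GET / HTTP/1.1\r\n")
    names = ["application data", "TCP segment", "IPv4 packet", "Ethernet frame"]
    for name, data in zip(names, layers):
        print(f"{name:17s} {len(data):3d} bytes")
    print(decapsulate(layers[-1]))
```

Running it shows the payload growing from 16 bytes to a 74-byte frame as each layer adds its header (and, at layer 2, a trailer), which is why the physical layer sees the most information. Flipping any byte of the frame makes the FCS check fail before the upper layers are ever parsed.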

Jaime Cruse
- Jul 8, 2019
CruSec’s 2019 CISSP Study Guide - Domain 3: Security Architecture and Engineering
Domain 3: Security Architecture and Engineering

3.1 Implement and manage engineering processes using secure design principles
- The kernel is the heart of the operating system and usually runs in Ring 0. It provides an interface between the hardware and the rest of the OS.
- Models:
- Ring model – separates users (untrusted) from the kernel (trusted).
- Hypervisor mode – called Ring -1 ("minus 1"). Allows virtual guests to operate in ring 0.
- Open Systems are hardware and software that

Jaime Cruse
- Jul 8, 2019
CruSec’s 2019 CISSP Study Guide - Domain 2: Asset Security
Domain 2: Asset Security

2.1 Identify and classify information and assets

Classifying Data
- Labels – assigned to objects. Examples include Top Secret, Secret, Unclassified etc., but are often much more granular. Sensitive data should be marked with a label.
- Clearance – assigned to subjects; a determination of a subject's trustworthiness.
- Declassification is required once data no longer warrants the protection of its sensitivity level.
- Military classifications: Top

Jaime Cruse
- Jul 8, 2019
CruSec’s 2019 CISSP Study Guide - Domain 1: Security and Risk Management
Domain 1: Security and Risk Management

1.1 Understand and apply concepts of confidentiality, integrity and availability

CIA Triad
- Confidentiality – resources are restricted from unauthorized subjects. Data must be protected in storage, in processing and in transit. Unauthorized disclosure can also result from human error.
- Integrity – assures data has not been modified or tampered with. Prevents unauthorized subjects from making modifications and prevents authorized subjects from making mistakes. E

Jaime Cruse
- Jul 8, 2019
CruSec’s 2019 CISSP Study Guide - Introduction
Maintained by the International Information System Security Certification Consortium (ISC2), the Certified Information Systems Security Professional (CISSP) certification is a highly sought-after designation in the United States and beyond. The credential offers candidates the opportunity to prove extensive knowledge and experience in an array of fields related to cyber security. The course work takes a vendor-neutral approach as opposed to focusing on specific solutions, and instea