Monday, October 30, 2017

Awesome Neil Anderson Cisco CCNA Lab Guide

I was honored to be approached earlier today by Mr. Neil Anderson, a fellow CCIE :-), who has his very cool and highly popular site www.flackbox.com. Neil has done some great work building a new, elaborate and ready-to-use CCNA Lab guide that I am more than happy to share on my blog: http://www.flackbox.com/cisco-ccna-lab-guide

I have taken a quick look, and for the CCNA candidate it would be a great guide to get to know his way around Cisco networking practical work. In addition, Neil has made it all that easy for you by keeping it all within the virtual environment of GNS3, so you would not even have to lift your ass off the seat (like I did back in the days, ~20y ago).

So for all the CCNAs-to-be (and I would add the ones that already are as well): highly recommended.


Good Luck

Thursday, October 19, 2017

Domain 1 Security and Risk Management - Part 1

The first domain of the CISSP holds 12 sections and discusses aspects of risk management concepts, tools, laws and standards around people, process and technology. Here are some short highlights from my notes:

Understand and apply concepts of confidentiality, integrity, and availability 

CIA (Confidentiality / Integrity / Availability). If I were to say them in my own words: Confidentiality is the way to assure an asset is kept secret from any unauthorized system and / or person.
  • How to protect: most common is the use of encryption; taking data and encrypting it is done by multiple different techniques.
Integrity is the assurance that the asset you have was not handled in any way, shape or form by an unauthorized system and / or person.
  • How to protect: that is more complex, however it can be done by introducing multiple mechanisms, together referred to as AAA (Triple A from networking, or the 5 A's from the ISC2 world): Identification, Authentication, Authorization, Audit, Accounting.
Availability is making sure the asset is obtainable (I had to look for another word :-)) when needed.
  • How to protect: at a high level, that is by assuring service / asset health and stability.

The CIA is now often referred to as the CIA triad.


Note: the word asset was mentioned multiple times to make sure we get used to the terminology.
Asset: can be "data / person / company / resource / service..." or anything you can put a value on and is worth protecting.
Google definition: a useful or valuable thing, person, or quality.

What is AAA in the CISSP world?

Identification - the process of providing an identity to the next stage, authentication. In the world I come from, identification and authentication are part of the same process, as without one the other can't exist; however, for the sake of CISSP let's keep an open mind.
Authentication - once we have received the identifier we need to be able to authenticate it and make sure that this is indeed the account. There are different authentication methods like password, PIN code, biometrics (fingerprint)...
Authorization - after we have passed authentication we need to be able to provide limited access to resources according to our job requirements; providing too much may impact confidentiality and integrity, and providing too little may impact availability.
Audit - auditing is a very important function, and again, from my networking world it was part of accounting. The audit function is to provide monitoring and the ability to go back and look at who did what and when; a very important part of troubleshooting and a fundamental part of being able to prove non-repudiation.
Accounting - the ability to prove a subject's identity and track their activities, if needed to be presented later in a court of law.
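As an added illustration of the five A's listed above (not from the original post), here is a small Python model in which each stage is a separate step and every decision, granted or refused, lands in an audit trail that accounting can later replay; the accounts, roles, permissions and asset name are constructed assumptions.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone
# Constructed user store (hypothetical accounts): salted PBKDF2 hash plus a role.
def _make_user(password, role):
    salt = os.urandom(16)
    return {"salt": salt, "role": role,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)}
USERS = {"alice": _make_user("correct horse", "analyst"),
         "bob": _make_user("hunter2", "viewer")}
# Authorization matrix: the (role, action, asset) tuples a role is permitted.
PERMISSIONS = {("analyst", "read", "finance_db"), ("analyst", "write", "finance_db"),
               ("viewer", "read", "finance_db")}
AUDIT_LOG = []  # Audit: every decision is recorded, successful or not.

def _audit(subject, stage, action, outcome):
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(), "subject": subject,
                      "stage": stage, "action": action, "outcome": outcome})

def identify(username):
    """Identification: the claimed identity must exist before anything else happens."""
    known = username in USERS
    _audit(username, "identification", "-", "ok" if known else "unknown subject")
    return known

def authenticate(username, password):
    """Authentication: prove the claim with a secret, compared in constant time."""
    if not identify(username):
        return False
    u = USERS[username]
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), u["salt"], 100_000)
    ok = hmac.compare_digest(digest, u["hash"])
    _audit(username, "authentication", "-", "ok" if ok else "bad credential")
    return ok

def authorize(username, action, asset):
    """Authorization: least privilege, grant only what the subject's role permits."""
    role = USERS.get(username, {}).get("role")
    allowed = (role, action, asset) in PERMISSIONS
    _audit(username, "authorization", f"{action}:{asset}", "granted" if allowed else "denied")
    return allowed

def access(username, password, action, asset):
    """The full chain: identify -> authenticate -> authorize, audited at each stage."""
    return authenticate(username, password) and authorize(username, action, asset)
def account(username):
    """Accounting: reconstruct what a subject did (and was refused) from the audit trail."""
    return [e for e in AUDIT_LOG if e["subject"] == username]
```

Note that an unknown subject never reaches the authorization stage, and a denied request is still written to the log: that is what later lets accounting show who did what and when.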

Alignment of security function to business strategy, goals, mission, and objectives  

First, maybe let's define what governance is. According to the Google dictionary it is the action of governing, meaning?! If you own a company, or if you are one of the C-level functions in a company, it would be expected of you to govern and lead the company on the path to success, and part of it would be taking responsibility for providing company policies, goals and mission statements.


Elements to remember related to governance:
  1. Corporate executives must be committed to the security plan - due care!
  2. Corporate executives are to define the mission statement and company policy.
  3. The CISO / CSO should not be subject to company politics and should avoid any possible conflict of interest.
  4. Company executives hold the highest responsibility for the company's security, and in case they were careless they may also be subject to personal legal action against them.
  5. The security plan is subject to due diligence: always be responsive to the needed changes.

Organizational processes 

Like in life, when you get to a crossroads there is higher risk, as a crossroads increases complexity and involves cars moving on the same road in different directions; introducing proper mechanisms like rules, signs and lights will reduce the risk. The same goes for organizational changes: when purchasing a new company / systems, or god forbid when laying off personnel, the organization needs to be ready to face the implications:

  • make sure there is a well elaborated and sorted plan
  • make sure all personnel and / or systems are informed and ready for the change
  • prepare a backup / restoration / rollback (you name it) plan
  • make sure you have a way to monitor and measure the change and identify any negative impact

Organizational roles and responsibilities 

Roles and responsibilities are highly important. To do your job well, especially in a large organization, you need to know what your duties are, what is expected from you and how you can assist with the goals of your organization.

Key Roles To Know and remember:

Data Owner - as the name suggests, it is the highest authority for making sure data security is in order, and normally will be a senior manager; the data owner is also responsible for classifying the data security level.

Data Custodian - this is whoever is given the task of practically making sure data security is addressed as classified and according to the guidelines; normally this would be IT / IS.

Auditor - is responsible for monitoring and making sure security policies are being followed and implemented, and for issuing periodic reports to be reviewed by senior management. In case the auditor discovers and reports issues, senior management must address them.

Senior Manager - has the top responsibility and liability for organization security; however, the implementation of security is a function that is delegated to security professionals.

User - any user in the organization has their role in keeping the corporate security policy by following the provided policies and procedures.

Due Care/Due Diligence

Due Care

It is the action of "caring" about the possibility that a system / person might do harm to an asset!
  • The Data Owner (normally an organization executive) is obligated to due care.
Law: the conduct that a reasonable man or woman will exercise in a particular situation, in looking out for the safety of others. If one uses due care then an injured party cannot prove negligence. This is one of those nebulous standards by which negligence is tested. Each juror has to determine what a "reasonable" man or woman would do. (reference)

Due Diligence

It is an action performed in an iterative and repeatable manner, with steps taken for verifying / monitoring and applying actions in order to preserve company policy and standards.
  • The Data Owner is obligated to make sure due diligence is conducted on a regular basis.
  • Data Custodians are normally performing the due diligence in practice.
Google Translate: reasonable steps taken by a person in order to satisfy a legal requirement, especially in buying or selling something.


To be continued...

Saturday, October 14, 2017

What is about to change in CISSP from Apr 2018

Change has arrived, and like with other professional certifications there is almost a standard time before a certification gets its update; for most it is between 3 - 4 years. CISSP is no different, and since the last update was in 2015 the change is arriving here as well.

For the people that wish to see the official existing and new outline

I have decided to write this post as the new outline is more of a list of domains and sections within the domain, without a hint or indication of what was actually modified, and I could not find anyone else that had done that comparison, so I had to take the task and do the comparison. Please be advised that I have done it for my own "pleasure", so apologies if I missed something :-)

Let's start with the obvious change:

Domain                                    Before Apr 2018    From Apr 2018
1. Security and Risk Management           16%                15%
2. Asset Security                         10%                10%
3. Security Engineering                   12%                13%
4. Communications and Network Security    12%                14%
5. Identity and Access Management         13%                13%
6. Security Assessment and Testing        11%                12%
7. Security Operations                    16%                13%
8. Software Development Security          10%                10%

So as you can see from the table above there are no mind-blowing ground-up changes: we are still in the 8 domain format, there are small variations in the ratio between the domains, and since we still have 250 questions, questions have the same weight, 1% equals 2.5 questions. So if you look at it this way and take an example, Domain 1 was reduced by 2 - 3 questions in favor of Domain 3, whose ratio was increased by 1%. I would see that as a very minor difference.

Now if you look into each domain in more detail:

Domain 1 Security and Risk Management - originally with 12 sections and still with 12 sections, however:
  • Section 1.2 was reduced to 5 sub areas from 6 by merging Due Care and Due Diligence into one section. Does it mean we need to know less about them?! I think not.
  • Section 1.4 Similarly, Computer Crime (the law term) was changed to Cyber Crime and was merged with Data Breaches.
  • Section 1.9 Again, 12 sub areas were trimmed by merging content into 11 sections.
Domain 2 Asset Security - seems to be unchanged for the most part; a small change to Section 2.5.4: instead of cryptography it was modified to Data protection methods. I would think it is a more global look at what is available for data protection, other than the focus on crypto.

Domain 3 Security Engineering 
  • Section 3.5 was appended with IoT; I would say a kind of expected change with all the buzz around it (no offense intended).
  • Section 3.11.7 Water Issues was modified to Environment Issues; as well, it seems kind of obvious to change, as focusing only on water hazards is kind of ...
Domain 4 Communication and Network Security 
  • Section 4.1.7 Cryptography used to maintain communication security - removed
  • Section 4.2.6 Physical devices - removed
  • Section 4.4 Prevent and Mitigate network Attack was removed
Domain 5 IAM 
  • Section 5.3 as it was, was removed, and the new 5.3 is equivalent to old Section 5.4; in addition it seems to be segmented into 3 sub areas: Cloud, On-Premise and Federated.
  • Section 5.6 Prevent and Mitigate access control - removed
  • Section 5.7 Manage the Identity - removed
Domain 6 Security Assessment and Testing
  • Section 6.1 was extended with 3 sub areas: Internal, External, Third Party
  • Section 6.5 got the same workout Section 6.1 received
Domain 7 Security Operations
  • Section 7.16 Address personnel safety and security concerns was extended and received 4 sub areas: Travel, Security training and awareness, Emergency management, Duress

Domain 8 Software Development Security 
  • Section 8.2 was trimmed from 5 sub areas to 3
    • Security weaknesses and vulnerabilities at the source-code level - removed
    • Security of API - removed
  • Section 8.3 Acceptance testing - removed
  • New Section 8.5 Define and apply secure coding guidelines and standards with 3 sub areas
    • Security weaknesses and vulnerabilities at the source-code level
    • Security of application programming interfaces
    • Secure coding practices

So overall, looking at the changes, they are not fundamental, but I think they are the necessary ones to be made looking at the industry. So good luck to me and whoever is going to take the challenge :-)

Risk Management - Quantitative risk assessment

The name kind of give away the type of assessment we talk about "Quantitative" according to google translate: relating to, meas...