Session 3 - 2024 FRSecure CISSP Mentor Program

#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION THREE

INTRODUCTION

2024
Class #3 – Domain 7
Brad Nigh
FRSecure – Consulting Strategist

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
FRSECURE CISSP MENTOR PROGRAM LIVE STREAM – THANK YOU!
Quick housekeeping reminder.
• The online/live chat that’s provided while live streaming on YouTube is for constructive, respectful, and relevant (about course content) discussion ONLY.
• At NO TIME is the online chat permitted to be used for disrespectful, offensive, obscene, indecent, or profane remarks or content.
• Please do not comment about controversial subjects, and please NO DISCUSSION OF POLITICS OR RELIGION.
• Failure to abide by the rules may result in disabling chat for you.
• Do not copy, share, or post copyrighted materials (e.g., a PDF of the book).
DAD JOKE TIME
What do you call a boomerang that won’t come back?
A stick.
INTRODUCTION
Agenda
• Welcome, Reminders, & Introduction
• Questions
• Domain 7 – Security Operations (pp. 463 - Kindle)

Only 15 sections to cover in this most excellent domain…
GETTING GOING…
Managing Risk! We’re through Chapters 1, 2, 3, and part way into Chapter 4!
• Check-in.
• How many have read Chapters 1, 2 & 3?
• Questions?

Study Tips:
• Study in small amounts frequently (20-30 min)
• Flash card and practice test apps help
• Take naps after heavy topics (aka Security Models)
• Write things down, say them out loud
• Use the Slack Channels
• Exercise or get fresh air in between study sessions

Stick with it. You’ll be glad you did. I promise.
QUESTIONS.
How about some practice ones?

1. Which of the following are mandatory?
a. Guidelines
b. Baselines
c. Procedures
d. Best Practice
Answer (highlighted on the slide): c. Procedures

2. What is the most important thing to consider when developing a Business Continuity Plan?
a. RPO
b. FML
c. Continuity of Operations
d. People
Answer (highlighted on the slide): d. People

3. What is the definition of a threat?
a. Weakness or gap in a system that may be exploited
b. Negative event leading to a negative outcome.
c. Anything of value
d. A set of guidelines and processes created to help organizations in a data breach scenario
Answer (highlighted on the slide): b. Negative event leading to a negative outcome.

4. Which of the following best represents a Preventative control?
a. IDS
b. Internal Audit
c. Cameras
d. Firewall
Answer (highlighted on the slide): d. Firewall

5. What should a Risk Management program be?
a. The Zachman Framework
b. Consistent, Measurable, Standardized, Comprehensive, Modular
c. Consistent, Measurable, Standardized, Comprehensive, Flexible
d. Integrating Security and Privacy into the SDLC
Answer (highlighted on the slide): b. Consistent, Measurable, Standardized, Comprehensive, Modular
INTRODUCTION
Agenda
Domain 7 – Security Operations (pp. 463 - Kindle)
• 7.1 - Understand and comply with investigations
• 7.2 - Conduct logging and monitoring activities
• 7.2.3 Security orchestration, automation and response (SOAR) {previously domain 8}
• 7.2.4 Continuous monitoring and tuning {change}
• 7.3 - Perform Configuration Management (CM) (e.g., provisioning, baselining, automation)
• 7.4 - Apply foundational security operations concepts
• 7.5 - Apply resource protection
• 7.6 - Conduct incident management
• 7.7 - Operate and maintain detective and preventative measures
• 7.8 - Implement and support patch and vulnerability management
• 7.9 - Understand and participate in change management processes
• 7.10 - Implement recovery strategies
• 7.11 - Implement Disaster Recovery (DR) processes
• 7.12 - Test Disaster Recovery Plans (DRP)
• 7.13 - Participate in Business Continuity (BC) planning and exercises
• 7.14 - Implement and manage physical security
• 7.15 - Address personnel safety and security concerns

Alright, piece of cake.

Hold up a second though…
DAD JOKE…
If you don’t like it, it’s Evan’s fault!
Why do you never see elephants hiding in trees?
Because they’re so good at it.
DOMAIN 7 – SECURITY OPERATIONS

Introduction
Security operations is about the day-to-day operation and maintenance of the information security program.
• Also known as “SecOps”.
• If information security is “risk management”, SecOps is continual risk management.
• Take all the things you’ve learned so far and operationalize them.
• …and a little more.
Understand and comply with investigations
Topics include:
• Evidence collection and handling
• Reporting and documentation
• Investigative techniques
• Digital forensics tools, tactics, and procedures
• Artifacts (e.g., computer, network, mobile device)

It’s important to get this right. A CISSP isn’t expected to be a DFIR expert, but they must know the basics.
Evidence Collection and Handling
• Evidence supports an assertion or proposition.
• The better the evidence, the better the support.
• There are four types of evidence by which facts can be proven or disproven at trial:
• Real evidence;
• Demonstrative evidence;
• Documentary evidence; and
• Testimonial evidence.
https://www.findlaw.com/criminal/criminal-procedure/real-and-demonstrative-evidence.html
Real evidence
• Often called physical evidence: material items involved in a case, objects and things a jury can physically hold and inspect. Examples of real evidence include fingerprints, blood samples, DNA, a knife, a gun, and other physical objects.
• Usually admitted because it tends to prove or disprove an issue of fact in a trial.
• In order to be used at trial, real evidence must be relevant, material, and authentic. You MUST establish the item’s chain of custody.
Demonstrative Evidence
• Usually charts and diagrams, used to demonstrate or illustrate the testimony of a witness.
• It’s admissible when it fairly and accurately reflects the witness’s testimony and is more probative than prejudicial. Maps, diagrams of a crime scene, and charts and graphs that illustrate physical or financial injury to a plaintiff are examples of demonstrative evidence.
• Witnesses create and use demonstrative evidence at trial, and opposing counsel may use the same evidence to prove contrary positions.
Documentary Evidence
• The production of documents at trial is documentary evidence.
• Presented to prove or disprove certain allegations at trial.
• Documents can come from a vast number of sources: diaries, letters, contracts, newspapers, and any other type of document you can think of.
• There are restrictions and qualifications for using documents at trial, as there is a need to make sure they are authentic and trustworthy.
Testimonial Evidence
When a person gets up on the stand at trial and relates something that they saw or heard, that is testimonial evidence. It is simply a witness giving testimony under oath about the facts of the case.

OK, back to our regularly scheduled programming…
Collecting Digital Evidence
• The integrity of the evidence is CRITICAL!
• Rule of Thumb – IF YOU’RE GOING TOO FAST TO DOCUMENT EVERYTHING, THEN YOU’RE GOING TOO FAST.
• Document dates, times, physical locations, logical locations, all actions that were taken, observations, etc. TIP: Take pictures too.
• NEVER tamper with original versions of anything. ALWAYS use a write blocker, make bit-level copies, and investigate on the copies. TIP: Make two copies and store the original safely. I prefer hardware write-blockers.
Handling Digital Evidence
• Did I mention integrity?!
• Every second must be accounted for from the second you encounter evidence until you no longer have any contact with the evidence.
• Chain of Custody must be maintained.
• A well-known standard: ISO/IEC 27037:2012, “Information technology – Security techniques – Guidelines for identification, collection, acquisition and preservation of digital evidence”
• Here’s another good resource: NIST SP 800-86, https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-86.pdf
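The write-block, copy, verify and document steps from the Collecting and Handling Digital Evidence slides, as an added Python example that is not part of the slides or the FRSecure program. The “device” is a constructed in-memory byte string standing in for a drive behind a hardware write blocker; the function names, the custodian name and the log format are assumptions made for the example.

```python
# Added example (not from the slides): image a "drive" bit-for-bit, verify
# every copy by hash, and keep a chain-of-custody log of each action.
# SOURCE_DEVICE is constructed sample data; all names here are hypothetical.
import hashlib
import io
from datetime import datetime, timezone

# Constructed sample evidence (not real data).
SOURCE_DEVICE = (b"\x55\xaa" * 256
                 + b"case-notes.txt: meeting at 09:00\n"
                 + bytes(range(256)) * 8)
CHUNK = 4096  # read/write size; real imagers work in sector multiples


def sha256_stream(fobj, chunk=CHUNK):
    """Hash a stream in chunks so images larger than RAM can still be verified."""
    h = hashlib.sha256()
    for block in iter(lambda: fobj.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def image_device(src, dst, chunk=CHUNK):
    """Copy src to dst byte-for-byte, hashing what was read along the way.
    The caller must still re-hash dst: this only proves what was read."""
    h = hashlib.sha256()
    src.seek(0)
    for block in iter(lambda: src.read(chunk), b""):
        h.update(block)
        dst.write(block)
    dst.flush()
    return h.hexdigest()


def verify_image(image_bytes, expected_hash):
    """True if a working copy still matches the hash recorded at acquisition."""
    return sha256_stream(io.BytesIO(image_bytes)) == expected_hash


def acquire(source_bytes, copies=2, custodian="examiner"):
    """Make `copies` verified images of the source and log every step.
    Returns (source_hash, list_of_copy_hashes, chain_of_custody_log)."""
    src = io.BytesIO(source_bytes)  # stands in for /dev/sdX behind the write blocker
    log = []

    def note(action):  # one custody entry per action; UTC so times compare across systems
        log.append({"time": datetime.now(timezone.utc).isoformat(),
                    "who": custodian, "action": action})

    note("hash source before imaging")
    source_hash = sha256_stream(src)

    copy_hashes = []
    for i in range(1, copies + 1):
        dst = io.BytesIO()
        read_hash = image_device(src, dst)
        dst.seek(0)
        written_hash = sha256_stream(dst)
        # All three must agree: the source, the bytes read during the copy,
        # and the bytes that actually landed in the copy.
        if not (source_hash == read_hash == written_hash):
            note(f"copy {i} FAILED verification")
            raise RuntimeError(f"copy {i} does not match source")
        note(f"copy {i} verified sha256={written_hash}")
        copy_hashes.append(written_hash)

    note("source sealed and returned to evidence storage")
    return source_hash, copy_hashes, log


if __name__ == "__main__":
    h, copies, log = acquire(SOURCE_DEVICE)
    for entry in log:
        print(entry["time"], entry["who"], entry["action"])
    print("working copy intact:", verify_image(SOURCE_DEVICE, h))
```

The point of hashing three times is that a match between the source hash and the hash of the written copy is what you can later testify to; the read-side hash only tells you the copy loop itself did not drop bytes. Record the hash values, times and custodian in the log, not just “imaged the drive”.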
Reporting and Documentation
• Again, document EVERYTHING.
• As much as possible, avoid subjective interpretations and space for subjective interpretations.
• As much as possible, ensure evidence is admissible (even if you’re not sure that your evidence will be presented in court).
Admissibility of Evidence:
• Accuracy – lacking errors.
• Authenticity – undisputed origin.
• Comprehensibility – paint as much of the picture as possible.
• Convincing – certainty in conclusions.
• Objective – what the evidence says, not what you say. Facts versus opinions.
• Admissible – for the court in question.

Seek advice from legal counsel, law enforcement, or other investigative professionals to ensure the evidence you collect, handle, and prepare is adequate.

https://www.law.cornell.edu/wex/admissible_evidence
https://www.law.cornell.edu/rules/fre/rule_802
Investigative Techniques
Four main techniques
• Data capture – manual and automatic capture.
• Interviews – ideally with someone who witnessed the incident or has first-hand knowledge of it.
• Interrogations – usually done by law enforcement following stringent rules.
• External requests – usually warrants and subpoenas.

Let the evidence draw your conclusions. If the evidence isn’t available (coming later), you may not be able to draw conclusions.
When in question, leave it to the experts.
Digital Forensics Tools, Tactics, and Procedures
Forensics investigators (the good ones) have a “jumpbag” with their tools ready to use.
https://www.linkedin.com/pulse/cyber-security-incident-handlers-jump-bag-jean-francois-stenuit/
Write blockers and drive imagers
Designed to allow examination or imaging of a storage device, typically a hard drive, without writing any data to the storage device, which would violate the integrity of the evidence.
Faraday containers
Protect evidence from electromagnetic interference: they block radio signals, so a seized device such as a phone cannot reach a network and be remotely wiped, locked, or altered while it is in custody.
Video and audio recording tools
I’ve heard it in court before, “video doesn’t lie”. Might be sorta true, but video and audio can be very compelling. Can save a lot of time during an investigation too.

In general, secure the physical “crime scene” first.
• Network traffic analysis tools – Wireshark (and similar) for pcap capture and analysis.
• Log analysis tools – SIEM (and similar) to reconstruct events across systems and for context.
• Data recovery tools – file recovery for things deleted or overwritten.
• Virtual machines – useful for rebuilding (isolated) environments.
• Code analysis tools – decompilers and reverse-engineering software.
• Hashing tools – integrity verification.
• Toolkits – software suites specifically designed for forensic investigations.
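The “reconstruct events across systems” job of a SIEM, reduced to its core, as an added Python example that is not part of the slides or the FRSecure program: three constructed log lines from three systems that record time differently (UTC with a Z suffix, a naive local wall clock, and an explicit UTC offset) are normalised to UTC and ordered. The hostnames, addresses, line formats and the assumption that the Windows host was set to US Central time are all made up for the example.

```python
# Added example (not from the slides): build one UTC timeline from constructed
# log lines of three systems, and show the ordering you get if time zones are
# ignored. Hosts, addresses and formats are hypothetical.
import re
from collections import namedtuple
from datetime import datetime, timezone, timedelta

# utc: tz-aware UTC time; local: the naive wall-clock reading as logged.
Event = namedtuple("Event", "utc local source detail")

# Constructed sample lines (not from any real system).
FIREWALL_LOG = [  # syslog-style, already in UTC ("Z")
    "2024-03-05T14:02:11Z fw01 ALLOW 203.0.113.7:51234 -> 10.0.0.5:3389",
]
WINDOWS_LOG = [  # exported event log, wall clock in US Central (UTC-6 on this date)
    "03/05/2024 08:02:13 AM  WKS01  4624  Logon success user=jdoe src=203.0.113.7",
]
WEB_LOG = [  # Apache combined-style, UTC offset carried in the line
    '10.0.0.5 - - [05/Mar/2024:14:01:58 +0000] "GET /login HTTP/1.1" 200 512',
]
CENTRAL = timezone(timedelta(hours=-6))  # assumption: WKS01 was set to CST


def parse_firewall(line):
    ts, host, msg = line.split(" ", 2)
    local = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return Event(local.replace(tzinfo=timezone.utc), local, host, msg)


def parse_windows(line, local_tz=CENTRAL):
    # Two or more spaces separate the exported columns; the time is naive local.
    ts, host, event_id, msg = re.split(r"\s{2,}", line.strip())
    local = datetime.strptime(ts, "%m/%d/%Y %I:%M:%S %p")
    utc = local.replace(tzinfo=local_tz).astimezone(timezone.utc)
    return Event(utc, local, host, f"EventID {event_id} {msg}")


WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')


def parse_web(line, host="web01"):
    client, ts, request, status = WEB_RE.match(line).groups()
    aware = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")  # %z makes it tz-aware
    return Event(aware.astimezone(timezone.utc), aware.replace(tzinfo=None),
                 host, f"{client} {request} {status}")


def _parse_all(fw, win, web):
    return ([parse_firewall(l) for l in fw]
            + [parse_windows(l) for l in win]
            + [parse_web(l) for l in web])


def build_timeline(fw=FIREWALL_LOG, win=WINDOWS_LOG, web=WEB_LOG):
    """Every source normalised to UTC and sorted: the cross-system reconstruction."""
    return sorted(_parse_all(fw, win, web), key=lambda e: e.utc)


def wallclock_order(fw=FIREWALL_LOG, win=WINDOWS_LOG, web=WEB_LOG):
    """The trap: sorting by each system's raw clock reading with zones ignored."""
    return sorted(_parse_all(fw, win, web), key=lambda e: e.local)


def render(events):
    return [f"{e.utc.isoformat()} {e.source:6} {e.detail}" for e in events]


if __name__ == "__main__":
    print("\n".join(render(build_timeline())))
    print("wall-clock order:", [e.source for e in wallclock_order()])
```

On these lines the correct order is web01, fw01, WKS01 (the request, then the firewall allowing the RDP session, then the logon two seconds later), while the naive wall-clock order puts the Windows logon six hours before either, which is the kind of error that leads to a wrong conclusion about which system was touched first. That is why the earlier slide tells you to document dates and times: record each source’s time zone and clock offset at collection so this normalisation is possible later.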
#MissionBeforeMoney
CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 7 – SECURITY OPERATIONS


Understand and comply with investigations
Digital Forensics Tools, Tactics, and Procedures
Techniques and Procedures
• Digital forensics is a specialized skill.
• Strict procedures should be prepared ahead of time and followed for
conducting a forensic investigation.
• Either part of an incident response (IR) plan or a supplement to an IR
plan.
• Documented standards for the collection, handling, and investigation of
digital evidence include ISO 27041, 27042, 27043, and 27050
• SANS - https://www.sans.org/posters/?focus-area=digital-forensics

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 58
#MissionBeforeMoney
CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 7 – SECURITY OPERATIONS


Understand and comply with investigations
Digital Forensics Tools, Tactics, and Procedures
Techniques and Procedures
• Digital forensics is a specialized skill.
• Strict procedures should be prepared ahead of time and followed for
conducting a forensic investigation.
• Either part of an incident response (IR) plan or a supplement to an IR
plan.
• Documented standards for the collection, handling, and investigation of
digital evidence include ISO 27041, 27042, 27043, and 27050
• SANS - https://www.sans.org/posters/?focus-area=digital-forensics

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 59
#MissionBeforeMoney
CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 7 – SECURITY OPERATIONS


Understand and comply with investigations
Digital Forensics Tools, Tactics, and Procedures
Techniques and Procedures
• Digital forensics is a specialized skill.
• Strict procedures should be prepared ahead of time and followed for
conducting a forensic investigation.
• Either part of an incident response (IR) plan or a supplement to an IR
plan.
• Documented standards for the collection, handling, and investigation of
digital evidence include ISO 27041, 27042, 27043, and 27050
• SANS - https://www.sans.org/posters/?focus-area=digital-forensics
• NIST Computer Forensics Tool Testing Program (CFTT) site:
nist.gov/itl/ssd/software-
quality-group/computer-forensics-tool-testing-program-cftt

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 60
#MissionBeforeMoney
CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 7 – SECURITY OPERATIONS


Understand and comply with investigations
Digital Forensics Tools, Tactics, and Procedures
Techniques and Procedures
• Digital forensics is a specialized skill.
• Strict procedures should be prepared ahead of time and followed for conducting a forensic investigation.
• Either part of an incident response (IR) plan or a supplement to an IR plan.
• Documented standards for the collection, handling, and investigation of digital evidence include ISO 27041, 27042, 27043, and 27050.
• SANS – https://www.sans.org/posters/?focus-area=digital-forensics
• NIST Computer Forensics Tool Testing Program (CFTT) site: nist.gov/itl/ssd/software-quality-group/computer-forensics-tool-testing-program-cftt

Techniques and Procedures (generic procedure steps in book)
1. Define priorities
2. Identify data sources
3. Plan to collect data and execute
4. Document and preserve integrity
5. Look for hidden or erased data
6. Perform analysis

In reality, you are performing analysis continually (so this is not serial). ALWAYS let the evidence (and logic) lead the investigation. Do NOT make assumptions where you can avoid them.
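Step 4 (document and preserve integrity) and the "hashing tools" bullet above, as an added example that is not from the slides or the author: a small Python evidence manifest that records SHA-256 and MD5 for acquired files at collection time and re-verifies them later, flagging anything modified or missing. The file names, the examiner label and the sample "images" are constructed.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so a large image never has to fit in RAM


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of a file, read in chunks (same result as a one-shot hash)."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths, examiner):
    """Acquisition record: size plus two independent hashes per file, who recorded it, when (UTC)."""
    return {
        "examiner": examiner,
        "recorded_utc": datetime.now(timezone.utc).isoformat(),
        "files": {
            os.path.basename(p): {
                "size": os.path.getsize(p),
                "md5": hash_file(p, "md5"),
                "sha256": hash_file(p, "sha256"),
            }
            for p in paths
        },
    }


def verify_manifest(manifest, directory):
    """Re-hash each recorded file; returns {name: 'ok' | 'modified' | 'missing'}."""
    results = {}
    for name, expected in manifest["files"].items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            results[name] = "missing"
        elif hash_file(path, "sha256") != expected["sha256"]:
            results[name] = "modified"
        else:
            results[name] = "ok"
    return results


def demo():
    """Constructed sample: two fake evidence files; one is altered and one removed after
    the record is made, so the second verification should flag both."""
    with tempfile.TemporaryDirectory() as d:
        disk, mem = os.path.join(d, "disk01.dd"), os.path.join(d, "mem01.raw")
        with open(disk, "wb") as f:
            f.write(b"\x00" * (2 * CHUNK + 17))  # bigger than one chunk to exercise chunked reads
        with open(mem, "wb") as f:
            f.write(b"constructed memory sample")
        manifest = build_manifest([disk, mem], examiner="analyst-1 (constructed)")
        before = verify_manifest(manifest, d)
        with open(mem, "ab") as f:                 # simulate an unrecorded change
            f.write(b"!")
        os.remove(disk)                            # simulate a lost file
        after = verify_manifest(manifest, d)
        return before, after, json.dumps(manifest, indent=2)


if __name__ == "__main__":
    before, after, record = demo()
    print(record)
    print("first check:", before)
    print("second check:", after)
```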

Cloud-Specific

Artifacts

Locard’s Principle

Artifacts – Computers (Sources)
Specifics matter.
Windows
Logs (Event Viewer and others), Recycle Bin, Registry, etc.
Apple macOS
Logs (Console and others), Trash, Time Machine, property list (PLIST) files.
Linux
/usr folder, /tmp (volatile temporary files), /var (caches, log files, and information about currently running processes).

Browsers
Cache, history, cookies, etc.
Local Storage
File remnants, deleted files, file movement, etc.
Cloud Storage
Not unlike local storage, but investigators typically don’t have the same level of access; therefore, requests are made informally and/or formally of cloud providers.

Artifacts – Network (Sources)
NetFlow
Collects IP network traffic as it enters or exits interfaces. A network administrator can determine the source and destination of traffic, class of service, data types, etc.
Packet analysis (pcap)
Captures details about communications and the data itself.
Known bad traffic (block list)
C2 traffic, known malicious sites, etc. This one is big for IoCs.
Network device log files
Artifacts – Mobile Devices (Sources)
• Apple's iOS and Google's Android (mostly)
• Mobile device encryption is a significant challenge.
• Cellular, WiFi, Bluetooth, and NFC are unique forensic opportunities requiring additional skill.
• Apple's Find My and Google's Find My Device allow a lost or stolen phone to be remotely locked or wiped, which destroys vital evidence.

CONDUCT LOGGING AND MONITORING ACTIVITIES
We CANNOT prevent all bad things from happening, so we MUST be able to detect and respond.

Intrusion Detection and Prevention
• Detection detects (passive); prevention prevents (active).
• Network-based and host-based.
• NIDS – network-based intrusion detection.
• NIPS – network-based intrusion prevention.
• HIDS – host-based intrusion detection.
• HIPS – host-based intrusion prevention.
• Best used at crucial network chokepoints, such as between the demilitarized zone (DMZ) and internal networks or between a VPN terminator and an internal network.
False positives and false negatives must be handled carefully. This is called “tuning”.

Security Information and Event Management (SIEM)
• Centralization – centralizing log files keeps them organized and protects them.
• Normalization – logs from different systems come in different formats; a standardized format must be used for correlation and comparison.
• Correlation and detection – incidents often span systems, so logs/activities must be correlated for detection.
• Alerting – specific events and/or incidents can be configured to alert administrators.

IMPORTANT:
• Garbage in/Garbage out.
• SIEM operates on rules, so the rules must be set correctly.

Continuous Monitoring
• Information Security Continuous Monitoring (ISCM).
• Steps to establish, implement, and maintain ISCM:
  • Define an ISCM strategy;
  • Establish an ISCM program;
  • Implement an ISCM program;
  • Analyze data and report findings;
  • Respond to findings; and
  • Review and update the ISCM strategy and program.
• A robust ISCM program thus enables organizations to move from compliance-driven risk management to data-driven risk management.

Egress Monitoring
• Firewalls (and other filtering devices) should not only be configured for ingress (inbound) traffic control and monitoring, but also egress (outbound).
• This identifies potential data exfiltration and C2 traffic.
• Data Loss Prevention (DLP) is largely built on the premise of egress filtering.
• DLP can also filter/alert on specific data patterns; XXX-XX-XXXX, XXXX XXXX XXXX XXXX, etc.
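The two patterns on the slide as an added example, not code from the slides or any DLP product: a Python egress check that assumes XXX-XX-XXXX is a US Social Security number and XXXX XXXX XXXX XXXX a 16-digit payment card number, adds a Luhn checksum so random digit strings do not trip the card rule, and masks matched values so the alert itself does not leak the data it caught. Sample messages are constructed.

```python
import re

# Assumed meaning of the two patterns on the slide (constructed for this example):
#   XXX-XX-XXXX          -> US Social Security number
#   XXXX XXXX XXXX XXXX  -> 16-digit payment card number, groups split by space or dash
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum; a regex alone flags any 16 digits, this removes most false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def mask(value):
    """Alerts and logs keep only the last four characters of a match."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_outbound(text):
    """Return [(pattern_name, masked_value), ...] for one outbound message body."""
    findings = [("ssn", mask(m.group())) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append(("card", mask(m.group())))
    return findings


def egress_decision(text, block_at=1):
    """Policy hook: block the message when at least `block_at` findings are present."""
    findings = scan_outbound(text)
    return ("block" if len(findings) >= block_at else "allow"), findings


if __name__ == "__main__":
    for msg in ("Customer SSN 123-45-6789 on file",        # constructed sample messages
                "pay with 4111-1111-1111-1111 please",
                "ticket 1234 5678 9012 3456"):
        print(msg, "->", egress_decision(msg))
```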

Log Management
• Log strategy is critical.
• Why are we logging?
• What should we be logging?
• Where should we be logging?
• What should trigger alerts and response?
• Etc., etc., etc.
• CIS Benchmarks, DoD STIGs, manufacturer documentation, and specific standards can and should all be leveraged.

Log Management – Define Auditable Events and Thresholds
• Log settings are/should be continually tuned.
• Important events to consider logging:
  • Successful and unsuccessful access attempts like system logins, file or data access, and application access
  • Changes to user permissions, especially escalation like using sudo or other admin privileges
  • Changes to or disabling security tools and settings like DLP
  • Copy or export of sensitive files
  • Sensitive data transactions performed in applications

• Important data to collect about the events:
  • User or process IDs
  • Timestamps, ideally in a standardized format like UTC or in a standardized time zone used by the whole organization
  • Device identifiers, hostname, IP address, or similar
  • Name of object(s) accessed, like filename or function
  • Policy identifiers that triggered the log event, such as a failed login, admin privilege use, or file deletion

DON’T forget to protect the log data, maintain it in compliance with data retention requirements, clipping levels, etc.

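The SIEM slide's centralize, normalize, correlate and alert steps, using the fields the log management slides call for (UTC timestamps, user, host, IP address, outcome), as an added example that is not the author's or any SIEM product's code. Two constructed log formats are assumed: a syslog-style sshd line stamped in local time and a flattened Windows logon event (the event IDs 4624 and 4625 are real, the line layout, hosts, users and IPs are made up). The single correlation rule looks for failed logons from one source across both systems followed by a success.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: sshd lines in local time (-05:00) and Windows logon events in UTC.
SAMPLE = """\
2024-03-04T09:00:01-05:00 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51012 ssh2
2024-03-04T09:00:07-05:00 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 51020 ssh2
2024-03-04T14:01:10+00:00 dc01 EventID=4625 TargetUserName=jsmith IpAddress=203.0.113.9
2024-03-04T14:02:30+00:00 dc01 EventID=4624 TargetUserName=JSmith IpAddress=203.0.113.9
2024-03-04T14:03:00+00:00 dc01 EventID=4624 TargetUserName=mlee IpAddress=198.51.100.4
2024-03-04T14:03:05+00:00 dc01 EventID=4672 TargetUserName=mlee IpAddress=198.51.100.4
not a log line at all
"""

LINUX_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
WINDOWS_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) "
    r"IpAddress=(?P<ip>\S+)"
)
# Windows Security log: 4624 = successful logon, 4625 = failed logon.
WINDOWS_OUTCOME = {"4624": "success", "4625": "failure"}


def normalize(line):
    """Map one raw line onto the common schema (UTC ts, user, host, ip, outcome, source).
    Returns None for lines that are not authentication events this example models."""
    m = LINUX_RE.match(line)
    if m:
        outcome = "failure" if m["result"] == "Failed" else "success"
        source = "sshd"
    else:
        m = WINDOWS_RE.match(line)
        if not m or m["eid"] not in WINDOWS_OUTCOME:
            return None
        outcome = WINDOWS_OUTCOME[m["eid"]]
        source = "windows-security"
    return {
        "ts": datetime.fromisoformat(m["ts"]).astimezone(timezone.utc),  # one time zone for all
        "user": m["user"].lower(),                                        # JSmith == jsmith
        "host": m["host"],
        "ip": m["ip"],
        "outcome": outcome,
        "source": source,
    }


def ingest(text):
    """Centralize: normalize every line; count what could not be parsed instead of
    dropping it silently (a parsing gap is a blind spot worth knowing about)."""
    events, unparsed = [], 0
    for line in text.splitlines():
        event = normalize(line)
        if event is None:
            unparsed += 1
        else:
            events.append(event)
    return events, unparsed


def correlate(events, threshold=3, window=timedelta(minutes=10)):
    """Correlation rule across systems: at least `threshold` failed logons from one
    source IP (any host, any user) inside `window`, followed by a success from that
    IP, raises one alert. No single host's log would show the whole pattern."""
    failures = defaultdict(list)
    alerts = []
    for event in sorted(events, key=lambda e: e["ts"]):
        ip = event["ip"]
        if event["outcome"] == "failure":
            failures[ip].append(event)
            continue
        recent = [f for f in failures[ip] if event["ts"] - f["ts"] <= window]
        if len(recent) >= threshold:
            alerts.append({
                "rule": "failures-then-success",
                "ip": ip,
                "failures": len(recent),
                "hosts": sorted({f["host"] for f in recent} | {event["host"]}),
                "user": event["user"],
                "at": event["ts"].isoformat(),
            })
        failures[ip] = []   # a success closes the window for that IP
    return alerts


if __name__ == "__main__":
    evs, skipped = ingest(SAMPLE)
    print(f"{len(evs)} events normalized, {skipped} lines not parsed")
    for alert in correlate(evs):
        print("ALERT", alert)
```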

Threat Intelligence
Wikipedia has a good definition:
Cyber threat intelligence (CTI) is knowledge, skills and experience-based information concerning the occurrence and assessment of both cyber and physical threats and threat actors that is intended to help mitigate potential attacks and harmful events occurring in cyberspace. Cyber threat intelligence sources include open-source intelligence, social media intelligence, human intelligence, technical intelligence, device log files, forensically acquired data or intelligence from the internet traffic and data derived from the deep and dark web.

Threat Intelligence - Threat Feeds
• Information about threats learned about from various sources according to industry, physical region, etc.
• Data can be used for threat hunting (looking for the specific threat in an environment) and integration into other tools like DLP, SIEM, and SOAR.
• Commercially available (free and paid-for) threat feeds and several government-sponsored ones (mostly CISA in the United States and the Canadian Centre for Cyber Security).
• Industry-specific groups known as information sharing and analysis centers (ISACs) also offer threat information to their members.
Threat Intelligence - Threat Hunting
• Seeking threats/threat actors in an environment, based upon known and unknown threats.
• Human analysts and/or software agents.
• Within an organization, can be strategic, tactical, or operational.
• Outside of an organization, often done as part of security research, where a community of researchers shares work and findings in the spirit of making everyone more secure.
• Details can be shared in social forums (blogs, conference talks, Twitter, etc.), and information like IoCs is integrated with security tools.
Dark Web/Deep Web
Dark web – Content on non-publicly accessible networks requiring the use of special access methods like the Tor network.

Deep web – Content accessible over the internet but not publicly exposed, such as online banking information, private social media feeds, and even content behind paywalls like news sites.

User and Entity Behavior Analytics (UEBA)
Extends an earlier type of cybersecurity practice – User Behavior Analytics, or UBA – which uses machine learning and deep learning to model the behavior of users on corporate networks and highlights anomalous behavior that could be the sign of a cyberattack.

Activities that deviate from expected activities (or baseline) are flagged as suspicious and can be used as an input to other security tools.

PERFORM CONFIGURATION MANAGEMENT
Also referred to as “CM”
The Theory:
• Start with a secure configuration, make only authorized and secure changes, and the asset is then maintained in a secure state.
• Items under CM are called Configuration Items (CIs).
• CIs can be systems, endpoints, applications, etc.
• The “secure configuration” of a CI is called a baseline.
• Changes to the baseline must follow a formal change management process.
CI sounds sexier than “Asset”?
Roles and responsibilities, how CM will work, etc. should be documented in a Configuration Management Plan.
• Provisioning – setup and deployment of the secure configuration (baseline).
• The CI must be entered into the asset inventory.
• Baseline – standard baselines include DISA STIGs, CIS Benchmarks, and/or vendor-supplied configuration information.

Insecure configurations are a VERY common cause of vulnerabilities and incidents. Use automation where possible.

Maintain the secure configuration through strict change management.
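"Use automation where possible" applied to the baseline idea above, as an added example that is not from the slides, any benchmark or any CM tool: a Python drift check for one CI that compares a running sshd_config (real file format, constructed content) against a constructed baseline and classifies each difference as approved (matched to a ticket in a constructed change register) or unauthorized. The hostname, ticket number and setting values are all made up.

```python
# Constructed baseline for one configuration item (an SSH server), in the spirit of a
# CIS Benchmark / DISA STIG setting list. Values are illustrative, not a published benchmark.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "MaxAuthTries": "4",
    "X11Forwarding": "no",
    "LogLevel": "VERBOSE",
}

# Constructed snapshot of the running /etc/ssh/sshd_config (real file format, sample content).
RUNNING = """\
# sshd_config snapshot taken from ssh-bastion-01 (constructed)
Port 22
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 6
#X11Forwarding no
LogLevel VERBOSE
"""

# Constructed change register: (CI name, setting) -> (approved value, ticket id).
APPROVED_CHANGES = {
    ("ssh-bastion-01", "MaxAuthTries"): ("6", "CHG-0042 (constructed)"),
}


def parse_sshd_config(text):
    """Parse 'Keyword value' lines; blank and '#' lines are ignored. Keywords are
    case-insensitive and the first occurrence wins, matching how sshd reads the file."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key.lower(), value.strip())
    return settings


def check_drift(ci_name, running_text, baseline=BASELINE, approved=APPROVED_CHANGES):
    """Compare the running configuration with the baseline. Every difference is a
    finding; it is 'approved' only if the change register holds a ticket for this CI,
    this setting and exactly this value, otherwise it is 'unauthorized'."""
    running = parse_sshd_config(running_text)
    findings = []
    for setting, expected in baseline.items():
        actual = running.get(setting.lower())   # None: not set, so sshd's default applies
        if actual == expected:
            continue
        ticket = approved.get((ci_name, setting))
        status = "approved" if ticket and ticket[0] == actual else "unauthorized"
        findings.append({
            "setting": setting,
            "expected": expected,
            "actual": actual,
            "status": status,
            "ticket": ticket[1] if status == "approved" else None,
        })
    return findings


def is_compliant(ci_name, running_text):
    """True only when nothing drifted without a ticket: the state CM is meant to keep."""
    return all(f["status"] == "approved" for f in check_drift(ci_name, running_text))


if __name__ == "__main__":
    for finding in check_drift("ssh-bastion-01", RUNNING):
        print(finding)
    print("compliant:", is_compliant("ssh-bastion-01", RUNNING))
```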

APPLY FOUNDATIONAL SECURITY OPERATIONS CONCEPTS
Need-to-Know/Least Privilege
Need-to-know and least privilege are often used interchangeably, but they are different.
• Need-to-know is data-driven. Does a person/subject need to know the information? This applies regardless of whether the person/subject has privileges.
• Least privilege is system-driven. Does the person/subject need this level of access to perform an authorized job function? Also called “minimum necessary access”.

Separation of Duties and Responsibilities (SoD)
Limits the potential for misuse of resources or malicious activities by separating process steps among multiple personnel.
The person requesting access must not be the same one authorizing access and/or granting access.
• Dual control – a process that uses two or more separate entities (usually persons) operating in concert to protect sensitive functions or information.
• Two-person integrity – no single person can access an asset like a file or piece of equipment without another authorized individual present.

Privileged Account Management (PAM)
• Privileges, often called permissions, are the abilities a user is granted on a system.
• Privileged accounts (those with “elevated” privileges) require additional rigor during the access management lifecycle, such as more frequent reviews, MFA, limited use, etc.
• Provisioning, use, review, and deprovisioning requirements must all be considered.

Job Rotation
• Two primary benefits:
  • Cross-training, which improves operational resilience.
  • Limits/mitigates internal fraud (and related):
    • Personnel are less likely to engage when they know they will rotate, and
    • Fraud is more likely to be detected.

Service-Level Agreements
• Defines the level of service expected from a third party:
  • The metrics by which service is measured,
  • Remedies or penalties should agreed-on service levels not be achieved.
• It is a critical component of any technology vendor contract.
• A mutual agreement of service level requirements (SLRs) is an SLA, which codifies the shared understanding of SLRs.
• SLAs should be monitored continually and should be part of third-party information security risk management.

APPLY RESOURCE PROTECTION

Media Management
• Physical and electronic: paper, hard drives, devices, etc.
• ALL data should be classified as part of data management
practices.
• Labeling and marking are driven by data classification
requirements, using the highest classification present on the media.

https://frsecure.com/information-classification-policy-template/

Handling
• The labeling and marking communicate to the asset holder
what the protection requirements are (based on the
classification).

Media Protection Techniques
Physical compromise is total compromise. RoT
Transporting Media
Encryption, hashing, and physical protections should all be
considered. Physical protections should also include
environmental controls.
Sanitization and Disposal
• Previously covered. Full disk encryption (FDE) is a
mitigating control.
• Data must be securely overwritten and/or destroyed.
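The "encryption, hashing, and physical protections" point for media in transit, shown as an added example (not from the deck): the sender builds a per-file SHA-256 manifest, keys it with an HMAC so the manifest cannot simply be rewritten along with the files, and the receiver reports missing, modified, or unexpected files. File names, contents, and the shared key are constructed; in practice the key (or the manifest tag) travels out of band, separately from the media.

```python
"""Integrity manifest for media in transit (added example; not from the
FRSecure deck). File names and contents are constructed; the shared key is a
placeholder standing in for one exchanged out of band."""
import hashlib
import hmac
import json


def build_manifest(files):
    """files: {name: bytes}. Returns {name: sha256 hex digest}."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def tag_manifest(manifest, key):
    """HMAC over the canonical manifest. A plain hash list can be rewritten by
    whoever alters the files; the keyed tag cannot without the key."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_media(files, manifest, tag, key):
    """Return a list of discrepancies; an empty list means the media checks out.
    The manifest tag is checked first: if it fails, nothing else is trusted."""
    if not hmac.compare_digest(tag_manifest(manifest, key), tag):
        return ["manifest tag mismatch: manifest itself is untrustworthy"]
    received = build_manifest(files)
    problems = []
    for name, digest in manifest.items():
        if name not in received:
            problems.append(f"missing: {name}")
        elif received[name] != digest:
            problems.append(f"modified: {name}")
    problems.extend(f"unexpected: {name}" for name in sorted(received) if name not in manifest)
    return problems


# Constructed sample: what the sender wrote to the media.
KEY = b"shared-out-of-band-key-placeholder"    # assumption
SENT = {
    "payroll.csv": b"emp,salary\nalice,1\n",
    "readme.txt": b"quarterly export\n",
}


def sample_round_trip():
    """Sender side, then receiver side on an untouched copy."""
    manifest = build_manifest(SENT)
    tag = tag_manifest(manifest, KEY)
    return manifest, tag, verify_media(SENT, manifest, tag, KEY)


if __name__ == "__main__":
    manifest, tag, problems = sample_round_trip()
    print("clean media:", problems)
    tampered = dict(SENT, **{"payroll.csv": b"emp,salary\nalice,9\n"})
    print("tampered media:", verify_media(tampered, manifest, tag, KEY))
```

Hashing gives integrity only; it does not protect confidentiality, which is why the slide pairs it with encryption (FDE on the drive) and physical controls for the transport itself.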

CONDUCT INCIDENT MANAGEMENT

First, you MUST define what an “incident” is.

An event is something that happened.

An incident is an event with a negative consequence.

Incident Management Plan
Describes how the organization will manage an incident from
beginning to end (and into the next one).
Per the book: “tools, resources, and processes needed to identify,
categorize, and remediate the impact of incidents.”
Plenty of standards to draw from:
• ITIL framework incident management processes
• NIST Special Publication 800-61, “Computer Security Incident Handling Guide”
• ISO 27035, “Security incident management”
• European Network and Information Security Agency (ENISA), “CSIRT Setting Up Guide”
• ISACA, “Incident Management and Response”

https://frsecure.com/incident-response-log-template/
Incident Response Testing and Exercise
• Testing is mandatory.
• Exercises are excellent training opportunities.
• Testing improves response.
• Exercises can be used to integrate the incident response plan with other plans.

Incident Response - Reporting
Two messages, one internal and the other external.

OPERATE AND MAINTAIN DETECTIVE AND PREVENTATIVE MEASURES

Defense in depth: controls are layered so that they serve both
preventative and detective functions.

https://nsacyber.github.io/publications.html
Firewalls (review)
• Static packet inspection (stateless)
• Stateful packet inspection
• Web application firewall (WAF) and API gateway -
Specialized network access control devices designed to
handle specific types of traffic, unlike a generic firewall that
handles all network traffic. WAFs and API gateways analyze
traffic destined specifically for a web application or an
application's API.
• Host-based firewalls - These are installed on a specific
endpoint and use a ruleset specific to that endpoint.

• Next-generation firewalls (NGFW) - More of a marketing term
than a unique type of firewall. An NGFW combines several
network security services into a single device/system. Lower
overhead and cost (maybe), but higher complexity in a single
device (single point of failure).
• Security groups - These exist in software-defined networks
(SDNs) and cloud environments and serve many of the same
functions as a firewall.
Firewalls, security groups, and microsegmentation are useful
access control devices in a zero-trust network architecture,
where no part of the network is implicitly trusted.
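The difference between the first two firewall types in the review, static (stateless) and stateful packet inspection, as an added example that is not from the deck: a stateless filter must approximate "established" traffic from the ACK flag alone, while a stateful filter admits inbound packets only when they match a connection it saw opened from inside. The rule set, the internal host, and the traffic are constructed; addresses come from the RFC 5737 documentation ranges.

```python
"""Stateless vs. stateful packet filtering (added example; not from the
FRSecure deck). The rule set, the internal network and the packet sequence are
assumptions for illustration; addresses are RFC 5737 documentation ranges."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" (from an internal host) or "in" (from outside)
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset    # TCP flags present, e.g. frozenset({"SYN"})


def stateless_allow(pkt):
    """Static packet inspection: each packet is judged alone against the rules."""
    # Rule 1: internal hosts may open HTTPS connections outbound.
    if pkt.direction == "out" and pkt.dport == 443:
        return True
    # Rule 2: inbound packets with ACK set are treated as replies to
    # connections we opened. A stateless filter has no other way to recognise
    # "established" traffic, so any packet that sets the bit passes this rule,
    # whether or not a connection exists. That gap is what the stateful
    # filter below closes.
    if pkt.direction == "in" and "ACK" in pkt.flags:
        return True
    return False


class StatefulFilter:
    """Stateful packet inspection: remembers connections opened from inside and
    admits inbound packets only when they belong to one of them."""

    def __init__(self):
        self.connections = set()     # (int_ip, int_port, ext_ip, ext_port)

    def allow(self, pkt):
        if pkt.direction == "out" and pkt.dport == 443:
            if "SYN" in pkt.flags:   # a new connection is being opened
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if pkt.direction == "in":
            # A genuine reply swaps source and destination of the tracked entry.
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections
        return False


def compare(packets):
    """Return (stateless, stateful) decisions for a packet sequence, in order."""
    fw = StatefulFilter()
    return [(stateless_allow(p), fw.allow(p)) for p in packets]


# Constructed traffic: a legitimate HTTPS session, then an inbound packet that
# sets ACK but matches no connection the internal host ever opened.
TRAFFIC = [
    Packet("out", "10.0.0.5", 40000, "203.0.113.10", 443, frozenset({"SYN"})),
    Packet("in", "203.0.113.10", 443, "10.0.0.5", 40000, frozenset({"SYN", "ACK"})),
    Packet("in", "198.51.100.7", 443, "10.0.0.5", 22, frozenset({"ACK"})),
]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(TRAFFIC, compare(TRAFFIC)):
        print(f"{pkt.direction:>3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"stateless={stateless} stateful={stateful}")
```

The third packet is the one to watch: the stateless filter passes it to port 22 on the internal host because the ACK bit satisfies rule 2, while the stateful filter drops it because no outbound connection to 198.51.100.7:443 was ever recorded. Connection tracking is the same mechanism security groups and microsegmentation rely on when they enforce "only replies to traffic this workload initiated".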

Intrusion Detection Systems and Intrusion Prevention Systems
Nothing new to cover here.

Allowlisting/Blocklisting
Terminology has mostly changed from whitelisting/blacklisting to allowlisting and blocklisting.

Third-Party-Provided Security Services


• Pros and cons
Common services:
• Security Operations Center (SOC): Full or partial SOC
outsourcing can be useful to deal with the cost and
complexity of building and running a 24x7 SOC operation.
• Digital Forensics and Incident Response (DFIR): Look for
providers without bias.
• Threat intelligence: Can provide useful information about
threats that could target the organization and is often
industry- or technology-specific.

Sandboxing
• Run, observe, and analyze code in a safe, isolated environment
on a network that mimics end-user operating environments.
• Designed to prevent threats from getting onto the network and is
frequently used to inspect untested or untrusted code.
Honeypots/Honeynets
• A network-attached system used as a decoy to lure attackers.
• Used to detect, deflect, and study attempts to gain unauthorized
access to information systems.
• A honeynet is a collection of honeypots.

Be careful with honeypots: entrapment versus enticement.
IMPLEMENT AND SUPPORT PATCH AND VULNERABILITY MANAGEMENT

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 145
#MissionBeforeMoney
CISSP® MENTOR PROGRAM – SESSION THREE

DOMAIN 7 – SECURITY OPERATIONS


IMPLEMENT AND SUPPORT PATCH AND VULNERABILITY MANAGEMENT
Five crazy facts on exactly how much time is spent on
debugging and code fixing in the software industry:
1. On average, a developer creates 70 bugs per 1000 lines of code (!)
2. 15 bugs per 1,000 lines of code find their way to the customers
3. Fixing a bug takes 30 times longer than writing a line of code
4. 75% of a developer’s time is spent on debugging (1500 hours a year!)
5. In the US alone, $113B is spent annually on identifying & fixing product
defects

Windows 10, 50MM LOC, 75,000 bugs?!

The average car, according to KPMG, has over 150 million lines
of code in it.
Patch Management
A generic security patch process incorporating all stakeholders must
include the following:
• Vulnerability detection - Scanning, researcher, user reporting a bug, etc.
• Patch publication - By the vendor or development team, once the
vulnerability is verified and relevant code is written to address it.
• Evaluation - Patch applicability by each organization's administrative
personnel to determine if the patch is needed in each environment.
• Testing - Ensure the patch won’t introduce problems.
• Apply and Track - Ensure the patch doesn’t have a negative impact on
functionality.
• Rollback - If issues are encountered.
• Documentation - Of the system including the patch, which becomes the
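The patch process steps from publication onward (evaluation, testing, apply and track, rollback, documentation), as an added example that is not from the deck or any patch management product: a small state machine that refuses out-of-order steps, evaluates applicability against an asset inventory, gates on a test result, rolls every asset back if any post-patch check fails, and keeps the log that becomes the system documentation. Product names, versions, asset names, and the patch identifier are constructed.

```python
"""Patch cycle state machine (added example; not from the FRSecure deck or any
vendor's tool). Product names, versions, asset names and the patch id are
constructed placeholders."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    product: str
    version: str
    healthy: bool = True      # simulated result of the post-patch check


@dataclass
class Patch:
    patch_id: str
    product: str
    affected_versions: frozenset
    fixed_version: str


@dataclass
class PatchRun:
    patch: Patch
    state: str = "published"                  # the vendor has published the fix
    applicable: list = field(default_factory=list)
    log: list = field(default_factory=list)   # the documentation trail


# Legal step order. Anything else is a process error, not a patch error.
TRANSITIONS = {
    "published": {"evaluated"},
    "evaluated": {"not_applicable", "tested", "test_failed"},
    "tested": {"applied"},
    "applied": {"verified", "rolled_back"},
}


def transition(run, new_state, note):
    if new_state not in TRANSITIONS.get(run.state, set()):
        raise ValueError(f"illegal transition {run.state} -> {new_state}")
    run.log.append(f"{run.patch.patch_id}: {run.state} -> {new_state} ({note})")
    run.state = new_state


def evaluate(run, assets):
    """Evaluation: which assets in this environment actually need the patch."""
    run.applicable = [a for a in assets
                      if a.product == run.patch.product
                      and a.version in run.patch.affected_versions]
    transition(run, "evaluated", f"{len(run.applicable)} affected asset(s)")
    if not run.applicable:
        transition(run, "not_applicable", "nothing to patch in this environment")
    return run.applicable


def gate_on_testing(run, test_passed):
    """Testing: a non-production test must pass before real assets are touched."""
    if test_passed:
        transition(run, "tested", "no regressions in the test environment")
    else:
        transition(run, "test_failed", "regression found; patch held")
    return run.state


def apply_and_track(run):
    """Apply and Track, with Rollback of every asset if any post-patch check fails."""
    transition(run, "applied", "applied to " + ", ".join(a.name for a in run.applicable))
    previous = {a.name: a.version for a in run.applicable}
    for a in run.applicable:
        a.version = run.patch.fixed_version
    failed = [a.name for a in run.applicable if not a.healthy]
    if failed:
        for a in run.applicable:          # restore the whole set, not only the failures
            a.version = previous[a.name]
        transition(run, "rolled_back", "post-patch check failed on " + ", ".join(failed))
    else:
        transition(run, "verified", "post-patch checks passed")
    return run.state


def run_patch_cycle(patch, assets, test_passed=True):
    run = PatchRun(patch)
    if not evaluate(run, assets):
        return run
    if gate_on_testing(run, test_passed) != "tested":
        return run
    apply_and_track(run)
    return run


# Constructed sample data (not real products or versions).
PATCH = Patch("PATCH-2024-0001", "webserver", frozenset({"1.24.0"}), "1.24.1")


def sample_assets():
    return [Asset("web1", "webserver", "1.24.0"),
            Asset("web2", "webserver", "1.24.0"),
            Asset("db1", "database", "15.2")]


if __name__ == "__main__":
    print("\n".join(run_patch_cycle(PATCH, sample_assets()).log))
```

The log lines are the documentation step: after the run, each entry records which state the patch moved through and why, so the final system record (asset, version, patch id) can be reconstructed from it.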
UNDERSTAND AND PARTICIPATE IN CHANGE MANAGEMENT PROCESSES
This is where we’ll stop for the night…

SESSION THREE – AT LAST!

Homework:
• Catch up on your reading. You should be through (or at
least beginning) Domain 7 soon.
• Take practice tests.
• Review at least two of the references we provided in this
class (download them for later use).
• Post at least one question/answer in the Discord
channel.

See you Wednesday!

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 151
