Skip to content

Latest commit

 

History

History
669 lines (447 loc) · 23.3 KB

README.md

File metadata and controls

669 lines (447 loc) · 23.3 KB

CCSP-Mnemonics

(Can also be useful for CCSK)

CCSP mnemonics for CISSP-passers.

CISSP-mnemonics | CCSP-Mnemonics

Useful resources

Secondary useful resources

Even more-Secondary resources

Domain 1

NIST 800-145 Essential characteristics of cloud

(Similar to ISO 17789:2014, but don't worry about it)

  1. On-demand self-serviceservice self

  2. Broad network accessbroad access over internet or WAN

  3. Resource poolingResources are somewhere in that cloud pool (within chosen geographic location)

    ice
    Swimming pool with resources... somewhere
  4. Rapid elasticity – (Repeat) (cloud) solution is like an elastic band – can scale up and scale down as needed. Elasticity implies scalability

  5. Measured service – pay exactly the measured amount

Other characteristics of cloud

  • Scalability – app/solution can "scale up" well for thousands of inputs or clients

  • Elasticity – (cloud) solution is like an elastic band – can scale up and scale down as needed. Elasticity implies scalability

  • Cloud bursting – Hybrid cloud elasticity (bursting)

  • Multitenancy – Sharing tenements (resources) with everyone, including Communists, Anarchists, and crooks

    Cuba

Cloud types

  • On-prem – Your datacenter
  • Private – CSP only services you (CSP is your Sugar Baby) – Expensive.
    • Community – (U.S. Intelligence) Community Cloud – cloud for those who share a mission!
  • Hybrid – Your infrastructure 🖤 CSP's cloud. Uses data portability technology and is hard to configure well.
  • Public – CSP's cloud for everyone, including crooks. Multitenancy.

Trusted Computing

  • TEE – Trusted Execution Environment (≈ TCB)
  • TPM/vTPM – Internal hardware for TEE/TCB (+ Secure Boot)
  • HSM – External dongle/card for TEE/TCB (+ Secrets Management)
    • Dedicated HSM – BEST Secrets Management. Better than any vTPM.

Special computing types

  • Confidential Computing – protect data in use (e.g. in RAM).
  • Quantum computing – protect secrets by watching for observer's principle/effect.

Cloud account types

  • Service – service-app only (not user)
  • Shared – shared by team

FIPS 140-2: Security Levels

  1. Lowest
  2. TPM, HSM [Cryptographic modules]
  3. (TPM, HSM) + Tamper-proof
  4. (TPM, HSM) + (Tamper-proof) + Self-destruct on attack

Mnemonics

  1. Lowest
  2. For cryptographic modules that protect sensitive information
  3. For physical contractors to prevent physical tampering
  4. Tamper-proof control where the data on the device is automatically erased if it detects a physical attack
  • Mnemonic 1: Low adoption of crypto in the physical world due to auto-erase
  • Mnemonic 2: Low amount of crypto will cause physical ASIC to self-destruct

Hypervisors

  • Type 1 – Bare metal (hardware)
  • Type 2 – Software

Mnemonic: Hardware first, then software

Extra auth types

  • 1-3: Something you know, something you have, something you are,
  • 4-5: Somewhere you are, something you do

5 Facets of Cloud/IOT interoperability – ISO/IEC 21823

  1. (Comply with) Policy
  2. (Expected) Behavior
  3. (Standard and secure) Transport
  4. (Exchange is) Syntactic (and thus Understandable)
  5. (Data meaning is) Semantic

Cloud Leadership

  • Governance – Policy & Central control
  • Orchestration – manage workloads
    • Scheduling – Orchestrate on automatic schedule
      • Distributed Resource Scheduling – VMWare-proprietary schedule optimization
  • Migration – from on-prem to cloud

Domain 2

Cloud DLM – Data Lifecycle Management

The cloud data lifecycle consists of:

  1. Create
  2. Store
  3. Use
  4. Share
  5. Archive
  6. Destroy
  • Letters: CS US AD
  • Mnemonic: CompSci (of) US (created) ActiveDirectory
  • Mnemonic 2: Cloud SUS ActiveDirectory

Storage types

By access chain

  • RAW – Direct hands-on low-level access some drive (including access to S.M.A.R.T. and drive firmware!). Access directly: You → Drive. Direct access means "Direct responsibility" for data remanence caused and found.
  • Volume-storage – High-level, abstracted ("abstractioned"), indirect, access to a (likely virtual) drive in a cluster: You → Cluster of drives → (Subcluster of drives? It's a cloud architecture after all) → Drive
    • File-storage – Store files in an abstract vacuum – like on Cisco devices.
    • Block-storage – Store blocks of data like on hard drives – you can orchestrate filesystems, NTFS Master File Tables, folders, files, file attributes etc.

By longevity

  • Ephemeral – RAM, RAMDisk (ephemeral volume), SWAP/Pagefile, temporarily LiveCD (whether RAM or HDD) destroyed after a session.
  • Long-Term – HDD RAID or LTO tapes for use after session (for example, for work on next day and backup)
    • Archival – (likely a subset of long-term storage) – good for archiving, but very slow data retrieval (hours/days).

Data types

  • Structured – SQL Database
  • Semi-structured – CSV, JSON, XML. Additionally, most often: Emails, HTML.
  • Unstructured – Files and everything else

Data Dispersion

Just a KISS term: "Store data in many places"

A bit like RAID, can be used to achieve diametrically opposed goals:

  • Availability (by orchestrating multiple copies of data), and
  • [Two-person control] Multi-person control (by splitting data into many pieces – thus potentially jeopardizing availability),

DLP deployment

(Rough unofficial order)

  1. First, eDiscover your data.
  2. Prioritize and categorize – thus label the data.
  3. After labeling, tag the data.
    • For CCSP: Tags for DLP; Labels for classification. (Tags explain the data, labels show sensitivity)
  4. After the data is tagged, set up DLP policies.
  5. Deploy DLP.
  6. Let DLP train on data. (you can assist, but for CCSP: DLP will work fine on its own)

Data DEclassification

  • Anonymization – Remove sensitive data and make the subject anonymous (like a hacker group). Can be required by GDPR.
  • Masking – Permanently mask and damage data, sub-options:
    • Randomize – meaningful parts of data replaced with meaningless random data
    • Hash – Tim Abdiukov becomes 0x3CFDFAC8
    • Shuffle – Everyone's data is shuffled, rendering data dirty and meaningless
    • Mask – Card number **** **** **** 9608 expiry 09/25 cvv ***
    • Delete – Delete
  • Tokenization – split sensitive and non-sensitive tables, use meaningless tokens to uniquely identify subjects where needed.

Other

  • IRM System – Internet (Requires) RSA Management – Protect sensitive data in transit.
    Not to be confused with DRM

Domain 3

Recovery sites

(same as CISSP, plus):

  • Cloud site – much more cost-effective than hot site, however, takes longer to reallocate to. Is a viable replacement to Hot and Warm sites.

Uptime Institute: Availability tiers

  1. 99.671%
  2. 99.741%
  3. 99.982%
  4. 99.995%

Mnemonic 1

TIERS1234
123456789
-----6789

Mnemonic 2:

TIER
4321
9876

(Compass)-bound communication

Occurs in SDNs,
Cisco

CSA CIR

Cloud IR framework by CSA. Based on NIST 800-61,

NIST 800-61

4 stages of Incident Response,

  1. Preparation
  2. Detection & Analysis
  3. Containment, Eradication and Recovery
  4. Post-mortem

(Reminiscent of CISSP's DRMRRRL (DRM RRR L))

Planes

  1. Data plane – data traffic
  2. Control plane – control of low-level data flow configuration
  3. Management plane – high-level management and reporting

Ping, power, pipe

For designing a datacenter

  1. Ping = Ping to remote access (RDP/SSH)
  2. Power = Electric Power
  3. Pipe = ISP/internet/YouTube

How to design a datacenter

(Not-so-serious guide)

  • Step 1: Pick a legal heaven location
  • Step 2: Redundancy is key
  • Step 3: Do all nice things (ISC)² likes (protect people, create plans for a UFO attack)
  • Step 4: Add LOTS of cables everywhere
  • Step 5: ???????
  • Step 6: PROFIT!

Domain 4

Threat Modeling Approaches


DREAD is forced away by STRIDE
DREAD is forced away by STRIDE
  • DreaDDamages (by attacker) – developed by Microsoft – replaced with STRIDE. DREAD is forced away by STRIDE
  • STRIDE – Prime model by Microsoft.
    • Tampering – always of data, not systems

  • PASTA – for code. PASTA (spaghetti) code.

Stand With Ukraine
ATACMS... I mean ATASM
  • ATASM – Serial ATA (SATA) is serial – ATASM is Serial. Powerfully addresses surface like ATACMS. ATASM is also a metamodel. ATASM – ATA Serial Metamodel.
    • Architecture (Analysis)
    • Threats (existing: actors, goals)
    • Attack Surface (existing)
    • Mitigations (existing)

(Architecture Threats – Attack Surface – Mitigations)

Terms

  • CSA – Cloud Security Alliance (organization)
  • SBOM – List software's BOMbay-made libraries.
    • SCAAnalytical Actions upon SBOM.
    • SCM – Software Configuration Management (software in secure configuration – protect against scummy configurations like allowlist *.*)
  • Dynamic Secrets – JIT secrets.
  • KMS – Key Management Service = Secrets Server.

SDLC

  1. Planning Analysis (for ongoing project)
  2. Requirements Analysis (to finish project) [for CCSP: separate phase]
  3. Define (goals with user)
  4. Design (map technical control plane)
  5. Develop (implement)
  6. Test (verify)
  7. Deploy/Release/Maintain

PR DDD TD

SDLC and Security

  1. Security starts as early as Define stage.
  2. Security inserts controls at Design stage.

SOAP vs REST

  • SOAP – (Endless) SOAP opera of using Microsoft's XML – just like Microsoft's Internet Explorer.
  • RESTRESTructured (modern) API using URIs

FAM, DAM

Neither is an IDS/IPS

  • File Activity Monitoring (FAM) – Audit user activities intelligently (on) Files
  • Database Activity Monitoring (DAM) – Audit user activities intelligently (on) Databases

Gateways

  • SWG (Secure Web) Gateway/Virtual Security Appliance (VSA) = Virtual Cloud Firewall host. Heavy duty, advanced functionality.
  • API Gateway = API WAF/IPS and monitoring
  • XML Gateway = XML (SOAP) WAF/IPS and monitoring.

Encryption

  • Crypto-shredding – Secure data deletion with double-encryption. Awesome for cloud.
  • Full Disk Encryption (FDE) – BitLocker/dm-crypt
  • Transparent Data Encryption (TDE) – encryption/decryption of data at rest, transparent to the legacy app (no app changes required)

Functional vs Non-Functional Testing

  • Functional – (rather facts-based) – Does app Function as expected
  • Non-Functional – (rather bias-based) – Is the app bulky, too slow, susceptible to DDoS, and has an ugly UI?

Testing Target

  • Static (SAST) – Code
  • Dynamic (DAST) – Runtime
  • IASTInteractive AST – Agent on backend to show where the error is,
IAST IAST
IAST Example IAST Example

Secure coding guidelines

(taken directly from Alukos + my notes)

  • OWASP Application Security – guidelines.
  • OWASP's ASVS – AppSec metric Standard for: SAST, DAST, IAST. ASVS has 3 levels.
  • Software Assurance Forum for Excellence in Code (SAFECode)

Other

  • Abuse Case Testing – (Intentional) misuse case testing (more info).
    • (Abuse Case Testing ≈ Misuse Case Testing)

Domain 5

Cloud security standards

  • ISO/IEC 20000-1 – IT Service Management (Directly to Domain 5, like ITILv4)
    • Mnemonic 1: SLA downtime should all be 0s
    • Mnemonic 2: At 0 years you work in IT Support, at 7 years you work in Security Management
    • Mnemonic 3: 0s are for IT staff, 7s (as in Boeing 777) are for Security

  • ISO/IEC 27001 – Base.
  • ISO/IEC 27002 – Base lite (for gap analysis – fits like LEGO with 27001)

  • ISO/IEC 27001 – Base.
  • ISO/IEC 27017 – Base + Cloud.
  • ISO/IEC 27018 – Base + Cloud + PII. HIGH level of assurance.

  • ISO/IEC 27001 – Base.
  • ISO/IEC 27701 – Base + Privacy focus

  • ISO 17789:2014 – 56709 17789 is a go-to number for who must do what in the cloud. (condensed info).
  • ISO 22301:2019 – Business Continuity management. Just in time for COVID.
  • ISO 27036 – Supply Chain Risk Management (SCM/SCRM) for ISO 27001 users.

ISO RMF

  • ISO 31000 – Overall/general RMF
    • ISO 27000-5 – InfoSec RMF

CRS

  • OWASP CRS – Managed best firewall practices

Configuration Management

  • Variable – one value for a configuration parameter
  • Template – Template. template with many {{variables}} => CI.
  • CI – Configuration Item – configuration for one app
  • CMDB – Collection of CIs (Configuration Items) – configuration for many apps.

  • CMB – Configuration Management Board (not baseline)

Guessed Configuration Management (CM) Steps

  1. Asset inventory.
  2. Create baseline.
  3. Establish a CMB board (like CAB).
  4. Deploy baselined assets.
  5. Document approved deviations (if needed).

Terms

  • VPC – Virtual Private Cloud – cloud 'VLAN/intranet' area
  • RDM – Release & Deployment Management (plan/policy)
  • Virtual Client ≈ VDI

Cloud forensic eDiscovery standards

  • CSA Domain 3 – Legal concerns: security, privacy, SLAs.
  • NIST IR 8006 – Guidance on DFIR in the cloud.

ISO

  • ISO/IEC 27037 – Initial: Identify, Collect, Preserve e-evidence (Digital Forensics)
  • ISO/IEC 27050 – eDiscovery

IAPP

  • ISO/IEC 27041 – Investigate
  • ISO/IEC 27042 – Analyze (evidence)
  • ISO/IEC 27043 – Principles & Processes

IAPP – Investigate, Analyze, Principles&Processes

DF-IAPP
37-1233

Another meaning of IAPP.

Also, IAPP – International Association of Privacy Professionals. Another acronym found in CCSP, about similar topics. So, privacy=IAPP. eDiscovery=IAPP.

Legal

  • CLOUD Act 2018 – FBI can access CLOUD even outside the U.S. (in conflict with GDPR)

SOC

  • Sentiment Analysis – AI + ML to gain people's Sentiment on social media (Cambridge Analytica targeted Sentiment to Donald Trump)

Problem vs Incident

Trick: Replace "Problem" with "Bad Driver".

Bad Drivers are a Problem – car crashes as a result of their driving are Incidents

All problems bad drivers potentially cause incidents, but not all bad drivers result in incidents.

Trick 2: My boyfriend is a walking problem! He'll eventually beat me down.

ITILv4

(This is optional knowledge, but commonly referenced)

Availability Management

  1. Designing services for Availability
  2. Availability Testing
  3. Availability Monitoring and Reporting

IR

Is to Recover

Capacity and Performance Management

Highway
Manage highways & their components!

Continual Service Improvement (CSI)

  • Process Owner ≈ Data Owner
  • Process Architect ≈ Data Custodian
  • CSI ManagerMid-level managers who just ensure ITSM (clue: mid-level managers are suckers for fancy job titles)

Service-level Management (SLM)

  1. Identification service requirements
  2. Agreement sign-off and service activation
  3. Service-level monitoring and reporting
  4. Maintenance of SLM framework

Disaster Recovery Management

  • ITIL "recovery plan" – Detailed master plan for BCP/DRP, can also include data restoration to RPO.
  • BCP Strategy – Strategy for business (functions)
  • IT Service Continuity – Specific cases continuity plan (i.e., if a specific host failed)
  • BCP Invocation Guidelines – Invocation

Vulnerability Scanning Requirements from CSP

  1. Only scan your internal systems
  2. Don't impact other customers
  3. Date and time – for detailed scanning

ISO 20000-1 → Capacity Management

Capacity management of YOUR:

  • Business
  • Service
  • Component

Domain 6

Laws

  • Stored Communications Act (SCA) 1986 – Stored Communications (Discord, email) are private communications. Dated, but in force.
  • GAPP – U.S. Optional (gapped) GDPR
  • Privacy Shield – DEAD privacy partnership between the US and EU (For CCSP OPT – still alive)

3rd party organizations and standards

  • BICSI – like SCSI – cables organization

NERC/CIP
Electro NERD
  • NERC/CIP – Electro NERD (and simp)

Compliance

  • SAS 70 – outdated like the 70s SOC 1
  • SSAE 16 – outdated SSAE 18
  • AICPA (USA) → SSAE → SOC (1/2/3)
  • IAASB (EU) → ISAE → ISAE 3402
  • ISAE ≈ SSAE
  • ISAE 3402 ≈ SSAE SOC 2
  • FedRAMP – Federally screened CSPs for being RAMPs

CSA

CSA → STAR

CSA STAR – for CSPs. Lightweight assurance method used by CSP, customer, auditor, consultant.

CSA STAR Levels,
  1. Self-assessment (internal audit, low assurance)
  2. Third-party audit (external audit, high assurance)
  3. Continuous auditing

CSA STAR – SEC (Self, External, Continuous)

ISMS vs IISCS

  • ISMS – Identify and monitor risk
  • IISCS – Mitigate risk

Trick: ISMS is a radar that sends SMS, IISCS is a fighter jet with 2 I-shaped harpoon rockets and 2 S-shaped hooks.

ISMS IISCS
ISMS IISCS

Risk

  • Profile – Risks (profiles) that stand up to the organization.
  • Posture – How well organization holds (poses) against risks.
  • Appetite = Tolerance – How hungry is the organization to take more risk.
  • Treatment = Management

GDPR Roles

  • Data Protection Officer (DPO) – Mandatory compliance officer
  • Data Controller = Data Owner (controls data life)

Business Agreements

Master-Slave

  • MSA – Master Services Provided. Masters of Airlines.
  • SOW – Slave (small) Jobs Worked-on.
  • MOU – Completely different beast – Confirms understanding of each-other's "moo" (talk).
  • SLA – Performance Expected
  • OLA – Like Windows OLE (internal, under-the-hood) – under-the-hood 'SLA' internal agreement between (C)SP and its brokers.
  • NDA – Confidential clauses (SLA is not suitable)
  • BPA – BiPlane Joint-Venture agreement

Vendor – sticky situations

  • Viability – Vendor may die like Viacom
  • Lock-in – Proprietary infrastructure forces you to stay with vendor
  • Lock-out – cannot access living vendor. Can also sometimes mean "Viability".

Other

  • PIA – like BIA – Privacy impact analysis.
  • Doctrine of Proper Law – properly defines jurisdiction of law applied in a case

Domain 7 (meta-domain)

7

CSA

CSA

  1. CSA Cloud Controls Matrix (CCMv4) – Cloud Risk Management framework by CSA, mapped to trusted organizations&frameworks like ISO, ISACA, PCI. Simplify regulatory compliance with CSA's prime product!
    • Mouthful Trick: ISACA has CISM, CSA has ISACA in CCM
  2. CSA "Egregious 11" – Top cloud threats
  3. CSA Checklists – VERY SAFE baseline guides
  4. CSA CIR – Cloud IR framework by CSA. Based on NIST 800-61.
  5. CSA Domain 3: Legal Issues – Security guidance of legal issues
  6. CSA STAR – Lightweight compliance standard. Level 1 – Internal audit. Level 2 – External audit.
  7. CSA CAIQ – Consensus Assessment Initiative Questionnaire – optional IQ questions to access CSP Security

Comparisons

  • anti-DDoS: CDN > CSP's anti-DDoS capabilities
  • API anti-DDoS: API Gateway > IPS [API Gateway can help understand DDoS traffic]
  • anti-DDoS: Authentication > Scale
  • AuthN of (cloud) hosts: Host digital certificates
  • SSO – One org (+IDaaS); Federation – 2+ orgs.

IaaS, PaaS, SaaS

IPS logo
IPS
IPS - IaaS, PaaS, SaaS
  • IaaS – Many hosts Infrastructure. Best if your app really requires complex infrastructure (such as 5 databases, 10 firewalls, etc).
  • PaaS – One host. Best if: your app can run on 1 host, and you are concerned about: liability, security, time, and money wasted configuring code and infrastructure. PaaS is much more liability-optimal than IaaS. PaaS is the easiest to administer. PaaS your code – so IaC is PaaS.
  • SaaS – Service. Service is the most affordable, has least liability to the customer and the cheapest, but it takes time to configure code to work with SaaS and cloud.

Finally,

  • FaaS – serverless (fatherless) IaC, cheaper and simpler than PaaS.