2022 FRSecure CISSP Mentor Program - 2022 - Class Ten

#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION ONE

INTRODUCTION

2022
Class #10 – Domain 7
Evan Francen
Evan Francen – FRSecure and SecurityStudio Co-Founder & CEO

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 1

I’M BACK!
Lucky you…

UGH! Again?!


INTRODUCTION
Agenda
• Welcome, Reminders, & Introduction
• Questions
• Domain 7 – Security Operations (pp. 463 - Kindle)

Only 15 sections to cover in this most excellent domain…


FRSECURE CISSP MENTOR PROGRAM LIVE STREAM
THANK YOU!
Quick housekeeping reminder.
• The online/live chat that’s provided while live streaming on YouTube
is for constructive, respectful, and relevant (about course content)
discussion ONLY.
• At NO TIME is the online chat permitted to be used for disrespectful,
offensive, obscene, indecent, or profane remarks or content.
• Please do not comment about controversial subjects, and please NO
DISCUSSION OF POLITICS OR RELIGION.
• Failure to abide by the rules may result in disabling chat for you.
• DO NOT share or post copyrighted materials (e.g., a PDF of the book).


GETTING GOING…
Managing Risk!

Study Tips:
• Study in small amounts frequently (20-30 min)
• Flash card and practice test apps help
• Take naps after heavy topics (aka Security Models)
• Write things down, say them out loud
• Use the Slack Channels
• Exercise or get fresh air in between study sessions

We’re through Chapters 1, 2, 3, and part way into Chapter 4!
Check-in. How many have read Chapter 1, 2 & 3? Questions?

Stick with it. You’ll be glad you did. I promise.



GETTING GOING…
THANK YOU!
• Christophe – GREAT job Monday on Domain #6 -
Security Assessment and Testing!
• Ryan is keeping us ready with all the live streamy
techy stuff!
• Ron is still EL MEJOR PROFESOR! Answering
questions ALL DAY.
• Brandon Matis running things and things.
• Many unsung FRSecure heroes doing heroey
things.


QUESTIONS.
How about some practice ones?
1. What is the essential difference between a self-
audit and an independent audit?
a. Tools used
b. Competence
c. Results
d. Objectivity

2. Which of the following is the process of
repeating a portion of a test scenario or test plan
to ensure that changes in information system
have not introduced any errors?
a. Black box testing
b. Pilot Testing
c. Parallel Test
d. Regression Testing

3. What would a significant benefit be from
conducting an unannounced penetration test?
a. The pen test would be a more realistic analysis of the
target network
b. The security analyst could not provide an honest analysis
c. It is best to catch critical infrastructure unpatched
d. Network security would be in a "best state" posture

4. Which of the following answers represents part
of the attack phase of a penetration test?
a. Getting the legal documents signed
b. Active or Passive Reconnaissance
c. Escalate Privileges
d. Removing all tools and exploits

5. Which well-known model is used for
understanding the maturity level of a process?
a. The Zachman Framework
b. CMM - Capability Maturity Model
c. HIPAA
d. PCI-DSS

6. What would you call a collection of tools that allow
enterprises to continually and consistently simulate the
full attack cycle (including insider threats, lateral
movement, and data exfiltration) against enterprise
infrastructure, using software agents, virtual machines,
and other means?
a. The Pandora toolbox
b. Advanced Persistent Threats
c. Such a collection of tools does not exist
d. Breach & Attack Simulation

7. Organizations should not view disaster recovery
as which of the following?
a. Committed expense
b. Enforcement of legal statutes
c. Compliance with regulations
d. Discretionary expense

8. What is a common way of preventing users from
running code that has been altered or corrupted
since it was originally approved and installed?
a. Software Accreditation
b. IDEA - International Data Encryption Algorithm
c. Code Signing
d. Code Hashing

9. Which answer is generally not associated with a
resource exhaustion attack?
a. Teardrop Attack
b. Fork Bomb
c. Smurf Attack
d. Memory Leak

10. What process can tell an executive manager
about the state of the organization's security
program?
a. Internal Risk Assessment
b. A Security Audit
c. Change Control Processes
d. Security Incident Logs

There! 10 outta 10.


INTRODUCTION
Agenda
Domain 7 – Security Operations (pp. 463 - Kindle)
• 7.1 - Understand and comply with investigations
• 7.2 - Conduct logging and monitoring activities
• 7.3 - Perform Configuration Management (CM) (e.g., provisioning, baselining, automation)
• 7.4 - Apply foundational security operations concepts
• 7.5 - Apply resource protection
• 7.6 - Conduct incident management
• 7.7 - Operate and maintain detective and preventative measures
• 7.8 - Implement and support patch and vulnerability management

• 7.9 - Understand and participate in change management processes
• 7.10 - Implement recovery strategies
• 7.11 - Implement Disaster Recovery (DR) processes
• 7.12 - Test Disaster Recovery Plans (DRP)
• 7.13 - Participate in Business Continuity (BC) planning and exercises
• 7.14 - Implement and manage physical security
• 7.15 - Address personnel safety and security concerns


Alright, piece of cake.

Hold up a second though…

DAD JOKE…
If you don’t like it, it’s Brad’s fault!

How many tickles does it take to make an octopus laugh?
Ten Tickles!
You get it right?!
Ten tickles, like tentacles.
Octopuses have tentacles! LOL!
NO?
Whatever…


DOMAIN 7 – SECURITY OPERATIONS


Introduction
Security operations is about day-to-day operations
and maintenance of the information security
program.
• Also known as “SecOps”.
• If information security is “risk management”,
SecOps is continual risk management.
• Take all the things you’ve learned so far and
operationalize them.
• …and a little more.


DOMAIN 7 – SECURITY OPERATIONS


Understand and comply with investigations
Topics include:
• Evidence collection and handling
• Reporting and documentation
• Investigative techniques
• Digital forensics tools, tactics, and procedures
• Artifacts (e.g., computer, network, mobile device)

It’s important to get this right. A CISSP isn’t expected to be a DFIR expert, but they must know the basics.

DOMAIN 7 – SECURITY OPERATIONS


Understand and comply with investigations
Evidence Collection and Handling
• Evidence supports an assertion or proposition.
• The better the evidence, the better the support.
• There are four types of evidence by which facts can be proven
or disproven at trial:
• Real evidence;
• Demonstrative evidence;
• Documentary evidence; and
• Testimonial evidence.

https://www.findlaw.com/criminal/criminal-procedure/real-and-demonstrative-evidence.html

DOMAIN 7 – SECURITY OPERATIONS


Understand and comply with investigations
Evidence Collection and Handling
Real Evidence
• Often called physical evidence: material items involved in a case,
objects and things a jury can physically hold and inspect. Examples
of real evidence include fingerprints, blood samples, DNA, a knife,
a gun, and other physical objects.
• Usually admitted because it tends to prove or disprove an
issue of fact in a trial.
• In order to be used at trial, real evidence must be
relevant, material, and authentic. MUST establish the
item's chain of custody.


DOMAIN 7 – SECURITY OPERATIONS


Understand and comply with investigations
Evidence Collection and Handling
Demonstrative Evidence
• Usually charts and diagrams, to demonstrate or illustrate
the testimony of a witness.
• It's admissible when it fairly and accurately reflects the
witness's testimony and is more probative than
prejudicial. Maps, diagrams of a crime scene, charts and
graphs that illustrate physical or financial injury to a
plaintiff are examples of demonstrative evidence.
• Witnesses create and use demonstrative evidence at trial
and opposing counsel may use the same evidence to
prove contrary positions.

DOMAIN 7 – SECURITY OPERATIONS


Understand and comply with investigations
Evidence Collection and Handling
Documentary Evidence
• The production of documents at trial is documentary
evidence.
• Presented to prove or disprove certain allegations at trial.
• Documents can come from a vast number of sources: diaries, letters,
contracts, newspapers, and any other type of document you can
think of.
• There are restrictions and qualifications for using
documents at trial as there is a need to make sure they
are authentic and trustworthy.


DOMAIN 7 – SECURITY OPERATIONS


Understand and comply with investigations
Evidence Collection and Handling
Testimonial Evidence
When a person gets up on the stand at trial and relates
something that they saw or heard, that is testimonial
evidence. It is simply a witness giving testimony under oath
about the facts of the case.

OK, back to our regularly scheduled programming…


DOMAIN 7 – SECURITY OPERATIONS


Understand and comply with investigations
Collecting Digital Evidence
• The integrity of the evidence is CRITICAL!
• Rule of Thumb – IF YOU’RE GOING TOO FAST TO DOCUMENT
EVERYTHING, THEN YOU’RE GOING TOO FAST.
• Document dates, times, physical locations, logical locations,
all actions that were taken, observations, etc. TIP: Take
pictures too.
• NEVER tamper with original versions of anything. ALWAYS
write-block, make bit-level copies, and investigate on the copies.
TIP: Make two copies and store the original safely.

I prefer hardware write-blockers.


DOMAIN 7 – SECURITY OPERATIONS


Understand and comply with investigations
Handling Digital Evidence
• Did I mention integrity?!
• Every second must be accounted for from the second you
encounter evidence until you no longer have any contact
with the evidence.
• Chain of Custody must be maintained.
• A well-known standard: ISO/IEC 27037:2012, “Information
technology – Security techniques – Guidelines for
identification, collection, acquisition and preservation of
digital evidence”

I’ll post a copy for your reading enjoyment. We like giving away free stuff!

Here’s another good resource:
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-86.pdf
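As an added example, not from the slides or from FRSecure: a small Python chain-of-custody record that hashes the acquired bit-level image, checks that each working copy is bit-for-bit identical to it, and links every custody entry to the previous one so that a later edit to the record is detectable. The item id, analyst names, timestamps and the sample image bytes are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

GENESIS = "0" * 64  # link value used by the first custody entry


def sha256_hex(data: bytes) -> str:
    """Hash of the acquired bit-level image; every later copy is compared to it."""
    return hashlib.sha256(data).hexdigest()


def _entry_digest(body: Dict) -> str:
    """Canonical JSON so the same fields always hash the same way."""
    return sha256_hex(json.dumps(body, sort_keys=True).encode("utf-8"))


class CustodyLog:
    """Append-only chain-of-custody record for one evidence item.

    Each entry commits to the previous entry's digest, so an edited, dropped
    or reordered entry is detectable when the record itself is challenged.
    """

    def __init__(self, item_id: str, description: str, reference_image: bytes):
        self.item_id = item_id
        self.description = description
        self.reference_hash = sha256_hex(reference_image)  # taken once, at acquisition
        self.entries: List[Dict] = []

    def record(self, action: str, handler: str, location: str, note: str = "",
               timestamp: Optional[str] = None) -> Dict:
        """Document who did what, where and when (UTC ISO-8601 timestamp)."""
        body = {
            "seq": len(self.entries),
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "item_id": self.item_id,
            "item_hash": self.reference_hash,
            "action": action,
            "handler": handler,
            "location": location,
            "note": note,
            "prev_entry_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry = dict(body, entry_hash=_entry_digest(body))
        self.entries.append(entry)
        return entry

    def verify_copy(self, copy: bytes) -> bool:
        """A working copy is usable only if it is bit-for-bit identical to the original."""
        return sha256_hex(copy) == self.reference_hash

    def verify_log(self) -> bool:
        """Recompute every link; False if any entry was altered, dropped or reordered."""
        prev = GENESIS
        for seq, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["seq"] != seq or body["prev_entry_hash"] != prev:
                return False
            if _entry_digest(body) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def acquisition_scenario() -> Dict[str, bool]:
    """Constructed walk-through: one original, two copies, one copy later
    corrupted, then an after-the-fact edit to the custody record."""
    original = b"\x55\xaa" * 8 + b"constructed sample disk image" + b"\x00" * 64
    copy_a = bytes(original)
    copy_b = bytearray(original)

    log = CustodyLog("EV-001", "Laptop SSD (serial: PLACEHOLDER)", original)
    log.record("acquired", "Analyst A", "Office 2B", "hardware write-blocker used",
               "2022-06-01T14:02:00+00:00")
    log.record("imaged", "Analyst A", "Forensic lab", "two bit-level copies made",
               "2022-06-01T15:40:00+00:00")
    log.record("transferred", "Analyst B", "Evidence safe 3",
               "original sealed; copies retained for analysis",
               "2022-06-01T17:05:00+00:00")

    copy_b[20] ^= 0x01  # a single flipped bit in the second working copy
    results = {
        "copy_a_ok": log.verify_copy(copy_a),
        "copy_b_ok": log.verify_copy(bytes(copy_b)),
        "log_ok": log.verify_log(),
    }
    log.entries[1]["handler"] = "Analyst C"  # someone rewrites the record afterwards
    results["log_after_edit_ok"] = log.verify_log()
    return results


if __name__ == "__main__":
    for name, ok in acquisition_scenario().items():
        print(f"{name}: {ok}")
```

In practice the reference hash and each log entry would be written to a separately protected store (or printed and signed) at acquisition time, since a log kept only on the analyst workstation protects against accidents, not against a determined editor.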

DOMAIN 7 – SECURITY OPERATIONS


Understand and comply with investigations
Reporting and Documentation
• Again, document EVERYTHING.
• As much as possible, avoid subjective interpretations and space for
subjective interpretations.
• As much as possible, ensure evidence is admissible (even if you’re
not sure that your evidence will be presented in court).


DOMAIN 7 – SECURITY OPERATIONS


Understand and comply with investigations
Reporting and Documentation
Admissibility of Evidence:
• Accuracy – lacking errors.
• Authenticity – undisputed origin.
• Comprehensibility – paint as much of the picture as possible.
• Convincing – certainty in conclusions.
• Objective – what the evidence says, not what you say. Facts
versus opinions.
• Admissible – for the court in question.

Seek advice from legal counsel, law enforcement, or other investigative
professionals to ensure evidence you collect, handle, and prepare is
adequate.

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 59
#MissionBeforeMoney
CISSP® MENTOR PROGRAM – SESSION TEN

DOMAIN 7 – SECURITY OPERATIONS


Understand and comply with investigations
Reporting and Documentation
https://www.law.cornell.edu/wex/admissible_evidence
Admissibility of Evidence:
• Accuracy – lacking errors.
Seek advice from legal counsel, law
• Authenticity - undisputed origin.
enforcement, or other investigative
• Comprehensibility – paint as much of the picture as
possible. professionals to ensure evidence you
• Convincingcollect,
– certaintyhandle, and prepare is
in conclusions.
• Objective – adequate
what the evidence says, not what you say. Facts
versus opinions.
• Admissible – for the court in question.

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 60
Understand and comply with investigations
Reporting and Documentation
https://www.law.cornell.edu/wex/admissible_evidence
https://www.law.cornell.edu/rules/fre/rule_802
Admissibility of Evidence:
• Accuracy – lacking errors.
• Authenticity – undisputed origin.
• Comprehensibility – paint as much of the picture as possible.
• Convincing – certainty in conclusions.
• Objective – what the evidence says, not what you say. Facts versus opinions.
• Admissible – for the court in question.

Seek advice from legal counsel, law enforcement, or other investigative professionals to ensure evidence you collect, handle, and prepare is adequate.
Understand and comply with investigations
Investigative Techniques
Four main techniques
• Data capture – manual and automatic capture.
• Interviews – ideally from someone who was a witness to an incident or a person with first-hand knowledge of the incident.
• Interrogations – usually done by law enforcement following stringent rules.
• External requests – usually warrants and subpoenas.

Let the evidence draw your conclusions. If the evidence isn’t available (coming later), you may not be able to draw conclusions. When in question, leave it to the experts.
Understand and comply with investigations
Digital Forensics Tools, Tactics, and Procedures
Forensics investigators (the good ones) have a “jumpbag” with their tools ready to use.
https://www.linkedin.com/pulse/cyber-security-incident-handlers-jump-bag-jean-francois-stenuit/
Write blockers and drive imagers
Designed to allow examination or imaging of a storage device, typically a hard drive, without writing any data to the storage device, which would violate the integrity of the evidence.
Faraday containers
Protects evidence from electromagnetic interference.
Video and audio recording tools
I’ve heard it in court before, “video doesn’t lie”. Might be sorta true, but video and audio can be very compelling. Can save a lot of time during an investigation too.

In general, secure the physical “crime scene” first.
• Network traffic analysis tools – Wireshark (and similar) for pcap and analysis.
• Log analysis tools – SIEM (and similar) to reconstruct events across systems and for context.
• Data recovery tools – file recovery for things deleted or overwritten.
• Virtual machines – useful for rebuilding (isolated) environments.
• Code analysis tools – decompilers and reverse-engineering software.
• Hashing tools – integrity verification.
• Toolkits – software suites specifically designed for forensic investigations.
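As an added example (not from the slides or the program's materials), this is what the "hashing tools" bullet looks like in practice: an acquisition manifest that records a streamed SHA-256 for each evidence image with a UTC timestamp, then re-verifies it later so that any write to the media (the event a write blocker exists to prevent) is detected. The image file name and the examiner label are constructed placeholders.

```python
"""Evidence integrity manifest: hash an acquired image, record it, re-verify later.

Added example for the "hashing tools" bullet; not course material. Digests are
computed in fixed-size chunks so multi-gigabyte images never have to fit in RAM.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB per read keeps memory flat on large images


def hash_file(path, algorithm="sha256"):
    """Hex digest of a file, streamed chunk by chunk."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths, examiner):
    """One record per file: name, size, digest, UTC acquisition time, who acquired it."""
    return [
        {
            "file": os.path.basename(p),
            "size": os.path.getsize(p),
            "sha256": hash_file(p),
            "acquired_utc": datetime.now(timezone.utc).isoformat(),
            "examiner": examiner,
        }
        for p in paths
    ]


def verify_manifest(entries, directory):
    """Re-hash every listed file; a missing file or a changed byte yields False."""
    results = {}
    for entry in entries:
        path = os.path.join(directory, entry["file"])
        if not os.path.isfile(path):
            results[entry["file"]] = False
            continue
        results[entry["file"]] = (
            os.path.getsize(path) == entry["size"]
            and hash_file(path) == entry["sha256"]
        )
    return results


def demo():
    """Constructed scenario: the image verifies, then one altered byte is caught.

    Returns (verified_before, verified_after)."""
    with tempfile.TemporaryDirectory() as workdir:
        # "disk01.dd" is a constructed placeholder image, not a real acquisition.
        image = os.path.join(workdir, "disk01.dd")
        with open(image, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"sample sector data" + b"\xff" * 4096)

        manifest = build_manifest([image], examiner="examiner-placeholder")
        before = verify_manifest(manifest, workdir)

        # Simulate what a missing write blocker allows: a single byte gets written.
        with open(image, "r+b") as fh:
            fh.seek(10)
            fh.write(b"\x01")
        after = verify_manifest(manifest, workdir)

    return before["disk01.dd"], after["disk01.dd"]


if __name__ == "__main__":
    print(demo())  # (True, False)
```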
Techniques and Procedures
• Digital forensics is a specialized skill.
• Strict procedures should be prepared ahead of time and followed for conducting a forensic investigation.
• Either part of an incident response (IR) plan or a supplement to an IR plan.
• Documented standards for the collection, handling, and investigation of digital evidence include ISO 27041, 27042, 27043, and 27050.
• SANS – https://www.sans.org/posters/?focus-area=digital-forensics
• NIST Computer Forensics Tool Testing Program (CFTT) site: nist.gov/itl/ssd/software-quality-group/computer-forensics-tool-testing-program-cftt
Techniques and Procedures (generic procedure steps in book)
1. Define priorities
2. Identify data sources
3. Plan to collect data and execute
4. Document and preserve integrity
5. Look for hidden or erased data
6. Perform analysis

In reality, you are performing analysis continually (so this is not serial). ALWAYS let the evidence (and logic) lead the investigation. Do NOT make assumptions wherever it can be avoided.
Cloud-Specific
Understand and comply with investigations
Artifacts
Locard’s Principle
Artifacts – Computers (Sources)
Specifics matter.
Windows
Logs (Event Viewer and others), Recycle Bin, Registry, etc.
Apple macOS
Logs (Console and others), Trash, Time Machine, property list (PLIST) files.
Linux
/usr folder, /tmp (volatile temporary files), /var (caches, log files, and information about currently running processes).
Browsers
Cache, history, cookies, etc.
Local Storage
File remnants, deleted files, file movement, etc.
Cloud Storage
Not unlike local storage, but investigators typically don’t have the same level of access; therefore, requests are made informally and/or formally of cloud providers.
Artifacts – Network (Sources)
Specifics matter.
NetFlow
Collect IP network traffic as it enters or exits interfaces. A network administrator can determine the source and destination of traffic, class of service, data types, etc.
Packet analysis (pcap)
Captures details about communications and the data itself.
Known bad traffic (block list)
C2 traffic, known malicious sites, etc. This one is big for IoCs.
Network device log files
Artifacts – Mobile Devices (Sources)
• Apple's iOS and Google's Android (mostly
• Mobile device encryption is a significant challenge.
• Cellular, WiFi, Bluetooth, and NFC are unique forensic opportunities requiring additional skill.
• Apple's Find My and Google's Find My Device allow a lost or stolen phone to be remotely locked or wiped, which destroys vital evidence.
CONDUCT LOGGING AND MONITORING ACTIVITIES
We CANNOT prevent all bad things from happening, so we MUST be able to detect and respond.
Intrusion Detection and Prevention
• Detection detects (passive), Prevention prevents (active).
• Network-based and host-based.
• NIDS – network-based intrusion detection.
• NIPS – network-based intrusion prevention.
• HIDS – host-based intrusion detection.
• HIPS – host-based intrusion prevention.
• Best used at crucial network chokepoints, such as between the demilitarized zone (DMZ) and internal networks or between a VPN terminator and an internal network.

False positives and false negatives must be handled carefully. Called “tuning”.
Security Information and Event Management (SIEM)
• Centralization – centralizing log files keeps them organized and protects them.
• Normalization – logs from different systems come in different formats; a standardized format must be used for correlation and comparison.
• Correlation and detection – incidents often span systems, so logs/activities must be correlated for detection.
• Alerting – specific events and/or incidents can be configured to alert administrators.

IMPORTANT:
• Garbage in/Garbage out.
• SIEM operates on rules, so the rules must be set correctly.
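Added example (not from the course slides) showing the four SIEM functions on the slide working together: constructed log lines in three formats (Linux syslog, a Windows security-event export, a JSON application log) are normalized to one schema with UTC timestamps, failures are correlated per source IP across systems, and a threshold rule raises the alert. The IMPORTANT point is visible too: an unparseable line is reported as dropped instead of silently lost, and the threshold is the rule that has to be set correctly. All hosts, users, and addresses are constructed.

```python
"""Minimal SIEM pipeline over constructed logs: centralize, normalize, correlate, alert.

Added example, not from the course slides. Hosts, users, addresses and the three log
formats are constructed samples; every event is normalized to one schema with a UTC
timestamp so records from different systems can be compared and correlated.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

RAW_EVENTS = [  # centralized raw feed, as a collector would receive it (constructed)
    # Linux sshd via syslog: no year in the timestamp, so one is assumed below
    "Mar 14 02:10:01 web01 sshd[4312]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Mar 14 02:10:04 web01 sshd[4312]: Failed password for admin from 203.0.113.7 port 51030 ssh2",
    # Windows Security log exported as key=value (4625 = failed logon, 4624 = success)
    "2024-03-14T02:10:09Z host=dc01 EventID=4625 TargetUserName=svc_backup IpAddress=203.0.113.7",
    "2024-03-14T02:10:20Z host=dc01 EventID=4624 TargetUserName=jdoe IpAddress=198.51.100.20",
    # Web application audit trail, one JSON object per line
    '{"time":"2024-03-14T02:10:15+00:00","app":"portal","user":"root","ip":"203.0.113.7","result":"denied"}',
    '{"time":"2024-03-14T02:10:18+00:00","app":"portal","user":"root","ip":"203.0.113.7","result":"denied"}',
    # A line no parser understands: garbage in must stay visible, never silently vanish
    "corrupted ## line from a misconfigured forwarder",
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\s?\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_syslog(line, year=2024):  # year is assumed: classic syslog omits it
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    stamp = f"{year} {m['mon']} {m['day'].strip()} {m['time']}"
    ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": m["host"], "user": m["user"], "src_ip": m["ip"],
            "outcome": "failure" if m["outcome"] == "Failed" else "success", "source": "sshd"}


def parse_windows(line):
    parts = line.split()
    if len(parts) < 2 or not parts[0].endswith("Z"):
        return None
    kv = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if "EventID" not in kv:
        return None
    return {"ts": datetime.fromisoformat(parts[0].replace("Z", "+00:00")),
            "host": kv.get("host", "?"), "user": kv.get("TargetUserName", "?"),
            "src_ip": kv.get("IpAddress", "?"), "source": "windows",
            "outcome": "failure" if kv["EventID"] == "4625" else "success"}


def parse_json(line):
    try:
        obj = json.loads(line)
    except ValueError:
        return None
    return {"ts": datetime.fromisoformat(obj["time"]).astimezone(timezone.utc),
            "host": obj["app"], "user": obj["user"], "src_ip": obj["ip"], "source": obj["app"],
            "outcome": "failure" if obj["result"] == "denied" else "success"}


def normalize(raw_lines):
    """Try each parser in turn; return (time-sorted events, lines nobody could parse)."""
    events, dropped = [], []
    for line in raw_lines:
        for parser in (parse_syslog, parse_windows, parse_json):
            event = parser(line)
            if event:
                events.append(event)
                break
        else:
            dropped.append(line)
    return sorted(events, key=lambda e: e["ts"]), dropped


def correlate_auth_failures(events, threshold=3, window=timedelta(seconds=60)):
    """Rule: at least `threshold` failures from one source IP within `window`, counted
    across every system. `threshold` is the clipping level that must be set correctly:
    too high and the burst is missed, too low and analysts drown in alerts."""
    failures = defaultdict(list)
    for ev in events:
        if ev["outcome"] == "failure":
            failures[ev["src_ip"]].append(ev)
    alerts = {}
    for ip, evs in failures.items():
        for i, start in enumerate(evs):  # evs are already time-sorted
            run = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            if len(run) >= threshold:
                alerts[ip] = {"count": len(run),
                              "sources": sorted({e["source"] for e in run}),
                              "users": sorted({e["user"] for e in run})}
                break
    return alerts


def run_pipeline(threshold=3):
    """Normalize RAW_EVENTS and apply the rule; returns (events, dropped, alerts)."""
    events, dropped = normalize(RAW_EVENTS)
    return events, dropped, correlate_auth_failures(events, threshold=threshold)


if __name__ == "__main__":
    evs, bad, found = run_pipeline()
    print(f"{len(evs)} events normalized, {len(bad)} dropped")
    print(json.dumps(found, indent=2))
```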
Continuous Monitoring
• Information Security Continuous Monitoring (ISCM).
• Steps to establish, implement, and maintain ISCM:
  • Define an ISCM strategy;
  • Establish an ISCM program;
  • Implement an ISCM program;
  • Analyze data and report findings;
  • Respond to findings; and
  • Review and update the ISCM strategy and program.
• A robust ISCM program thus enables organizations to move from compliance-driven risk management to data-driven risk management.
Egress Monitoring
• Firewalls (and other filtering devices) should not only be configured for ingress (inbound) traffic control and monitoring, but also egress (outbound).
• This identifies potential data exfiltration and C2 traffic.
• Data Loss Prevention (DLP) is largely built on the premise of egress filtering.
• DLP can also filter/alert on specific data patterns; XXX-XX-XXXX, XXXX XXXX XXXX XXXX, etc.
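As an added example (not from the slides), here is the egress check the last bullet describes, for the two patterns it names: XXX-XX-XXXX (US SSN) and XXXX XXXX XXXX XXXX (payment card number). A bare regex over-alerts, so each match is validated before it is reported, the same tuning concern raised for IDS. The outbound messages are constructed, and 4111 1111 1111 1111 is the well-known test card number, not a real account.

```python
"""DLP-style egress pattern check for SSN and payment card formats.

Added example, not course material. Regex finds candidates; structural rules
(SSN issuance ranges, Luhn check digit for cards) weed out false positives
before anything is blocked or alerted. All sample text is constructed.
"""
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(\d{4})[ -](\d{4})[ -](\d{4})[ -](\d{4})\b")


def luhn_ok(digits):
    """Luhn check digit; rejects random 16-digit strings such as order references."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area, group, serial):
    """SSA issuance rules: area never 000, 666 or 900-999; group never 00; serial never 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def scan_message(text):
    """Return validated findings as (kind, redacted_value) tuples; only the last 4 digits survive."""
    findings = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(("ssn", f"***-**-{m.group(3)}"))
    for m in CARD_RE.finditer(text):
        if luhn_ok("".join(m.groups())):
            findings.append(("card", f"**** **** **** {m.group(4)}"))
    return findings


def egress_decision(text, block_kinds=("card",)):
    """Policy hook: block on card data, alert-only on SSN, allow otherwise.

    Returns (action, findings) so the SIEM/DLP console sees why a decision was made."""
    findings = scan_message(text)
    if any(kind in block_kinds for kind, _ in findings):
        return "block", findings
    return ("alert", findings) if findings else ("allow", findings)


SAMPLE_OUTBOUND = [  # constructed outbound messages
    "Invoice 2024-0319 attached; order ref 1234 5678 9012 3456",   # fails Luhn -> allow
    "Card on file: 4111 1111 1111 1111, exp 12/27",                # passes Luhn -> block
    "Employee SSN 123-45-6789 for onboarding paperwork",            # plausible SSN -> alert
    "Placeholder SSN 000-12-3456 from the test fixture",            # impossible area -> allow
]

if __name__ == "__main__":
    for msg in SAMPLE_OUTBOUND:
        print(egress_decision(msg))
```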
Log Management
• Log strategy is critical.
  • Why are we logging?
  • What should we be logging?
  • Where should we be logging?
  • What should trigger alerts and response?
  • Etc., etc., etc.
• CIS Benchmarks, DoD STIGs, manufacturer documentation, and specific standards can/should all be leveraged.
Log Management – Define Auditable Events and Thresholds
• Log settings are/should be continually tuned.
• Important events to consider logging:
  • Successful and unsuccessful access attempts like system logins, file or data access, and application access
  • Changes to user permissions, especially escalation like using sudo or other admin privileges
  • Changes to or disabling security tools and settings like DLP
  • Copy or export of sensitive files
  • Sensitive data transactions performed in applications
• Important data to collect about the events:
  • User or process IDs
  • Timestamps, ideally in a standardized format like UTC or in a standardized time zone used by the whole organization
  • Device identifiers, hostname, IP address, or similar
  • Name of object(s) accessed, like filename or function
  • Policy identifiers that triggered the log event, such as a failed login, admin privilege use, or file deletion

DON’T forget to protect the log data, maintain it in compliance with data retention requirements, clipping levels, etc.
Threat Intelligence
Wikipedia has a good definition:
Cyber threat intelligence (CTI) is knowledge, skills and experience-based information concerning the occurrence and assessment of both cyber and physical threats and threat actors that is intended to help mitigate potential attacks and harmful events occurring in cyberspace. Cyber threat intelligence sources include open-source intelligence, social media intelligence, human intelligence, technical intelligence, device log files, forensically acquired data or intelligence from the internet traffic and data derived for the deep and dark web.
Threat Intelligence – Threat Feeds
• Information about threats learned from various sources, organized by industry, physical region, etc.
• Data can be used for threat hunting (looking for the specific threat in an environment) and for integration into other tools like DLP, SIEM, and SOAR.
• Commercially available (free and paid-for) threat feeds and several government-sponsored ones (mostly CISA in the United States and the Canadian Centre for Cyber Security).
• Industry-specific groups known as information sharing and analysis centers (ISACs) also offer threat information to their members.
Threat Intelligence – Threat Hunting
• Seeking threats/threat actors in an environment, based upon known and unknown threats.
• Human analysts and/or software agents.
• Within an organization, can be strategic, tactical, or operational.
• Outside of an organization, often done as part of security research, where a community of researchers share work and findings in the spirit of making everyone more secure.
• Details can be shared in social forums (blogs, conference talks, Twitter, etc.) and information like IoCs is integrated with security tools.
Dark Web/Deep Web
Dark web – content on non-publicly accessible networks requiring the use of special access methods like the Tor network.

Deep web – content accessible over the internet but not publicly exposed, such as online banking information, private social media feeds, and even content behind paywalls like news sites.
User and Entity Behavior Analytics (UEBA)
Extends an earlier cybersecurity practice – User Behavior Analytics, or UBA – which uses machine learning and deep learning to model the behavior of users on corporate networks and highlights anomalous behavior that could be the sign of a cyberattack.

Activities that deviate from expected activities (or baseline) are flagged as suspicious and can be used as an input to other security tools.
PERFORM CONFIGURATION MANAGEMENT
Also referred to as “CM”
The Theory:
• Start with a secure configuration, make only authorized and secure changes, then the asset is maintained in a secure state.
• Items under CM are called Configuration Items (CIs).
• CIs can be systems, endpoints, applications, etc.
• The “secure configuration” of a CI is called a baseline.
• Changes to the baseline must follow a formal change management process.
CI sounds sexier than “Asset”?
#MissionBeforeMoney
CISSP® MENTOR PROGRAM – SESSION TEN

DOMAIN 7 – SECURITY OPERATIONS


PERFORM CONFIGURATION MANAGEMENT
Also referred to as “CM”
Roles and responsibilities, how CM will work, etc. should be
documented in a Configuration Management Plan.
• Provisioning – setup and deployment of the secure
configuration (baseline).
• The CI must be entered into the asset inventory.
• Baseline, standard baselines include DISA STIGs, CIS
Benchmarks, and/or vendor-supplied configuration
information.

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 114
#MissionBeforeMoney
CISSP® MENTOR PROGRAM – SESSION TEN

DOMAIN 7 – SECURITY OPERATIONS


PERFORM CONFIGURATION MANAGEMENT
Also referred to as “CM”
Roles and responsibilities, how CM will work, etc. should be
documented in a Configuration Management Plan.
• Provisioning – setup and deployment of the secure
configuration (baseline).
• The CI must be entered into the asset inventory.
• Baseline, standard baselines include DISA STIGs, CIS
Benchmarks, and/or vendor-supplied configuration
information.

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 115
#MissionBeforeMoney
CISSP® MENTOR PROGRAM – SESSION TEN

DOMAIN 7 – SECURITY OPERATIONS


PERFORM CONFIGURATION MANAGEMENT
Also referred to as “CM”
Roles and responsibilities, how CM will work, etc. should be
documented in a Configuration Management Plan.
• Provisioning – setup and deployment of the secure
configuration (baseline).
• The CI must be entered into the asset inventory.
• Baseline, standard baselines include DISA STIGs, CIS
Benchmarks, and/or vendor-supplied configuration
information.

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 116
#MissionBeforeMoney
CISSP® MENTOR PROGRAM – SESSION TEN

DOMAIN 7 – SECURITY OPERATIONS


PERFORM CONFIGURATION MANAGEMENT
Also referred to as “CM”
Roles and responsibilities, how CM will work, etc. should be
documented in a Configuration Management Plan.
• Provisioning – setup and deployment of the secure
configuration (baseline).
• The CI must be entered into the asset inventory.
• Baseline – standard baselines include DISA STIGs, CIS
Benchmarks, and/or vendor-supplied configuration
information.

Insecure configurations are a VERY common cause of
vulnerabilities and incidents. Use automation where possible.

Maintain the secure configuration through strict change
management.
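What “automation where possible” looks like for a CI: a baseline drift check. The script below is an added example, not from the slides or any vendor tool. It treats one system’s sshd_config as the configuration item, compares the effective settings with an approved baseline, and reports every deviation so the result can feed change management or the detection tooling discussed earlier. The baseline values are constructed for illustration (they resemble CIS Benchmark / DISA STIG style settings but are not copied from either); the OpenSSH defaults are the ones documented in sshd_config(5).

```python
"""Configuration baseline drift check (added example; constructed data)."""

from dataclasses import dataclass
from typing import Dict, List

# Approved secure baseline for this CI (constructed, hypothetical values).
SSHD_BASELINE: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",
}

# What sshd uses when a directive is absent. A missing directive is not
# "compliant by silence": it is judged against its default.
SSHD_DEFAULTS: Dict[str, str] = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
    "LogLevel": "INFO",
}


@dataclass(frozen=True)
class Drift:
    directive: str
    expected: str
    actual: str
    source: str  # "config" if set explicitly, "default" if the directive is absent


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global directives with lower-cased keys.

    sshd honours the FIRST occurrence of a directive, so later duplicates
    are ignored, and directives after the first Match block are
    conditional rather than global, so parsing stops there."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        # "Keyword value" and "Keyword=value" are both accepted by sshd.
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def check_drift(config_text: str,
                baseline: Dict[str, str] = SSHD_BASELINE,
                defaults: Dict[str, str] = SSHD_DEFAULTS) -> List[Drift]:
    """Compare the effective configuration with the baseline; return deviations."""
    effective = parse_sshd_config(config_text)
    findings: List[Drift] = []
    for directive, expected in baseline.items():
        key = directive.lower()
        if key in effective:
            actual, source = effective[key], "config"
        else:
            actual, source = defaults.get(directive, "<unset>"), "default"
        if actual.lower() != expected.lower():
            findings.append(Drift(directive, expected, actual, source))
    return findings


# Constructed sample of a CI whose configuration has drifted.
SAMPLE_CONFIG = """\
# constructed sshd_config sample
Port 22
PermitRootLogin yes        # drift: explicitly set against the baseline
PasswordAuthentication no
MaxAuthTries 4
MaxAuthTries 10            # ignored: sshd keeps the first occurrence
# LogLevel not set -> default INFO, baseline wants VERBOSE
Match User backup
    PasswordAuthentication yes   # conditional, not global; ignored here
"""

if __name__ == "__main__":
    for d in check_drift(SAMPLE_CONFIG):
        print(f"DRIFT {d.directive}: expected {d.expected!r}, "
              f"found {d.actual!r} (from {d.source})")
```

Two design points matter in practice: a directive that is simply missing is compared against the daemon’s default rather than skipped, and the parser follows sshd’s first-occurrence rule, so an appended “MaxAuthTries 10” at the bottom of the file is correctly reported as having no effect.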

APPLY FOUNDATIONAL SECURITY OPERATIONS CONCEPTS
Need-to-Know/Least Privilege
Need-to-know and least privilege are often used
interchangeably, but they are different:
• Need-to-know is data-driven. Does the person/subject need to
know the information? This is asked regardless of whether the
person/subject already holds privileges.
• Least privilege is system-driven. Does the person/subject
need this level of access to perform an authorized job
function? Also called “minimum necessary access”.

APPLY FOUNDATIONAL SECURITY OPERATIONS CONCEPTS
Separation of Duties and Responsibilities (SoD)
Limits the potential for misuse of resources or malicious
activities by separating process steps among multiple
personnel.
The person requesting access must not be the same one
authorizing access and/or granting access.
• Dual control - A process that uses two or more separate
entities (usually persons) operating in concert to protect
sensitive functions or information.
• Two-person integrity - No single person can access an
asset, like a file or piece of equipment, without another
authorized individual present.
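The two preceding slides (need-to-know versus least privilege, and separation of duties in access requests) in working code. This is an added example, not from the slides or any product; the names, privilege strings and compartment labels are constructed. The request/approve/grant workflow enforces that the requester is neither the approver nor the granter, and the access decision shows that holding a privilege and having need-to-know are checked independently: either one can fail on its own.

```python
"""Need-to-know vs least privilege, with SoD in the request workflow
(added example; constructed data)."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


class SoDViolation(Exception):
    """One person attempted two steps that policy splits between people."""


@dataclass
class Subject:
    name: str
    # Least privilege is system-driven: the concrete abilities granted.
    privileges: Set[str] = field(default_factory=set)
    # Need-to-know is data-driven: compartments the subject is read into,
    # decided independently of whatever privileges they hold.
    need_to_know: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Resource:
    name: str
    compartment: str  # classification / compartment label on the data


@dataclass
class AccessRequest:
    requester: str
    subject: Subject      # the account that will receive the privilege
    privilege: str
    approver: Optional[str] = None
    granter: Optional[str] = None


def approve(req: AccessRequest, approver: str) -> None:
    """Authorization step: the requester may not approve their own request."""
    if approver == req.requester:
        raise SoDViolation(f"{approver} cannot approve a request they submitted")
    req.approver = approver


def grant(req: AccessRequest, granter: str) -> None:
    """Provisioning step: needs an approval on record, and the requester
    may not be the one who provisions the access either."""
    if req.approver is None:
        raise SoDViolation("cannot grant without a recorded approval")
    if granter == req.requester:
        raise SoDViolation(f"{granter} cannot grant a request they submitted")
    req.granter = granter
    req.subject.privileges.add(req.privilege)


def access_decision(subject: Subject, resource: Resource,
                    privilege: str) -> Tuple[bool, str]:
    """Both checks must pass, and either can fail on its own."""
    if privilege not in subject.privileges:
        return False, f"least privilege: {subject.name} lacks {privilege}"
    if resource.compartment not in subject.need_to_know:
        return False, f"need-to-know: {subject.name} not read into {resource.compartment}"
    return True, "permitted"


def demo() -> Dict[str, object]:
    """Run the workflow on constructed data; returns results for checking."""
    payroll = Resource("payroll-db", compartment="HR")
    alice = Subject("alice", need_to_know={"FINANCE"})   # will be granted db.read
    dave = Subject("dave", need_to_know={"HR"})          # HR-cleared, no db.read
    erin = Subject("erin", {"db.read"}, {"HR"})          # has both

    req = AccessRequest(requester="alice", subject=alice, privilege="db.read")
    try:
        approve(req, "alice")                # self-approval: blocked by SoD
        self_approval_blocked = False
    except SoDViolation:
        self_approval_blocked = True
    approve(req, "bob")                      # a different person authorizes
    grant(req, "carol")                      # a third person provisions

    return {
        "self_approval_blocked": self_approval_blocked,
        "granted_by": (req.approver, req.granter),
        "alice": access_decision(alice, payroll, "db.read"),  # privilege, no need-to-know
        "dave": access_decision(dave, payroll, "db.read"),    # need-to-know, no privilege
        "erin": access_decision(erin, payroll, "db.read"),    # both -> permitted
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note that alice ends up with the db.read privilege but is still denied the payroll data: privilege answers the system-driven question, need-to-know answers the data-driven one, and the slide’s point is that passing one says nothing about the other.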

APPLY FOUNDATIONAL SECURITY OPERATIONS CONCEPTS
Privileged Account Management (PAM)
• Privileges, often called permissions, are the abilities a user is
granted on a system.
• Privileged accounts (those with “elevated” privileges) require
additional rigor during the access management lifecycle,
such as more frequent reviews, MFA, limited use, etc.
• Provisioning, Use, Review, and Deprovisioning requirements
must all be considered.
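A privileged account review that applies the “additional rigor” across all four lifecycle phases. This is an added example, not from the slides or any PAM product; the account inventory, field names and thresholds are constructed, and the thresholds should come from your own access-management policy.

```python
"""Privileged account lifecycle review (added example; constructed data)."""

from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Policy thresholds (constructed, hypothetical values).
PRIV_REVIEW_DAYS = 90     # privileged accounts re-certified quarterly
STD_REVIEW_DAYS = 365     # standard accounts re-certified annually
PRIV_INACTIVE_DAYS = 45   # unused privileged account -> deprovision candidate


@dataclass(frozen=True)
class Account:
    name: str
    privileged: bool              # holds elevated privileges (admin, root, ...)
    mfa_enrolled: bool
    owner: Optional[str]          # accountable human owner; None if unknown
    last_review: Optional[date]   # last access re-certification; None if never
    last_used: Optional[date]     # None if never used


@dataclass(frozen=True)
class Finding:
    account: str
    phase: str   # Provisioning / Use / Review / Deprovisioning
    issue: str


def review_account(acct: Account, today: date) -> List[Finding]:
    """Check one account against the lifecycle requirements."""
    findings: List[Finding] = []
    review_limit = PRIV_REVIEW_DAYS if acct.privileged else STD_REVIEW_DAYS

    # Provisioning: every account needs an accountable owner.
    if acct.owner is None:
        findings.append(Finding(acct.name, "Provisioning", "no accountable owner recorded"))

    # Use: elevated privileges must sit behind MFA.
    if acct.privileged and not acct.mfa_enrolled:
        findings.append(Finding(acct.name, "Use", "privileged account without MFA"))

    # Review: re-certification cadence is tighter for privileged accounts.
    if acct.last_review is None or (today - acct.last_review).days > review_limit:
        findings.append(Finding(acct.name, "Review",
                                f"not re-certified within {review_limit} days"))

    # Deprovisioning: an unused privileged account is standing risk with no benefit.
    if acct.privileged:
        idle = (today - acct.last_used).days if acct.last_used else None
        if idle is None or idle > PRIV_INACTIVE_DAYS:
            findings.append(Finding(acct.name, "Deprovisioning",
                                    f"unused for more than {PRIV_INACTIVE_DAYS} days; "
                                    "disable pending owner confirmation"))
    return findings


def review_inventory(accounts: List[Account], today: date) -> List[Finding]:
    findings: List[Finding] = []
    for acct in accounts:
        findings.extend(review_account(acct, today))
    return findings


def phases_by_account(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Group the failing lifecycle phases per account for reporting."""
    grouped: Dict[str, Set[str]] = {}
    for f in findings:
        grouped.setdefault(f.account, set()).add(f.phase)
    return grouped


# Constructed inventory snapshot and review date.
REVIEW_DATE = date(2022, 6, 1)
INVENTORY = [
    Account("svc-backup-admin", True, False, "ops-team", date(2021, 11, 1), date(2022, 5, 30)),
    Account("jdoe-adm", True, True, "jdoe", date(2022, 4, 15), date(2022, 2, 1)),
    Account("jdoe", False, False, "jdoe", date(2021, 9, 1), date(2022, 5, 31)),
    Account("root-legacy", True, True, None, None, None),
]

if __name__ == "__main__":
    for f in review_inventory(INVENTORY, REVIEW_DATE):
        print(f"{f.account:18} {f.phase:15} {f.issue}")
```

The same review date produces no findings for the standard account “jdoe” but three for the orphaned “root-legacy” account: the rigor scales with the privilege level, which is the slide’s point.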

APPLY FOUNDATIONAL SECURITY OPERATIONS CONCEPTS
Job Rotation
• Two primary benefits:
• Cross-training, which improves operational resilience.
• Limits/mitigates internal fraud (and related abuse):
• Personnel are less likely to engage in it when they know
they will rotate, and
• Fraud is more likely to be detected.

APPLY FOUNDATIONAL SECURITY OPERATIONS CONCEPTS
Service-Level Agreements
• Defines the level of service expected from a third party:
• The metrics by which service is measured, and
• Remedies or penalties, should agreed-on service levels not
be achieved.
• It is a critical component of any technology vendor contract.
• Service level requirements (SLRs) that both parties agree to
become the SLA, which codifies the shared understanding of
those requirements.
• SLAs should be monitored continually and should be part of
third-party information security risk management.

APPLY RESOURCE PROTECTION

Media Management
• Physical and electronic; paper, hard drives, devices, etc.
• ALL data should be classified as part of data management
practices.
• Labeling and marking are driven by data classification
requirements, using the highest classification present on the media.

https://frsecure.com/information-classification-policy-
template/

Handling
• The labeling and marking communicates to the asset holder
what the protection requirements are (based upon the
classification).

Media Protection Techniques
Physical compromise is total compromise. RoT
Transporting Media
Encryption, hashing, and physical protections should all be
considered. Physical protections should also include
environmental controls.
Sanitization and Disposal
• Previously covered. Full disk encryption (FDE) is a
mitigating control.
• Data must be securely overwritten and/or destroyed.

CONDUCT INCIDENT MANAGEMENT

First, you MUST define what an “incident” is.

An event is something that happened.

An incident is an event with a negative consequence.

Incident Management Plan
Contains how the organization will manage an incident from
beginning to end (and into the next).
The book calls it the “tools, resources, and processes needed to identify,
categorize, and remediate the impact of incidents.”
Plenty of standards to draw from:
• ITIL framework incident management processes
• NIST Special Publication 800-61, “Computer Security Incident Handling Guide”
• ISO 27035, “Security incident management”
• European Network and Information Security Agency (ENISA), “CSIRT Setting Up Guide”
• ISACA, “Incident Management and Response”

Incident response log template (let me know if you want a copy of this…):
https://frsecure.com/incident-response-log-template/

Incident Response Testing and Exercise
Testing is mandatory.
Excellent training opportunities.
Improves response.
Can be used to integrate with other plans.

Incident Response - Reporting
Two messages, one internal and the other external.

OPERATE AND MAINTAIN DETECTIVE AND PREVENTATIVE MEASURES

Defense-in-depth: controls are layered to serve both
preventative and detective functions.

https://nsacyber.github.io/publications.html

Firewalls (review)
• Static packet inspection (stateless)
• Stateful packet inspection
• Web application firewall (WAF) and API gateway -
Specialized network access control devices designed to
handle specific types of traffic, unlike a generic firewall that
handles all network traffic. WAFs and API gateways analyze
traffic destined specifically for a web application or an
application's API.
• Host-based firewalls - These are installed on a specific
endpoint and use a ruleset specific to that endpoint.

• Next-generation firewalls (NGFW) - More of a marketing term
than a unique type of firewall. An NGFW combines multiple
network security services into a single device/system: lower
overhead and cost (maybe), but higher complexity concentrated
in a single device (a single point of failure).
• Security groups - These exist in software-defined networks
(SDNs) and cloud environments and serve many of the same
functions as a firewall.
Firewalls, security groups, and microsegmentation are useful
access control devices in a zero-trust network architecture,
where no part of the network is implicitly trusted.

Intrusion Detection Systems and Intrusion Prevention Systems
Nothing new to cover here.

Whitelisting/Blacklisting
Mostly changed to allowlisting and blocklisting.

Third-Party-Provided Security Services
• Pros and Cons
Common services:
• Security Operations Center (SOC): Full or partial SOC
outsourcing can be useful to deal with the cost and
complexity of building and running a 24x7 SOC operation.
• Digital Forensics and Incident Response (DFIR): look for
providers without bias.
• Threat intelligence: can provide useful information about
threats that could target the organization; feeds are often
industry- or technology-specific.

Sandboxing
• Run, observe, and analyze code in a safe, isolated environment
on a network that mimics end-user operating environments.
• Designed to prevent threats from getting on the network and is
frequently used to inspect untested or untrusted code.
Honeypots/Honeynets
• Network-attached system used as a decoy to lure cyber attackers.
• Used to detect, deflect, and study hacking attempts to gain unauthorized
access to information systems.
• A honeynet is a collection of honeypots.
Be careful with honeypots: entrapment versus enticement.

IMPLEMENT AND SUPPORT PATCH AND VULNERABILITY MANAGEMENT

Five crazy facts on exactly how much time is spent on
debugging and code fixing in the software industry:
1. On average, a developer creates 70 bugs per 1,000 lines of code (!)
2. 15 bugs per 1,000 lines of code find their way to the customers
3. Fixing a bug takes 30 times longer than writing a line of code
4. 75% of a developer’s time is spent on debugging (1,500 hours a year!)
5. In the US alone, $113B is spent annually on identifying & fixing product
defects

Windows 10, 50MM LOC, 75,000 bugs?!

The average car, according to KPMG, has over 150
million lines of code in it.
Patch Management
A generic security patch process incorporating all stakeholders must
include the following:
Vulnerability detection – Scanning, researcher, user reporting a bug, etc.
Patch publication - By the vendor or development team, once the
vulnerability is verified and relevant code is written to address it.
Evaluation - Patch applicability by each organization's administrative
personnel to determine if the patch is needed in each environment.
Testing - Ensure the patch won’t introduce problems.
Apply and Track - Ensure the patch doesn’t have a negative impact on
functionality.
Rollback - If issues are encountered.
Documentation - Of the system including the patch, which becomes the
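The process above is easier to reason about when it is written down as a state machine. The following is an added example, not from the slides or from any vendor's tooling: a minimal patch tracker that covers detection and evaluation (does this host actually run an affected version?), the testing gate (production only takes a patch that already succeeded in test), apply and track (re-check exposure and run a functional check), and rollback when either check fails. The advisory IDs, package names and versions are constructed placeholders, not real advisories.

```python
import copy
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Compare dotted versions numerically, so '1.10' sorts after '1.9'.
    Assumption: only numeric components matter; suffix letters are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


@dataclass
class Advisory:
    advisory_id: str   # constructed placeholder, not a real CVE or vendor ID
    package: str
    fixed_in: str      # first version that contains the fix


@dataclass
class Host:
    name: str
    environment: str            # "test" or "prod"
    packages: Dict[str, str]    # package name -> installed version


@dataclass
class PatchRecord:
    advisory_id: str
    host: str
    history: List[str] = field(default_factory=list)
    previous_version: Optional[str] = None   # kept so a rollback is possible

    @property
    def state(self) -> str:
        return self.history[-1]


def needs_patch(adv: Advisory, host: Host) -> bool:
    """Evaluation: the patch applies only if the package is installed and older than the fix."""
    installed = host.packages.get(adv.package)
    return installed is not None and parse_version(installed) < parse_version(adv.fixed_in)


class PatchTracker:
    def __init__(self, advisories: List[Advisory], hosts: List[Host]):
        self.advisories = {a.advisory_id: a for a in advisories}
        self.hosts = {h.name: copy.deepcopy(h) for h in hosts}  # copy: apply() mutates versions
        self.tested = set()   # advisory IDs that applied cleanly in a test environment
        # Detection + evaluation: one record per (advisory, host) pair that needs the patch.
        self.records: Dict[Tuple[str, str], PatchRecord] = {
            (a.advisory_id, h.name): PatchRecord(a.advisory_id, h.name, ["detected", "evaluated"])
            for a in advisories for h in self.hosts.values() if needs_patch(a, h)
        }

    def apply(self, advisory_id: str, host_name: str, functional_check_ok: bool = True) -> str:
        """Test gate -> apply -> track -> rollback or document. Returns the final state."""
        rec = self.records.get((advisory_id, host_name))
        if rec is None:
            return "not_applicable"
        adv, host = self.advisories[advisory_id], self.hosts[host_name]
        # Testing gate: production only takes patches that already succeeded in test.
        if host.environment == "prod" and advisory_id not in self.tested:
            rec.history.append("blocked_untested")
            return rec.state
        rec.previous_version = host.packages[adv.package]
        host.packages[adv.package] = adv.fixed_in
        rec.history.append("applied")
        # Tracking: the patch must both close the exposure and leave functionality intact.
        if needs_patch(adv, host) or not functional_check_ok:
            host.packages[adv.package] = rec.previous_version
            rec.history.append("rolled_back")
            return rec.state
        if host.environment == "test":
            self.tested.add(advisory_id)
            rec.history.append("tested")
        else:
            rec.history.append("documented")
        return rec.state


# Constructed sample inventory; IDs and versions are illustrative only.
SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "openssl", "3.0.8"),
    Advisory("ADV-0002", "nginx", "1.24.0"),
]
SAMPLE_HOSTS = [
    Host("web-test", "test", {"openssl": "3.0.7", "nginx": "1.22.1"}),
    Host("web-prod", "prod", {"openssl": "3.0.7", "nginx": "1.22.1"}),
    Host("db-prod", "prod", {"postgres": "15.2"}),
]


def run_demo() -> Dict[str, str]:
    """Walk the process end to end and return each step's outcome."""
    tracker = PatchTracker(SAMPLE_ADVISORIES, SAMPLE_HOSTS)
    return {
        "prod_before_test": tracker.apply("ADV-0001", "web-prod"),   # blocked_untested
        "test_pass": tracker.apply("ADV-0001", "web-test"),          # tested
        "prod_after_test": tracker.apply("ADV-0001", "web-prod"),    # documented
        "test_breaks_app": tracker.apply("ADV-0002", "web-test", functional_check_ok=False),  # rolled_back
        "prod_never_tested": tracker.apply("ADV-0002", "web-prod"),  # blocked_untested
        "no_such_package": tracker.apply("ADV-0001", "db-prod"),     # not_applicable
    }


if __name__ == "__main__":
    for step, outcome in run_demo().items():
        print(f"{step:18} {outcome}")
```

The two checks in the tracking step are deliberately separate: re-running the evaluation catches a patch that installed but did not actually change the vulnerable version (wrong package, wrong channel), and the functional check catches the opposite failure, a patch that closed the exposure but broke the application. Either one triggers a rollback to the recorded previous version, which is why that version is captured before the apply and not after.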
UNDERSTAND AND PARTICIPATE IN CHANGE MANAGEMENT PROCESSES
This is where we’ll stop for the night…

SESSION TEN – FINALLY!

Homework:
• Catch up on your reading. You should be through (or at
least beginning) Domain 7 soon.
• Take practice tests.
• Review at least two of the references we provided in this
class (download for later use).
• Post at least one question/answer in the Slack Channel.

See you Monday!
