CISSP Domain 7 Study Guide

CISSP Domain 7 – Security Operations covers a variety of investigative concepts, including evidence collection and processing, documentation and reporting, investigative techniques, and digital forensics.

Key technologies used in security operations include firewalls, intrusion prevention systems, application whitelisting, antivirus software, honeypots, and sandboxing to help manage third-party security contracts and services, patching, vulnerability, and change management processes.

The goal is to understand security operations so that incident response and recovery, disaster recovery, and business continuity are most effective. Here are some important concepts you need to know in CISSP Domain 7.

Important concepts of security operations

There are four different types of investigation.

  1. Administrative:
    • Lower burden of proof.
    • Held within the organization.
    • Violation of organizational policy.
  2. Criminal.
    • The evidence must be beyond a reasonable doubt.
    • Criminal prosecution under criminal law.
  3. Civil:
    • Preponderance of the evidence.
    • Between private entities.
    • Determines whether the entity is liable or not.
  4. Adjuster.
    • Preponderance of the evidence.
    • Can be criminal or civil.
    • Determines whether the organization is in compliance with the regulation.
  • Need to know and minimum privilege
    • Access must be granted on a need-to-know basis. The principle of least privilege means giving users the least privileges necessary to perform their work tasks. Access is granted only when special privilege is deemed necessary. It is good practice and almost always recommended to follow.
      • Aggregation – Combining multiple items into a single entity is often used in role-based access control.
      • Transit trust – From a Microsoft Active Directory perspective, the root or parent domain automatically trusts all child domains. Because of transitivity, all child domains also trust each other. Transience makes it easier to have confidence. But it is important to be careful. In a high security environment, it is not uncommon to see non-passive trusts being used depending on the configuration and requirements.
  • Segregation of Duties and Responsibilities
    • Segregation of duties refers to the process of separating certain tasks and activities so that one person does not control everything. Administration is important as each person will only have administrative access to their area.
    • The purpose of segregation of duties is to make it more difficult to harm the organization through destructive activities or data loss, for example. With segregation of duties, it is often necessary to have two or more people working together (collusting) to harm the organization.
    • Segregation of duties is not always practical, however, especially in a small environment. In such cases, you can rely on compensable controls or an external audit to minimize risk.
  • Privileged account management
    • A special privilege is a right that is not normally given to people. Actions taken using special privileges must be carefully monitored.
    • For high security environments, you should consider a monitoring solution that offers screen capture or screen recording in addition to text logging.
  • Job rotation
    • Job rotation is the act of moving people between jobs or responsibilities. The purpose of job rotation is to reduce the duration of one person in a particular job or within a particular set of responsibilities for too long.
    • This minimizes the chance of errors or malicious activity going unnoticed. Job rotation can also be used to train team members to minimize the impact of unexpected leave.

Information life cycle

The life cycle of information consists of the following stages:

  • Collect data – data is collected from automated sources and when users generate data such as creating a new table.
  • Use the data – users read, edit and share data.
  • Save data (optional) – data is archived for the time required by the company’s data retention policy.
  • Legal Hold (Incidental) – legal retention requires you to keep one or more copies of specific data in an unaltered form during a legal scenario, audit or government investigation. Legitimate storage is often narrow and in most cases invisible to users and administrators who are not involved in placing the storage.
  • Delete data – The default delete action on most operating systems is not secure. The data is simply marked as deleted, but is still stored until overwritten. In order to have an efficient information life cycle, you should use secure deletion methods such as disk wiping, scavenging, and physical destruction.

Service Level Agreements (SLAs)

An SLA is an agreement between a supplier (which may simply be another department in the organization) and the business that defines when the service provided by the department is acceptable.

You will most likely come across this as a reliable service provider in 9. This is basically an availability or coverage threshold. The main focus is on high availability and website flexibility. Sometimes there may be financial penalties for not meeting SLA requirements.

Compliance with detective and preventive measures

  • Type 1 hypervisors VMs are hypervisors where the OS is installed directly on the barebones machine. These hypervisors often perform better.
  • Type 2 hypervisors Are apps installed on the OS. They are called hosted hypervisors. These hypervisors are often slower than Type 1 hypervisors because the OS must translate each call.
  • Tripwire: It’s HIDS.
  • NIPS: similar to IDS but it is placed on the network. It can modify network packets or block attacks.
  • IACIS: is a non-profit organization of digital forensics professionals. It CFCE: the credential was the first certification to demonstrate competency in computer forensics related to Windows-based computers.
  • CFTT: A project established by NIST to test and certify forensic equipment.
  • Software Escrow Agreement allows the customer access to the source code of the software when the vendor ceases support or is out of business.

Detective and preventive measures


Operating firewalls involves more than modifying rules and reviewing logs. You should also review the configuration change log to see which configuration settings have changed recently.

Intrusion detection and prevention systems

You should regularly evaluate the effectiveness of your IDS and IPS systems. This is not a throwaway security solution. The alert function needs to be reviewed and fine-tuned. Too many false positive alerts and dangerous false negatives will hinder detection and ultimately response.

Whitelist and blacklist

Whitelisted is the process of marking bids allowed, while blacklisted is the process of marking applications as prohibited. The maintenance of these lists can be automatic and can be built into other security software.

Security services provided by third parties

Some vendors offer security services that absorb logs from your environment. This handles detection and response, using artificial intelligence or a large network operations center to sort through the noise. Other services perform assessments, audits or forensics. There are other third-party security services that offer code review, recovery, or reporting.

Open source intelligence is the collection of information from any publicly available resource. This includes websites, social networks, discussion forums, file services, public databases and other online sources. This also includes non-Internet sources such as libraries and periodicals. In addition to being publicly available, third parties may provide services to include this information in their security offerings.


Sandboxing is a technique that isolates software, computers, and networks from the rest of your environment. Sandboxes help minimize damage to the production network. Unfortunately, because sandboxes are not under the same surveillance as the rest of the environment, they are often more vulnerable to attack. Sandboxes are also often used for this honeycombs and: honey nets.

Honeypots and Honeynets

A honeypot or honeynet is a computer or network that is deliberately used to lure bad actors into logging actions and commands. If you don’t know if something might be at risk, this is a great way to see some of the methods being used so you can better protect your environment. There are important and accepted uses, but don’t expect all unauthorized access to be malicious in nature.

Interestingly, honey pots and beehives can be seen as unethical because of the similarities. trapped. It’s undeniable, though, that security-conscious organizations can still benefit from the information gleaned from their usage.

Against malware

Anti-malware is a broad term that includes all tools to combat unwanted and malicious software, messages or traffic. Malware includes almost any code, application, software, or service that exists to deceive users or cause general harm. You should install antivirus software on every possible device, including servers, computers, and mobile devices. Make sure these materials are updated.

A Security Information and Event Management (SIEM) system performs the following functions:

  • Consolidation. collects security log information from multiple sources.
  • Normalization. Present the collected data in a meaningful, understandable way.
  • Ratio. Compare between different logs and provide an overall view of security status.
  • Report.

Penetration monitoring

Intrusion monitoring can be done using tools such as firewalls, IDS/IPS, SIEM, tap/Span. It monitors data originating outside the trusted network.

Outbound monitoring

Egress monitoring refers to data leaving a trusted network.

Data Leak Prevention (DLP) is a common tool used in leak monitoring. It compares the data that comes out of the organization against predefined rules.

Upon detection of a breach, DLP may do one of the following:

  • Only reminds the user that they are trying to send confidential information.
  • Asks the user for confirmation before continuing.
  • Terminates operation and informs management.

Source link