Key concepts and terminologies mentioned

CISSP

1. SAS 70

  • Outdated: SAS 70 was an auditing standard used to assess the controls at service organizations, but it was replaced in 2011 by standards based on ISAE 3402.

2. SOC Reports (Service Organization Control Reports)

  • Purpose: SOC reports are designed to provide information about the controls at a service organization, particularly those relevant to security, availability, processing integrity, confidentiality, and privacy.
  • Types:
    • SOC-1: Focuses on internal controls over financial reporting. It’s synonymous with SSAE 16.
    • SOC-2: Evaluates the design and operational effectiveness of controls related to security, integrity, privacy, and availability. This report is detailed and intended for business partners and auditors.
    • SOC-3: A more general report that can be shared with a broad audience, often used to publicly demonstrate an organization’s commitment to CIA (Confidentiality, Integrity, Availability). It may include a seal for the organization’s website.
  • Report Types:
    • Type 1: Assesses the design of controls at a specific point in time.
    • Type 2: Evaluates both the design and the operational effectiveness of controls over a period of time.

3. Passive Monitoring

  • Definition: Passive monitoring observes actual network traffic rather than generating test traffic, so it identifies issues only after they have occurred.

4. Log Management System

  • Challenges: Managing log data involves handling the volume of data, the network bandwidth it consumes, securing the log data itself, and the effort required for analysis. Having too few log sources can also limit the effectiveness of log management.

5. OPSEC Process (Operational Security)

  • Purpose: Involves understanding daily operations from the perspective of a competitor, enemy, or hacker and then developing and applying countermeasures to protect sensitive information.

6. Penetration Testing (Pen-Test)

  • Definition: Simulates attacks on a network to identify vulnerabilities as a hacker would. Management approval is essential before conducting a pen-test to ensure ethical and legal compliance.

7. Port Scanner

  • Definition: A tool that scans a range of ports on a computer or device to determine which ports are open, indicating possible entry points for attacks.

8. Ring Zero

  • Definition: Refers to the most privileged level of an operating system, where the core OS functions execute. Only trusted, low-level code runs in Ring Zero.

9. War Dialer

  • Definition: A tool that dials a range of phone numbers to find active modems, often used historically in hacking attempts, as depicted in the movie “WarGames.”

10. Superzapping

  • Definition: Refers to the use of a system utility or application that bypasses all access controls and logging to make changes directly to code or data. It poses significant security risks due to its ability to override all security measures.

11. Operational Assurance

  • Definition: Verification that a system operates according to its security requirements. Methods include design and development reviews, formal modeling, security architecture, and ISO 9000 quality techniques. Assurance refers to the confidence that security measures work as intended.

12. Piggybacking and Tailgating

  • Piggybacking: Occurs when an unauthorized person gains access to a secure area by following an authorized person through a door.
  • Tailgating: Involves an authorized person circumventing security controls, typically for convenience.

13. Supervisor Mode

  • Definition: Refers to processes that run in the inner, protected ring of an operating system, typically Ring Zero, with full access to system resources and critical functions.

These concepts are essential for understanding various aspects of information security, from auditing standards and report types to technical aspects like port scanning and operational security.