CISSP Preparation

hello friends uh so

welcome to this new series of cissp

so our ultimate aim for this particular

series is to understand the topics

and the concepts in those topics and

also

we need to understand about the

scenarios

it means the practical implementation of

these concepts which is discussed in the

cissp topics so this new series i am

preparing

preparing for the fast track cissp that

is a google classroom

and for this particular google classroom

some of the videos i am also putting

them in the public domain

so this particular video is for the

public domain that’s why i’m making it

live

so in this series i am going to cover

the concepts

and the related scenarios of those

topics given in as per the cbk of the

cissp

so to better understand the whole cissp

and we can say the concept of the topic

and its practicality

is the main theme of these particular

videos

so i can say if

uh it means we have total 63 topics in

this cissp whole

cissp these three topics if we are able

to cover three topics in a day

then we are able to roughly cover in 20

days

the whole cissp some of the topics are

very small so we can cover

uh more topics in some particular days

but

my try is to maximum cover three topics

in a particular day

so uh in this fast track series we will

cover the whole cissp in 20 days

with exam preparation also so every

video will be followed by

related set of questions uh suppose a

particular topic whatever we have

covered in the

video whether i’m going to make it live

or

whether i’m going going to give it you

on the classroom itself

so uh just after this particular video

you will get the

related questions related to that

particular topic so my suggestion is

watch the video then just attempt all

the questions and check out what exactly

your score

is then again go through the whole video

once more

and then again check out your uh

score in the on in that particular

questions right so by doing so you will

maximum

uh the understanding from your site will

be very

good and then you will get the you can

score maximum marks within a short time

duration so that is the ultimate aim

that’s why the name

is fast track it means on a fast track

we are going to cover everything

with practical implementation and

uh preparation for the exam the

understanding how exactly we are going

to use all these concepts

practically is more important here the

reason for the same is if you know the

practical implementation of all these

concepts which are covered in the cissp

exam

then it is very easy for you to

understand the senate scenarios which

they will give in the

exam because because in exam you will

not get any questions from any dumb

you will not get any questions related

to any particular previous questions

every time they are creating their own

scenarios they are creating new

questions

so that’s why if you are able to

understand the practical implementation

of each and every

concept which is they have given in the

cpk then it is very easy for you

to go through the whole cissp in a

single go right

okay so today in this particular live

video i am going to cover the very first

topic right

and then rest of the two topics will be

available in the google classroom

questions related to each topic will be

individually given in the google

classroom you can attempt the same in

the fast track google classroom not the

normal one that is the first track a

separate series i have created that’s

why i’m putting it here

so also all the ppt’s and other

resources which i am going to show

in this particular video will be

available on the google classroom

and as we are starting this series with

the domain

three that is the security architecture

and engineering third domain of cissp

so the first thing is we must understand

what exactly security architecture means

and what exactly security engineering

means

so this security architecture means

designing and organizing all the

components

processes services and controls which

are related to

security or which are related to the id

processes

and from where exactly these it

processes are coming from where exactly

these security requirements are coming

from it is also very important to

understand the same

and that’s what is the practical

implementation of the

concept so security architecture is a

concept right

and how to implement that particular

concept that is the practicality of that

particular

concept which we are going to understand

in this particular whole series

and security engineering is to implement

the

security architecture in reality so that

is our security engineering

so we can say this whole domain

uh of this third domain of cissp

it covers total 11 uh topics and all

these 11 topics

we are going to cover the very first

topic here in this video there’s two

topics

i will just give in the google classroom

fast track

google classroom so the first topic is

implement and manage

engineering processes using secure

design principles

as i already told you in my older videos

also it is very important for you to

understand

the whole topic so the topic here is

implement

and manage engineering processes using

secure design principle

and as a cyber security or information

security professional

it is very important for you to

understand what exactly these

engineering processes are

and what from where exactly these are

coming from then only you can say

to secure these engineering processes i

can do this this this

and now they are secure right so

this particular topic wants you to

understand the same it means

it wants you to understand how to

implement and manage the engineering

processes

it means you it wants you to understand

what exactly engineering processes

are using secure design principles so

the second concept which is covered in

this particular topic is

secure design principle so these are the

two things which we need to cover in

this particular

topic so we can say

whatever business we are going to our

organization going to do

in that particular business there is

there are some business requirements so

all these business requirements like

any particular company they want to open

an e-commerce portal so that particular

e-commerce portal

they it it have uh some requirements

right

it want a portal on which we can put the

ads

or we can put the products to sale so

all these are the business requirements

right

so this is a normal business requirement

so whenever

any particular business is going to

start it that particular business

will have some business requirement so

as per those business requirement we

will get the requirement of the

engineering processes

engineering processes are those

processes which will help us to

implement

all those business requirement or to

fulfill all those business requirement

so now whenever we are going to

i can say finalize the engineering

process then at that moment

itself we need to secure those

engineering process because

security when we start it from the very

basic level then it is very easy to

implement also it is

less costly in comparison to adding the

security later on

so whenever we are finalizing about all

these engineering processes then at that

moment itself we need to secure those

but how to secure those now to securely

implement these engineering processes

we must use some controls security

controls we can say

now these security controls we can take

out our take out

or we can just uh take from uh take all

these security controls from some

security control frameworks and we have

lots of security control framework

depending on the

environment of our company depending on

the

law of land we can select a particular

security control

or depending on the requirement also so

we can uh

select some security control framework

and

from that particular security control

framework we can say these are the

number of controls which

will be applicable or which we can use

in our environment

to secure it some of the security

control frameworks are like iso 27001

or we can say 27k complete then cis

that is also a very good source of all

the control frameworks

and then fips then uh cloud control

metrics ccm

then cisco security control framework so

these are some of the control frameworks

from where we can

take the controls right so

we can say once we have all these

security controls with us

now these security controls will finally

when we combine all these security

controls together then we will reach the

architecture final we can see the

security architecture

so we can see the security architecture

is the design

that describe how the security controls

or we can see the counter measures are

positioned

okay also it will tell us how they

relate to the overall

system architecture there will be a some

system architecture

which will also fulfill all those

requirements now this security

architecture

will be related to the system

architecture and also it will

tell us how and where to place the

security controls so that is what our

architecture

means now this architecture can be of

different types they can be high level

architecture low level architecture

network level architecture so these are

the different types of architectures

which are available

but whenever we are implementing any

particular architecture

we are going to make any particular

architecture

then these controls they serve the main

purpose here they maintain the system

quality

uh we can see the confidentiality

integrity and availability of the

complete

whole information or the systems within

that particular architecture

as a security professional we must

understand that the selection of

all the security controls should be

based on the secure design principles

now what is the secure design principles

so if we go a step further we can say

all the security controls are either

based on the security

design principles or they are going to

implement some of the design

secure design principle so that’s what

secure design principles means

so we started with the engineering

processes

now i think it is very clear to you what

exactly engineering processes means

and also it is clear to you

from where the secure design principles

are coming from

and by doing all these things by

properly

uh selecting the control by making a

proper architecture we can say

security is a core consideration in the

overall

implementation of the whole design so

finally we can say these principles will

help us in the creation of the systems

which are resilient to

attack but also they are easier to

manage and update so

three things are there whenever we are

going to implement any particular

environment three things are there

we need to make the whole uh environment

or the whole system

resilient also we need to make make it

very easy to manage

and update also we must must understand

that all these principles they require

some customization

as per the requirement of different

environment so

whenever you are going to implement any

particular

architecture or any particular framework

in your environment you can customize

those security controls as per the

requirement of your organization

we can take a example here like

the requirement of our e-commerce portal

is completely separate

that remote management requirement of

any power station or any nuclear power

plant so these are the two different

different uh

requirements but the principle the

secure design principles for

both both of them will remain the same

right

so for the cissp exam you need to

understand two sources

of these principles first one is the sns

so the first source is the sns paper

which is a

paper for the protection of information

in computer systems

and the second one is the iso standard

19 to 49

so this particular standard it is it is

a catalog of

architecture and design principle for

secure products systems and applications

moving further if we

go in depth in the s s paper we found

that there are total 10 principles

these 10 principles are economic of

mechanism

fail-safe default complete mediation

open design separation of privileges

list

privilege list common mechanism

psychological acceptability

work factor and compromise recording so

these 10

principles these are the 10

architectural level principles for

secure design

right so these 10 principles we are

using

maybe the name is different maybe in

different different because in different

different sources the name

is different but all these 10 principles

we are

using in all in our day to day

security activities let’s

go through each and every principle one

by one

okay before that let’s have a look on

the iso 19-49 also

in this we have five architectural level

principles and five design principles so

the architectural level principles are

domain separation layering encapsulation

redundancy and virtualization and the

five design principles are list

privilege

attack surface minimization centralized

parameter validation

centralized general security services

preparing for error and exceptional

handling

we are going to discuss the practicality

of this and we are going to see a

very live practical implementation of

all these principles

how exactly we can use them and how

exactly the government’s different

governments are using them

right so let’s move on to the very first

principle that is the economy of

mechanism

so this particular very first principle

of the sns paper that is the economy of

mechanism

it says make it simple and smaller

because it is very easy

if it is very simple then it is very

easy to understand

for the other persons also and whenever

any security professional want to test

it

want to access it want to design it

further or

want to redesign it then it is very much

easier for him to do the same

if it is smaller then also the overall

attack surface area will be less

right also it is very easy to understand

if it is smaller

so we can say the kiss principle keep it

simple stupid so that is a normal

case principle which we use in coding

also

also we use the same in different

environment so here also the principle

is same

we need to make the things simpler as

much as possible

so security kernel is a very good

example of the same so this is

not the exact scenario which we are

going to

take we we will take different scenarios

here right

so the next principle is fail safe

default if you are going to take about

fail safe default it means

if anything fails then that should be in

the block

state right so if any

uh in firewall also we have the deny all

rule in the last

the reason for the same is if there is

no rule which is applicable to that

particular traffic which is traveling

through that particular firewall then

in that particular case it should be

denied right so that is

a fail-safe default principle

and it means whenever you are going to

implement anything in security you

should ask a particular question which

is depend which totally depends on the

fail safe default

uh principle it’s uh it says ask why

should

we should give or provide access to this

particular resource to this particular

traffic

right so that is the question which we

should ask whenever we are going to

implement

security in any particular environment

right so then moving to the third

principle the third principle says

complete mediation

it means every access to every object

must be checked for authority and zero

trust is a part

perfect example on the same and even the

race condition canonization

all these are the examples where they

use the concept of

the principle the concept behind the

principle of complete mediation

so as per this principle this restrict

the caching of information and

whenever required we need to just to do

the whole

authentication authorization part again

so that’s the

complete so the next one is the open

design

in case of open design it says it should

be open

for scroll scrutiny by the whole

community

it means obscurity should not be there

right so whenever we design anything new

it should be available to the community

to test

to use and to further develop right if

you do

like that then there more people are

working on the same and

in that particular case we have much

more better stable system in a longer

run

so open so softwares are working on this

particular concept only

and even the encryption algorithm those

like aes

all these encryption they are not too

obscured they are not to

hidden kept hidden from the rest of the

globe they

are provided they it means the algo of

all these encryptions were provided to

the whole public so that they can work

on that and then they can just say that

these are the

uh loopholes which are there in this

particular

encryption algorithm right so that is

open design

then comes the separation of privilege

whenever we are talking about this

particular principle separation of

privilege then we can say

the dwell control or the separation of

duty in any particular environment

whether it is a data center in data

center we have different different teams

team for a particular purpose particular

persons are working in that particular

team for that particular

particular purpose only so that is

separation of privileges also

also in separation of privileges we can

say dual control it means us

same thing will be done will be divided

into two parts and one part will be done

by one person the other part will be

done by the other person right

so it requires two or more actions

actors or components to operate the

whole thing

so if any particular like doer and

checker is

also a very good example of separation

of privileges the whole

process is divided into two different

parts one is a doer who will do it

the other person will check and verify

the same so

we can say access to any object should

depend on

more than one condition being satisfied

that is the concept of separation of

privilege

next one is the list privilege so there

is a difference between

list privilege and separation of

privilege

in separation of privilege we are

dividing the whole process into multiple

parts but in list privilege we are not

dividing any process into multiple part

we can say

whenever anyone is going to have any

particular access that should start with

a minimum access

like the guest account whenever any

particular employee will

start working in any particular

organization they will start with a

guest account and then

this as as their position required they

will be provided that much of privileges

so we can say it should only have the

right necessary to complete

your task that is the concept of the

list privilege

and by default it should be lack of

access there should not be any access in

any particular environment

a very good example is the guest account

and the next one is the list common

mechanism so we can say the list common

mechanism

is to minimize the sharing of the

component between the user transitive

trust and internet are very good example

of list common mechanism

next one is the psychological

acceptability if we are going to make

anything

more difficult then most of the users

they are not going to accept the same

right

if you are going to make a password very

complex like 20

20 digits and then at the same time we

need to have five

uh alpha numeric characters five

numerals and five

special characters like that if you are

going to make a very complex password

then what exactly the user will do

they will write down that particular

password on some

piece of paper or somewhere in some soft

file so in that particular case what

exactly

we want to secure is by providing

a secure option for them to have a very

strong password but in

other way we are minimizing the security

of the overall organization because they

are writing down their password right

so this principle say that we should not

make the resource more difficult to

access than if the security mechanism

were not present right so try to make it

easy for the user or

they will definitely try to bypass the

same that is the concept for this

particular

principle of psychological acceptability

so the next principle says

the next principle that is the ninth

principle is the work factor so this

work factor is about the degree of

effort

required to compromise the security of

any particular control we can say

comparing the whole cost

of defeating security is the basic

concept behind this particular

principle if any particular encryption

like or any particular hash it is we

require

20 days as of now to correct any

particular hash or any particular

encryption algorithm

then maybe in coming future we do not

require that much of the effort so that

is the work factor behind that

right so that’s why if we are having a

very short password like

two three four digit and it is very

simple then using the brute force attack

it is very easy for the attacker

to brute force your password but if you

are using a strong password of i can say

a digit 10 digit 12 digit and that two

in a complex form

then they require a brute force which

require

much more time duration right and in

that particular case the

factor principle comes into account

and the last principle that is the

compromise recording

okay so the last principle is the

compromise recording yes it is not

possible to secure each and everything

right so in case anything uh

is compromised then we must be able to

record the same

we must be able to request or record the

compromise of the same

so that’s what the tenth principle that

is the compromise recording principle

says

so it says that record that a security

compromise has occurred

and also we can say it is kind of a

detective control

right like the assist law and the cctv

all these are

based on this particular tense principle

of

secured architecture right so with this

we can say we

have these 10 principles economy of

mechanism fail safe default

complete mediation open design

separation of privilege

list privilege least common mechanism

and

psychological acceptability work factor

and compromise recording

so with these 10 factor the whole sns

paper is covered for that particular but

that is a very old paper right

so where exactly we are going to

implement all these and

is there any model which is currently

using all these principles

yes there is and we are using all of

them

and one of the good example is the iso

19 to 49 only

because it is giving five architectural

principles and five design principles

if you check out these architectural

principles and design principles you

will find

a complete mapping of these 10 with the

mapping of the

uh s s paper right so the five

architectural principles are domain

separation

layering encapsulation redundancy

virtualization and five design

principles are list privilege

attack surface minimization centralized

parameter validation

centralized general security services

and preparing for error and exceptional

handling

right so these are the ten principles

five architectural and five design

principles given by the iso 19 to 49

paper

let’s have a quick view on the practical

implementation of these 10 principles

architectural and design principles

in some other model also we have seen

one iso

19-49 let’s have a understanding of

this also let me share my screen

okay

okay i think you are able to view the

same

okay so uh this is

a portal by ncsc that is the national

cyber security center

so this uh national cyber security

center they

provided and they uh provided some

document

we can say guide for the design of cyber

secure systems

and they are using all these 10

principles how

let’s see all of them one one by one

first of all

this whole portal uh you i will just

provide the link of the same in the

google classroom so you that

you can easily just

come to this particular page so here

they have given the secure design

principles and they are using

the whole 10 principles in different

different categories and the naming

is different but the principles are

still the same

first but exactly they have done they

have grouped together all the principles

in

five different groups these different

groups are established the context

before designing a system

may come from okay let me

show it to you yeah

this is the very first one establish the

context before designing a system

the second group they have created is

make compromise difficult

the third group they have created is

make distribution differ difficult

the fourth group is make compromise

detection easier

and the fifth one is reduce the impact

of compromise so these are the five

groups they have created and in these

groups they have put

all the principles they have changed the

name yes

but if you check out in detail then you

will found

that each and everything is exactly same

like the first one

so this is the very first group the very

first group it is having total five

principles

in it this is establish the context

before designing us

system so whenever we are going to

design any particular system whether

we are going to i can say design a

network

then first we need to understand the

context of the design

right we need to understand what exactly

the requirements are the context in

which we are going to design the whole

thing

so in this they have given the

principles the first principle say

understand what the system is for what

is needed

to operate it and which risk are

acceptable risk so this is the very

first

principles which they have given right

then the second principle says

understand the threat model for your

system

okay the third principle says understand

the role

of the supplier in establishing and

maintaining system security

the fourth principle says understand the

system end-to-end

whole it means we need to understand

about the who is going to access the

data

and the devices any third party services

which we are going to use in any

in that particular environment any

network security devices in that

particular environment

copies of our data in either moving or

static in that particular environment

then communication over insecure

networks then appropriate security for

every iteration of our systems the the

fifth principle says be clear about

how you govern security risk right and

the sixth principle says

ensure there is no ambiguity about

responsibility so these are the six

principles now you will

uh you will say that these principles

are not there in those ten principles no

it is there

right just go in depth in each and every

uh principle just read out the whole

thing then you will see that each and

everything is also covered in those

principles also

if you go to the second category that is

make compromise difficult right so the

first one

is establish the context before

designing a system then the second one

is make compromise difficult

right if anyone tried to compromise the

system then try to make it difficult

using this

secure design principles what are these

the first one is their total nine

the first one is external input cannot

be trusted

transform validate or render it safely

it means whenever

it is possible just transform it

validate the external input

or you can do a safe rendering

the second says reduce the attack

surface minimize the attack surface as

much as possible

then the third one says gain confidence

in crucial security control

fourth one says protect management and

operation environment from targeted

attacks

fifth one says prefer tried and tested

approaches

sixth one says all operation should be

individually authorized and accounted

for

seventh says design for easy maintenance

it is make it easy for administrator to

manage the access control

and ninth one says make it easy for

users to do the right thing

so this is the practical implementation

whenever you are going to design

or you want to create an architecture of

any particular environment or you want

to understand

any particular architecture of any

particular environment or

you want to secure any particular

environment then you can use these

principles

okay the first one category the first

category is establish the context before

designing a system so you need to

understand those

six principles which are given in the

first group

and according to the same you need to

understand the whole context

then the second one says make the

compromise difficult so in these

nine principles they have given as per

those nine principles you can just

make the compromise difficult make the

attacker more difficult to compromise

the whole system the third is having

total four categories

then make the disruption difficult

ensure system are resilient to

both attack and failure using redundancy

using different different techniques

then design for scalability

identify bottlenecks test for high load

and denial of service condition

and the fourth one says identify where

applicability depends on a third party

and plan for the failure of that

particular

third party so these are the four

principles they have given in

given in the fourth one the uh sorry

third one

the fourth one is make compromise

detection easier

so the last principle is exactly the

same

that is compromised recording so that is

in debt only

collect all relevant security events and

logs ensure

simple communication flows between

component detect malware command and

control communication

fourth one is make monitoring

independent of the system being

monitored

fifth one is make it difficult for

attacker to detect security rules

through external testing sixth one is

understand normal and detect the

abnormal

so that is the fourth categorization if

we go to the last one that is reduce the

impact

so when we are talking about reducing

the impact we need to first one is use

a zone or segmented network approach

which is exactly same as

we can say separation of privileges or

list common mechanism then remove

unnecessary functionality and especially

where unauthorized use would be damaging

right the third one is beware of

creating a management bypass

okay then make it easier to recover

following a compromise and the fifth one

is

designed to support separation of duties

sixth principle is about anomalizing

data where it is exported to reporting

tools

and do not allow arbitrary queries

against your data that is the seventh

and the eighth one is

avoid unnecessary cash of data so these

are the total

principles which are given in the

national cyber security center for

secure design

which are further grouped into five

different categories and

as a cyber security professional you

must understand this thing that

these kind of controls and these kind of

documents are available by

which you can understand the whole

concept behind these cyber security

right so these 10 principles which we

have discussed today

all these 10 principles are implemented

used in this particular

document of secured design principles

given by the national cyber security

center so that is a live document live

picture of

implementation of these security

principles

right okay moving further we can say

we have one more uh video which is

related to

the next part of the same that which

will cover the second

topic that is understand the fundamental

concept of security models in which i

have discussed about two

uh different models like bella padula

biba

clark wilson and the practical

implementation of this model

how exactly we are and i have shown i’ve

in that particular video i have shown i

have taken some of the practical

implementation of all this model

with some live classic examples as i

have taken for the ncsc

and the third topic of this particular

video series for today is select control

based upon system security

requirements so as in any particular

implementation we have some statement of

applicability

that from that particular framework we

are going to take these many of

our controls and these menu of controls

we are going to implement

in our environment so

we have once we have the understanding

of all these scenarios then it is very

easy for us

depending on the regulation depending on

some business needs how exactly we can

select the security

controls and how exactly we can secure

the system so that is covered in the

third topic so these are the three

videos which

you will get today in the cissp fast

track

with each and every video you will get

the questions so just after this video

i think within next 10 15 minutes you

will get the set of the questions for

the very first video

then you will get the second video uh

then you will get the

set related to the second video and then

the third video so in this way

keeps on prepping for your exam and

whatever doubts are there

uh there is a separate group for that

particular users who are

who are there in that particular fast

track group so they can just communicate

with me directly

if they face any particular issue

related to any particular

thing if you any one of you are having

any doubts then please

write it down on this chat box so that i

can

revert to you so i’m going to share

all the resources which i have

used today in my class in my video

today to you right

with this i just want to say thank you

thank you

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scroll to Top