Hello everyone, and welcome to the Certified Information Systems Security Professional (CISSP) training. We are moving on to Domain 1, Security Risk and Governance. It is an important domain, and from an exam perspective an interesting one. I see a lot of people say it is purely theoretical, and they tend to lose focus because they either have no working experience in it or come from a more technical background, which is understandable. But trust me, it is one of the most interesting domains, and also one of the most scoring: you are definitely going to get a lot of questions out of it, and they are good scoring ones, so we do not want to miss that.

Each domain has been split into modules, to ease the pressure of going through all the slides one after another. After each module we will do a review activity to assess how well we have understood the concepts.

Domain 1 includes four modules. In module one, Security Governance Through Principles and Policies, we cover the very basics of security, starting with CIA: confidentiality, integrity and availability. It is a concept we carry with us throughout all eight domains. It looks very simple, and it is very simple, but what matters is the context of CIA and how it is relevant from a CISSP perspective. I have also included this in our examination mindset: whenever you think about security, think about CIA, because these are the three things we try to achieve through security.

Module two covers personnel security and risk management concepts: how risk management is performed, the types of risk management, the methods we follow, and what we need to understand and take care of from a personnel security perspective, meaning human safety, people safety.

Module three is business continuity planning. Earlier, when the CISSP was restructured from ten domains to eight, business continuity and disaster recovery used to be one separate domain. Now business continuity planning (BCP) has been placed in Domain 1 under Security Risk and Governance, because BCP is mainly about the policy perspective, whereas disaster recovery (DR) is about the operations perspective. We will talk more about BCP and DR when we reach them, but it makes sense: because DR is operational, it has been kept in Domain 7, Security Operations.

Module four covers laws, regulations and compliance: what we need to understand from the perspective of the various laws. It is important and highly testable, but not all of it is. CISSP is a vendor-neutral exam. Vendor neutral means it does not talk about a specific technology provided by any vendor; it talks about methods and frameworks. It does not talk about what a cloud in AWS looks like, it just talks about cloud in general.

Module one: Security Governance Through Principles and Policies. Before we get started, it is very important to understand the three principles we call the security triad, C-I-A: confidentiality, integrity and availability. We have all heard these terms and use them in our day-to-day lives, which is fine, but now we are going to understand how confidentiality, integrity and availability affect security in a much more granular way.

What is confidentiality? Confidentiality is sharing information only with the intended audience, the intended people. Some information or data is meant only for a small group of people, and only that group should have access to it; that information is confidential to them. So whenever we share information only with the intended audience, we are trying to achieve confidentiality. If anyone outside that group is able to access the information, that person has unauthorized access to it.

Data should be protected in all states. Data has several states, and we will cover them in Domain 2 along with how we protect data, but let us get a high-level understanding now. At a high level, data has three states. Data at rest is data that is stored anywhere, like your database or your file server, anywhere it sits at the storage level and is not moving. When data starts moving we say it is in motion or in transit, like your emails, your web traffic over HTTP, or any kind of file transfer; they all belong to data in motion. Then there is data in process, also called data in use, when someone is actually accessing or processing the data; your memory, your RAM, is a good example of data in use. We need to make sure we protect our data in all states, and since we are talking about confidentiality right now, we try to achieve confidentiality of the data in all states.

You will see several exam tips throughout the slides; they are there to help you understand things from an exam perspective. Whenever you get a question in your practice tests or the real exam about the best practice to achieve or maintain confidentiality, the best practice is always to encrypt the data. What encryption and decryption are we will cover in Domain 3, but just to let you know: encryption is a method where we take plain text and pass it through an algorithm, using some keys, to turn it into cipher text, or encrypted text. Encryption is done to make sure that only authorized people, those who have access to the key (or keys; we will cover the algorithms and keys when we get there), can decrypt it. Decryption is the process of converting the cipher text back to plain text using the same algorithm and a key. So we hide the data from any unauthorized access so that only authorized people can look into it, and authorized people look into it by reversing the process that encryption performed. That process is encryption, and the reverse is decryption.

For encrypting data in motion, the best practice is TLS, TLS 1.2. TLS stands for Transport Layer Security; we will talk more about it, so do not worry about these terms and jargon, we are going to cover each and every one of them. For encrypting data at rest, it is going to be the Advanced Encryption Standard, AES-256. We will learn what AES is and what the 256 means when we cover cryptography. The reason I have kept it here is that when we get to cryptography it will be a good revision, and your mind will recall that this is something we learned on the very first day of class. So this is an exam tip, and it is definitely going to be helpful throughout your practice sessions and even in your real exam.

Now let me mention a few examples of confidentiality requirements, the requirements we need to meet in order to maintain confidentiality. First, sensitive data. Sensitive data means your personally identifiable information, PII. You are going to hear this term quite often, and you must have heard it in your organizations as well. PII is information or data through which you can identify an individual. PHI is protected health information. We have a few people in our group with experience in the healthcare industry, so they have been dealing with PHI data every day. PHI is any information that reveals medical information or a medical record for an individual. The law in the United States that covers it is called HIPAA, and we are going to talk more about HIPAA as well. So we need to protect our health information too.

All sensitive information must be protected against disclosure. What is disclosure? Disclosure is the opposite of confidentiality: confidentiality maintains the secrecy of information, disclosure is when it is revealed. So all sensitive information must be protected against disclosure using approved algorithms. Just like your PII or PHI, passwords are also considered sensitive, because if anyone has your password or credentials, your systems could be accessed by unauthorized people; we all understand the significance of protecting passwords.

Passwords and sensitive information that we cannot encrypt should be masked. Masking is another way of hiding data. You have all seen your credit card statements: the card number is shown with the first four digits visible and the following groups of digits replaced by a placeholder character. That is masking. Or when you enter your password to access a system, it is replaced with asterisks or some other character like a simple dot; that is masking your credentials.

Next, whenever we are about to store sensitive material, it has to be stored in a protected way and never in clear text. Clear text means anyone can read it; it is visible to everyone whether or not the person is approved to read it. Passwords especially should never be kept in clear text, regardless of whether the person viewing them is authorized or not. Only the person the password belongs to should know it, and even they should not need to see it stored anywhere; they should remember it and type it in. There is one feature, the eye icon next to a password field: when you click it, the password is revealed, but only for as long as you have clicked it, just so you can make sure you are typing the correct information.

Like I said, TLS is the best practice for encrypting data in motion. What TLS does is provide a secure channel in which the data being sent, which we also call the message or the payload, is in encrypted form so no one else can see it. We will also look at how TLS and SSL work, how a client and a server establish a secure connection before they exchange data, but we will leave that concept for when we cover it. For now, just understand that TLS is one of the methods used to encrypt data whenever we transmit it in transit over the network, over the channel.

So we should use approved methods, approved algorithms and approved technology to protect the data, and we should not use something that is not secure, such as FTP. FTP is the File Transfer Protocol, a protocol used to transfer files from one place to another, but it does not offer any protection. Instead we should use a secure way of transmitting files, like SFTP or FTPS: SFTP uses SSH, Secure Shell, and FTPS uses SSL, Secure Sockets Layer. We are going to cover SSH and SSL as well.

Another example listed here is that log files should not store any sensitive information. We all know what log files are, and it is important that our systems are capable of capturing logs. What does a log mean? Any activity an individual performs, the system should be able to capture, so that in case something bad happens to the system we can review the logs to identify why the event happened and what we can do to prevent it in future. Just as important, we can trace back the individual who might have done it, so that we can hold someone accountable. But these logs should not capture any sensitive information. Let us say I access a system and enter my credentials: the log should capture that Prashanth accessed the system, at what time, and what activity he performed; it should not capture my credential, my password. That is a bad practice, because logs are normally accessible to people like system administrators or people performing forensics on an impacted system, so the password, or any other sensitive information, should not be revealed there.

Moving to the next slide, we talk about the next part of the triad, integrity. Integrity simply means we want to protect our data from unauthorized modification by anyone, authorized or unauthorized. I am going to repeat the definition: we are trying to prevent unauthorized modification of our data. Who modifies data in an unauthorized manner? Anyone, whether the person is authorized or unauthorized. Even a person who has authorization to look at the data but not to modify it, if they are able to modify it, the integrity has been affected. So we protect our data from unauthorized modification by any authorized or unauthorized people. We say integrity is achieved when our data is consistent: whatever input was provided, the processing that happened and the output produced maintain consistency, and our systems perform as they are expected to.

Let us look at a few examples. Code injection is an attack where an attacker tries to inject arbitrary or malformed code into your system or your databases to gain unauthorized access. A common example is SQL injection, which we will cover when we talk about OWASP, the Open Web Application Security Project, which publishes the top 10 web application vulnerabilities; you must have heard of it, and a few of you will have worked with it. Just to give you a quick picture of how code injection works: in SQL injection the attacker tries to supply malformed input. The technique we implement to protect against code injection is input validation. If we validate the input at the system level and reject characters that should not be allowed, the system is performing validation of its inputs, and that is a technique that prevents code injection attacks.

What other methods can we implement to achieve integrity? Integrity simply means ensuring the accuracy and reliability of the data, and we achieve accuracy and reliability when our data is not modified in an unauthorized manner. The examples given are CRC, the cyclic redundancy check, checksums, message digests, hashes and message authentication codes. These are the ways through which you can see whether your message or data was modified or not. Hashing and message digests will all be discussed in Domain 3, but let me tell you what hashing is so that you are not lost when we talk about it. Hashing is a process where we provide some input and pass it through a hashing algorithm; one example is MD5, one of the hashing algorithms we are going to discuss. The output we get is a hash value.

What is the significance of hashing? If you are given an input, any message or plain text, and you pass it through a hashing algorithm, you get a hash value. But if you are given a hash value and asked to produce the input from it, that is extremely difficult or impossible. The analogy I always use: if I give you an orange and ask you to pass it through a juicer, what do we get? Orange juice. If I ask you to build an orange out of orange juice, would that be possible? It is not reversible. That is what hashing is: a one-way mathematical function.

The important characteristic of any hash value is this. Let us say we had the input "hello" and the hash we got was something like 123125abc, whatever it was. If we modify even a single character, say I write h-e-l-l and instead of the letter o I put a zero, the entire hash value changes. With this you are able to detect that your data was modified; this is how you detect unauthorized modification, and then you might want to revisit how and why it got modified and protect the integrity. Hashing and message digest are the same thing. CRC checksums also validate data once it is received, to see whether it was modified in one way or another.

Now what do we need to include when we want integrity? We discussed input validation: it should be used in all applications. Any application should treat all the input it receives as coming from an untrusted source. You need to build a system capable of treating all its input as untrusted, so that it validates all of it.

Whenever an organization procures software or an application from a vendor, a third party, the best practice is that the vendor should also provide the hash of the code. Then, before the organization installs that application on its infrastructure or systems, it can verify whether the code was modified. The vendor sends its copy of the code and also sends the hash of the code, usually protecting the hash with some form of encryption so that it cannot be tampered with. Once you have received the code, you regenerate the hash and compare it with the original hash to see whether it was modified anywhere. If you see that the code was modified, you probably do not want to install it, because integrity is not intact: the code was altered, someone might have included malicious code in it, and the moment you install it your system might be infected with malware.

Next, subjects should be prevented from modifying data. Who is a subject? A subject is an entity that requests access to data. If a user is trying to access an application, the user is the subject and the application is the object; an object is an entity that provides access to data. If an application is trying to access a database to retrieve something, the application becomes the subject and the database becomes the object. So a subject should be prevented from modifying data unless explicitly allowed: a person should not be allowed to modify data unless they have been explicitly allowed to.

Well, thank you everyone. Take care of yourselves, study hard, stay safe.
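Two of the confidentiality requirements from this module, masking card numbers and keeping credentials out of log files, as one added example that is not part of the lecture material. The log lines, field names and the list of secret keys are constructed for the example; it assumes logs use key=value fields and that statement-style masking keeps the first and last four digits visible.

```python
import re

# Constructed sample log lines (not taken from any real system). The first two
# lines show the bad practice from the lecture: a credential and a full card
# number captured in the log. The third has an order id that merely looks like
# a card number and must be left alone.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z INFO user=prashanth action=login password=Summer2024! result=ok",
    "2024-01-01T10:05:12Z INFO user=prashanth action=payment card=4111111111111111 amount=49.99",
    "2024-01-01T10:06:40Z INFO user=alice action=lookup order=12345678901234 result=ok",
    "2024-01-01T10:07:30Z WARN user=alice action=login result=failed",
]

# Keys whose values must never reach the log at all (hypothetical key names).
SECRET_KEYS = ("password", "passwd", "pwd", "token", "secret")
SECRET_RE = re.compile(r"\b(" + "|".join(SECRET_KEYS) + r")=(\S+)", re.IGNORECASE)

# A run of 13 to 19 digits has the shape of a payment card number (PAN).
PAN_RE = re.compile(r"\b(\d{13,19})\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; filters out ids that only look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Statement-style masking: keep the first and last four digits, hide the rest."""
    if len(pan) <= 8:
        return "X" * len(pan)
    return pan[:4] + "X" * (len(pan) - 8) + pan[-4:]


def sanitize_line(line: str) -> str:
    """Redact credential values and mask card numbers before the line is stored."""
    line = SECRET_RE.sub(lambda m: m.group(1) + "=[REDACTED]", line)
    line = PAN_RE.sub(
        lambda m: mask_pan(m.group(1)) if luhn_valid(m.group(1)) else m.group(0), line
    )
    return line


def sanitize(lines):
    """Apply sanitize_line to every line; this is what the log writer would call."""
    return [sanitize_line(line) for line in lines]


if __name__ == "__main__":
    for cleaned in sanitize(SAMPLE_LOGS):
        print(cleaned)
```

The user, time and action survive, which is what accountability needs; the password and the middle of the card number do not.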
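The hashing points from this module (the one-way property, the "hello" versus "hell0" change, and checking a vendor's code against the hash it published) as one added example, not from the lecture. The package bytes, the altered copy and the published digest are constructed; MD5 is used only to reproduce the lecture's example, and SHA-256 for the verification.

```python
import hashlib
import hmac


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """One-way function: any input in, fixed-length hex hash out. The input
    cannot be recovered from the hash (the orange-juice analogy)."""
    return hashlib.new(algorithm, data).hexdigest()


def avalanche(a: bytes, b: bytes, algorithm: str = "md5") -> int:
    """How many hex positions differ between the hashes of two inputs.
    A one-character change ("hello" vs "hell0") changes most of them."""
    ha, hb = digest(a, algorithm), digest(b, algorithm)
    return sum(1 for x, y in zip(ha, hb) if x != y)


def verify_package(received: bytes, published: str, algorithm: str = "sha256") -> bool:
    """Recompute the hash of what actually arrived and compare it with the value
    the vendor published. compare_digest avoids a timing difference on mismatch."""
    return hmac.compare_digest(digest(received, algorithm), published.strip().lower())


def install_decision(received: bytes, published: str) -> str:
    """The lecture's rule: install only when integrity is intact."""
    return "install" if verify_package(received, published) else "reject"


# Constructed sample package (not a real vendor artefact): the bytes the vendor shipped.
VENDOR_CODE = b"#!/bin/sh\necho 'installing widget 1.0'\n"
# The vendor publishes this digest separately from the package; here it is computed
# in place so the example runs offline.
PUBLISHED_DIGEST = digest(VENDOR_CODE)
# Constructed copy altered in transit: one extra line appended after the vendor built it.
ALTERED_CODE = VENDOR_CODE + b"echo 'line added after the vendor built it'\n"


if __name__ == "__main__":
    print("md5(hello) =", digest(b"hello", "md5"))
    print("md5(hell0) =", digest(b"hell0", "md5"))
    print("hex positions that differ:", avalanche(b"hello", b"hell0"))
    print("original copy:", install_decision(VENDOR_CODE, PUBLISHED_DIGEST))
    print("altered copy :", install_decision(ALTERED_CODE, PUBLISHED_DIGEST))
```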