
iPAS Information Security Engineer Study Notes

TLDR

  • CIA Triad (Confidentiality, Integrity, Availability) represents security protection goals; AAA Framework (Authentication, Authorization, Accounting) is the implementation mechanism for access control.
  • Defense in Depth strategy requires multi-layered controls to ensure protection even if a single point of failure occurs.
  • ISO 27001 is the ISMS management system certification standard; SoA (Statement of Applicability) records the justification for the selection of control measures.
  • Risk Formula: Risk = Threat × Vulnerability × Asset Value; ALE = ARO × SLE.
  • Incident Response (NIST SP 800-61): Containment is the top priority; Lessons Learned are key to continuous improvement.
  • Digital Forensics: Follow the order of volatility (RAM → Disk → Logs); the forensic process must maintain a Chain of Custody.
  • Backup Strategy: The 3-2-1 rule (3 copies, 2 types of media, 1 off-site) is the minimum standard.
  • Network Security: VLAN isolation must guard against Double Tagging attacks; IPv6 requires security policies synchronized with IPv4.
  • Cryptography: Symmetric encryption (AES-GCM) is used for bulk data; asymmetric encryption (RSA/ECC) is used for key exchange and signatures; password storage must use slow hashing (Argon2id/bcrypt).
  • Zero Trust Architecture: The core principle is "Never Trust, Always Verify," implemented through PEP/PA/PE components to achieve granular access control.

Basic Concepts

Fundamentals of Information Security

CIA and AAA Frameworks

  • When to encounter this issue: When designing system architecture or conducting security compliance assessments, it is necessary to clarify protection goals and implementation mechanisms.
  • Core points:
    • CIA Triad: Confidentiality, Integrity, Availability.
    • AAA Framework: Authentication (who you are), Authorization (what you can do), Accounting/Auditing (what you did).
  • Conclusion: CIA is the goal, AAA is the means; they are complementary.

Defense in Depth

  • When to encounter this issue: When a single defense layer (such as a firewall) is breached and the system becomes fully exposed.
  • Approach: Establish multi-layered security defenses (governance, physical, network, host, application, data) so that even if one layer is breached, other layers still provide protection.

Information Asset Classification

  • When to encounter this issue: When an enterprise needs to determine liability for damages following a data breach.
  • Role definitions:
    • Asset Owner: Business unit manager, determines classification levels and approves access.
    • Asset Custodian: IT department, implements technical control measures.

Regulations and Compliance

ISO/IEC 27001 and ISMS

  • When to encounter this issue: When an organization needs to prove its security management capabilities to a third party.
  • Key points:
    • 27001 is a requirement (SHALL), 27002 is a guideline (SHOULD).
    • SoA (Statement of Applicability): Must record the justification for the selection of each control measure in Annex A.
  • Conclusion: Achieving certification indicates that the management system complies with standards, not that technical controls are 100% free of vulnerabilities.

Audit Types

  • When to encounter this issue: Clarifying the legal validity and certification qualifications of audit reports.
  • Conclusion: Only third-party audits can issue certification certificates. Regulatory audits (such as the Financial Supervisory Commission auditing a bank) are considered second-party audits.

Risk Management

Risk Assessment and Treatment

  • When to encounter this issue: When security budgets are limited and it is necessary to decide which vulnerabilities to patch first.
  • Risk Formula: ALE (Annualized Loss Expectancy) = ARO (Annualized Rate of Occurrence) × SLE (Single Loss Expectancy).
  • Treatment Strategies: Avoidance, Modification (Mitigation), Sharing (Transfer), Retention (Acceptance).
  • Conclusion: Risk cannot be reduced to zero; residual risk must be formally approved by management.
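Added example (not part of the notes): a small risk register in Python that applies ALE = ARO × SLE to constructed figures and ranks proposed controls by their net annual value, which is the decision the budget question above asks for. All names and amounts are assumptions for illustration.

```python
"""Rank risks and proposed controls by ALE = ARO x SLE (constructed sample data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float           # Single Loss Expectancy: cost of one occurrence
    aro: float           # Annualized Rate of Occurrence: expected incidents per year
    control_cost: float  # annual cost of the proposed control
    aro_after: float     # expected ARO once the control is in place


def ale(sle: float, aro: float) -> float:
    """ALE = ARO x SLE, the formula from the notes."""
    return sle * aro


def control_value(r: Risk) -> float:
    """Net annual benefit of a control: ALE before minus ALE after minus control cost.
    A negative value means the control costs more than the risk it removes,
    which argues for retention (acceptance) rather than modification."""
    return ale(r.sle, r.aro) - ale(r.sle, r.aro_after) - r.control_cost


def prioritize(risks: list) -> list:
    """Return (name, ALE, net control value) tuples, best-value control first."""
    rows = [(r.name, ale(r.sle, r.aro), control_value(r)) for r in risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed register; every figure is illustrative and not taken from the notes.
SAMPLE_RISKS = [
    Risk("ransomware on file server", sle=200_000, aro=0.5, control_cost=30_000, aro_after=0.1),
    Risk("laptop theft", sle=5_000, aro=2.0, control_cost=1_000, aro_after=0.5),
    Risk("datacenter flood", sle=1_000_000, aro=0.01, control_cost=50_000, aro_after=0.002),
]

if __name__ == "__main__":
    for name, yearly_loss, value in prioritize(SAMPLE_RISKS):
        print(f"{name:28s} ALE={yearly_loss:>10,.0f}  net control value={value:>10,.0f}")
```

The flood control comes out negative, so the register would record that risk as retained with management sign-off, as the conclusion above requires.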

Incident Management

Security Incident Response (NIST SP 800-61)

  • When to encounter this issue: When a security incident occurs and rapid damage control is required.
  • Process:
    1. Preparation: Establish CSIRT and response plans.
    2. Detection and Analysis: Identify incidents via SIEM.
    3. Containment, Eradication, and Recovery: Containment is the first priority, to prevent the incident from spreading.
    4. Post-Incident Activity: Write reports and implement continuous improvement.

Digital Forensics: Order of Volatility

  • When to encounter this issue: When evidence needs to be preserved for legal purposes.
  • Principle: Collect evidence based on volatility (CPU cache → RAM → Running processes → Disk → Remote logs).
  • Conclusion: The forensic process must use a Write Blocker and calculate Hash values to maintain the Chain of Custody.
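Added example (not from the notes): a Python chain-of-custody log in which each handover entry records the SHA-256 of the evidence image and the hash of the previous entry, so that both a modified image and an edited or removed entry are detected on verification. The image bytes, actors and timestamps are constructed.

```python
"""Hash-chained chain-of-custody log for an evidence image (constructed data)."""
import hashlib
import json


def evidence_hash(data: bytes) -> str:
    """SHA-256 of the acquired image; recomputed later to prove it is unchanged."""
    return hashlib.sha256(data).hexdigest()


def append_entry(log: list, actor: str, action: str, digest: str, when: str) -> dict:
    """Each entry commits to the previous entry's hash, so editing or removing
    an earlier handover breaks every later link."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    body = {"actor": actor, "action": action, "evidence_sha256": digest,
            "timestamp": when, "prev_hash": prev}
    body["entry_hash"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    log.append(body)
    return body


def verify_log(log: list, data: bytes) -> bool:
    """True only if every link is intact and the image still matches the recorded hash."""
    expected_prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        recomputed = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["prev_hash"] != expected_prev or recomputed != entry["entry_hash"]:
            return False
        if entry["evidence_sha256"] != evidence_hash(data):
            return False
        expected_prev = entry["entry_hash"]
    return True


SAMPLE_IMAGE = b"constructed disk image bytes, not a real acquisition"  # constructed


def build_sample_log(image: bytes = SAMPLE_IMAGE) -> list:
    """Constructed custody trail: acquisition behind a write blocker, then handover."""
    log: list = []
    digest = evidence_hash(image)
    append_entry(log, "first responder", "acquired disk image via write blocker", digest, "2026-05-02T09:00:00Z")
    append_entry(log, "analyst", "received image for analysis", digest, "2026-05-02T11:30:00Z")
    return log
```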

Network Security

VLAN Security

  • When to encounter this issue: When an attacker accesses resources across network segments due to VLAN configuration flaws.
  • Defense:
    • Disable DTP auto-negotiation.
    • Change the Native VLAN to an unused ID to prevent Double Tagging attacks.
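Added example (not from the notes): a Python check over captured Ethernet frames that flags stacked 802.1Q tags whose outer tag equals the native VLAN. The native VLAN value of 1 and the frame fixtures are constructed; the check also shows why the second defense point works, since the same frame stops matching once the native VLAN is moved to an unused ID.

```python
"""Detect stacked 802.1Q tags (double tagging) in captured Ethernet frames."""
import struct

TPID_8021Q = 0x8100
NATIVE_VLAN = 1  # constructed: a trunk still using the default native VLAN


def parse_vlan_tags(frame: bytes) -> tuple:
    """Return (VLAN IDs outer-to-inner, ethertype of the payload that follows)."""
    offset = 12  # destination and source MAC
    vids = []
    while True:
        if offset + 4 > len(frame):
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != TPID_8021Q:
            return vids, ethertype
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4


def is_double_tagged(frame: bytes, native_vlan: int = NATIVE_VLAN) -> bool:
    """Flag a frame whose outer tag is the native VLAN and which carries a second tag:
    the trunk strips the outer tag, and the inner one then decides the VLAN."""
    vids, _ = parse_vlan_tags(frame)
    return len(vids) >= 2 and vids[0] == native_vlan


def build_frame(vids: list, payload_type: int = 0x0800) -> bytes:
    """Constructed capture fixture: broadcast dst, locally administered src, given tag stack."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vids)
    return hdr + tags + struct.pack("!H", payload_type) + b"\x00" * 46


def audit(frames: list, native_vlan: int = NATIVE_VLAN) -> list:
    """Indexes of frames in a capture that should be investigated."""
    return [i for i, f in enumerate(frames) if is_double_tagged(f, native_vlan)]
```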

Zero Trust Architecture

  • When to encounter this issue: When traditional VPN perimeter defense fails to meet the needs of remote work and cloud environments.
  • Core Principles: Never trust, always verify; least privilege; assume breach.
  • Implementation: Intercept all requests via PEP (Policy Enforcement Point), with dynamic authorization performed by PA/PE.
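Added example (not from the notes): a Python sketch of the PEP/PE split, in which the enforcement point forwards nothing without a fresh decision and the policy engine re-checks identity, device posture and least privilege on every request. The roles, resources and policy table are constructed assumptions.

```python
"""Toy Zero Trust flow: PEP intercepts each request, PE decides it afresh (constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    subject: str
    role: str
    mfa: bool               # authentication strength presented with this request
    device_compliant: bool  # device posture at the time of the request
    resource: str
    action: str


# Constructed least-privilege policy: role -> (resource, action) pairs it may perform.
POLICY = {
    "analyst": {("soc-logs", "read")},
    "admin": {("soc-logs", "read"), ("soc-logs", "write"), ("prod-db", "read")},
}


def policy_engine(req: Request) -> tuple:
    """PE: every call evaluates identity, posture and entitlement again; nothing is
    inherited from an earlier decision or from the network the request came from."""
    if not req.mfa:
        return False, "authentication: MFA not satisfied"
    if not req.device_compliant:
        return False, "device posture: non-compliant device"
    if (req.resource, req.action) not in POLICY.get(req.role, set()):
        return False, "authorization: action not in least-privilege policy"
    return True, "allowed"


def policy_enforcement_point(req: Request, audit_log: list) -> bool:
    """PEP: forwards only on an explicit allow and records every decision (accounting)."""
    allowed, reason = policy_engine(req)
    verdict = "ALLOW" if allowed else "DENY"
    audit_log.append(f"{req.subject} {req.action} {req.resource}: {verdict} ({reason})")
    return allowed
```

The same subject is allowed and then denied as soon as the device posture changes, which is the practical meaning of "always verify".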

Cryptography

Selection of Encryption Algorithms

  • Symmetric Encryption: AES-GCM (Recommended, includes integrity verification).
  • Asymmetric Encryption: RSA-OAEP / RSA-PSS or ECC (ECDSA/ECDHE).
  • Password Storage: Argon2id or bcrypt (slow hashing); the use of MD5/SHA-1 is strictly prohibited.
  • Conclusion: Never implement your own encryption algorithms; always use standard libraries.

Development and Operations Security

SSDLC and DevSecOps

  • When to encounter this issue: When severe vulnerabilities are discovered during software development, making patching costs too high.
  • Approach: Embed security testing (SAST/SCA/DAST) into the CI/CD Pipeline to implement "Security as Guardrails."
  • Conclusion: Security should be involved from the requirements phase (threat modeling), not just during the testing phase.

Container Security

  • When to encounter this issue: When container escape leads to host compromise.
  • Defense:
    • Image scanning (Trivy/Grype).
    • Least privilege (non-root execution, read-only root filesystem).
    • Runtime monitoring (Falco/Tetragon).

Change Log

  • 2026-05-02 Initial document creation.
  • 2026-05-21 Added technical details and charts, refined terminology.