iPAS Exam Preparation Notes - Information Security Engineer

TLDR

  • CIA and AAA: CIA represents the protection goals (Confidentiality, Integrity, Availability), while AAA represents access control mechanisms (Authentication, Authorization, Accounting).
  • Asset Management: Primary assets are carriers of business value, while supporting assets are the means of support; sensitivity classification (Public/Internal/Confidential/Private) must be determined by the asset owner.
  • ISO 27001: A management system standard (certifiable); control measures in Annex A must be selected based on risk assessment results and recorded in the SoA.
  • Risk Management: Risk = Threat × Vulnerability × Asset Value; quantitative analysis (ALE/ROSI) provides a basis for financial decision-making, while qualitative analysis (risk matrix) is used for rapid screening.
  • Incident Response: Containment is the top priority; MTTD (Mean Time to Detect) is more critical than MTTR (Mean Time to Respond); digital forensics follows the order of volatility (RAM → Disk → Log).
  • Network Security: ARP Spoofing achieves MITM by forging ARP responses; BGP Hijacking exploits longest prefix matching to hijack traffic; DNSSEC ensures DNS authenticity through digital signatures.
  • Cryptography: Symmetric encryption (AES-GCM) is suitable for large volumes of data; asymmetric encryption (RSA/ECC) is used for key exchange and signatures; password storage must use slow hashes (Argon2id/bcrypt) combined with a salt.
  • Cloud Security: In the shared responsibility model for cloud service models (IaaS/PaaS/SaaS), data security and identity management are always the customer's responsibility; CNAPP integrates CSPM/CWPP/CIEM for comprehensive protection.

Basic Concepts

Information Security Fundamentals and Terminology

Information Security Fundamentals (CIA and AAA)

  • CIA Triad: Confidentiality, Integrity, Availability.
  • AAA Framework: Authentication (who you are), Authorization (what you can do), Accounting/Auditing (what you did).
  • Defense in Depth: Through multi-layered security controls (governance, physical, network, host, application, data), even if one layer is breached, other layers still provide protection.

Information Ethics and Asset Management

  • PAPA Theory: Privacy, Accuracy, Property, Accessibility.
  • Asset Classification: Primary assets (the business value itself) and supporting assets (the means to carry the primary assets).
  • Classification Dimensions: Sensitivity (Confidentiality-oriented) and Criticality (Availability-oriented).
  • Role Division: Asset Owner (business unit, determines classification) and Asset Custodian (IT department, implements controls).

Regulations and Compliance

ISO/IEC 27001 and ISMS

  • ISO 27001: ISMS management system requirements; organizations must comply with clauses 4–10.
  • SoA (Statement of Applicability): Based on risk assessment results, explains the reasons for selecting Annex A control measures.
  • PDCA Cycle: Plan, Do, Check, Act is the core of continuous improvement.

Auditing and Certification

  • Audit Types: First-party (internal), second-party (customer/regulatory authority), third-party (independent certification body).
  • SOC 2 Type 1 vs Type 2: Type 1 is a design review at a specific point in time; Type 2 is a verification of operational effectiveness over a period of time.

Risk Management

Risk Assessment Process

  1. Asset Identification: Inventory and classification.
  2. Threat and Vulnerability Identification: Identify applicable threats and existing vulnerabilities.
  3. Risk Analysis: Assess probability and impact (qualitative or quantitative).
  4. Risk Treatment: Choose to avoid, modify (reduce), share, or retain (accept).

Risk Quantification Formulas

  • ALE (Annualized Loss Expectancy) = ARO (Annualized Rate of Occurrence) × SLE (Single Loss Expectancy).
  • SLE = AV (Asset Value) × EF (Exposure Factor).
  • ROSI (Return on Security Investment): Measures the financial justification of security control measures.
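Worked example, added here and not part of the original notes: the ALE and SLE formulas above applied to a constructed ransomware scenario, with two candidate controls ranked by ROSI. The notes name ROSI without a formula; the block uses the commonly used formulation ROSI = (ALE_before − ALE_after − control cost) / control cost, and all asset values, factors and costs are constructed sample figures.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Scenario:
    """One loss scenario expressed in the notes' terms: AV, EF and ARO."""
    asset_value: float      # AV: value of the asset at risk
    exposure_factor: float  # EF: fraction of AV lost in a single incident (0..1)
    aro: float              # ARO: expected number of incidents per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0 or self.aro < 0 or self.asset_value < 0:
            raise ValueError("EF must be in [0, 1]; AV and ARO must be non-negative")

def sle(s: Scenario) -> float:
    """SLE = AV x EF."""
    return s.asset_value * s.exposure_factor

def ale(s: Scenario) -> float:
    """ALE = ARO x SLE."""
    return s.aro * sle(s)

def rosi(before: Scenario, after: Scenario, annual_cost: float) -> float:
    """ROSI = (ALE_before - ALE_after - control cost) / control cost.
    Commonly used formulation (assumed here; the notes give no formula)."""
    if annual_cost <= 0:
        raise ValueError("control cost must be positive")
    return (ale(before) - ale(after) - annual_cost) / annual_cost

def rank_controls(before: Scenario, controls):
    """controls: iterable of (name, scenario_with_control, annual_cost).
    Returns [(name, rosi)] best-first; a negative ROSI means the control
    costs more per year than the loss it avoids."""
    scored = [(name, rosi(before, after, cost)) for name, after, cost in controls]
    return sorted(scored, key=lambda t: t[1], reverse=True)

# Constructed sample: ransomware on a file server, before any additional control.
BEFORE = Scenario(asset_value=200_000, exposure_factor=0.25, aro=0.5)
# Constructed control options: one lowers impact (EF), one lowers likelihood (ARO).
# Both cut ALE to the same figure, yet their ROSI differs because the costs differ.
CONTROLS = [
    ("Offline backups", replace(BEFORE, exposure_factor=0.05), 8_000),
    ("EDR rollout", replace(BEFORE, aro=0.1), 15_000),
]

if __name__ == "__main__":
    print(f"ALE before controls: {ale(BEFORE):,.0f}")
    for name, r in rank_controls(BEFORE, CONTROLS):
        print(f"{name}: ROSI = {r:.2f}")
```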

Incident Management

Information Security Incident Response (NIST SP 800-61)

  1. Preparation: Establish teams, tools, and drills.
  2. Detection and Analysis: Monitoring, alert classification.
  3. Containment, Eradication, and Recovery: Isolate infected systems (priority), remove malicious code, restore systems.
  4. Post-Incident Activity: Write reports, summarize experience (Lessons Learned).

Digital Forensics

  • Order of Volatility: CPU Cache → RAM → Network Connections → Temporary Files → Hard Disk → Remote Logs.
  • Integrity Verification: Use Hash (e.g., SHA-256) to ensure the evidence copy is consistent with the original media.

Network Security

Network Architecture and Attacks

  • ARP Spoofing: Forging ARP responses to achieve MITM attacks.
  • BGP Hijacking: Announcing a more specific (longer) prefix, which routers prefer under Longest Prefix Match, to hijack traffic.
  • DNSSEC: Verifying the authenticity of DNS responses through digital signatures to prevent cache poisoning.
  • VPN: IPsec (L3, suitable for Site-to-Site), SSL/TLS VPN (L4-L7, suitable for Remote Access).
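Detection example for the ARP Spoofing item above, added here and not part of the original notes: it compares a baseline ARP cache snapshot with a later one and flags the two symptoms a forged ARP response leaves behind, a changed MAC for the gateway and one MAC answering for several IPs. The snapshot format follows `ip -4 neigh` output, and the addresses are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed ARP cache snapshots in "ip -4 neigh" format:
# <ip> dev <iface> lladdr <mac> <state>
BASELINE = """
192.168.1.1 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:00:00:20 STALE
"""
SNAPSHOT = """
192.168.1.1 dev eth0 lladdr aa:bb:cc:00:00:20 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:00:00:20 REACHABLE
192.168.1.30 dev eth0 lladdr aa:bb:cc:00:00:30 STALE
"""

LINE_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17})", re.I)

def parse_neigh(text: str) -> dict:
    """Maps IP -> MAC; lines without a lladdr (FAILED/INCOMPLETE) are skipped."""
    table = {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table

def detect_arp_anomalies(baseline_text: str, snapshot_text: str, gateway_ip: str) -> list:
    """Returns alert strings; an empty list means nothing suspicious."""
    before, after = parse_neigh(baseline_text), parse_neigh(snapshot_text)
    alerts = []
    # 1. The gateway's MAC differs from the baseline: a victim poisoned this way
    #    now sends its default-route traffic to the attacker (MITM).
    if gateway_ip in before and gateway_ip in after and before[gateway_ip] != after[gateway_ip]:
        alerts.append(f"gateway {gateway_ip} MAC changed {before[gateway_ip]} -> {after[gateway_ip]}")
    # 2. One MAC answers for several IPs. Legitimate in some designs (VRRP/HSRP,
    #    proxy ARP), so treat it as a lead to confirm, not proof.
    by_mac = defaultdict(set)
    for ip, mac in after.items():
        by_mac[mac].add(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(f"MAC {mac} claims multiple IPs: {sorted(ips)}")
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_anomalies(BASELINE, SNAPSHOT, "192.168.1.1"):
        print("ALERT:", alert)
```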

Network Defense

  • NAC (802.1X): Perform identity authentication and health checks before connection.
  • VLAN Security: Disable DTP auto-negotiation and change the Native VLAN from its default to prevent Double Tagging attacks.
  • Firewall: NGFW integrates DPI and application identification; WAF focuses on L7 Web attack protection.

Cryptography

Encryption Technology

  • Symmetric Encryption: AES-GCM (recommended, features authenticated encryption).
  • Asymmetric Encryption: RSA, ECC (Elliptic Curve, shorter keys, better performance).
  • Hash Functions: SHA-256 (integrity check), Argon2id/bcrypt (password storage, slow hash).
  • Digital Signatures: Use private key for signing and public key for verification to ensure integrity and non-repudiation.

Development and Operations Security

SSDLC and DevSecOps

  • SAST: Static analysis of source code (e.g., SonarQube).
  • DAST: Dynamic scanning of running applications (e.g., OWASP ZAP).
  • SCA: Scanning for vulnerabilities in third-party packages (e.g., Snyk).
  • SBOM: Software Bill of Materials, tracking dependencies to address supply chain risks.

Container and Cloud Security

  • Container Security: Image scanning, minimized Base Image, runtime monitoring (Falco).
  • Cloud Security: CSPM (configuration), CWPP (runtime), CIEM (permissions).
  • IaC Security: Scanning for configuration errors before deployment (Checkov).

Identity and Access

Access Control Models

  • RBAC: Role-Based Access Control.
  • ABAC: Attribute-Based Access Control (time, location, identity) for dynamic authorization.
  • Zero Trust: Never trust, always verify; identity is the perimeter.

Authentication Mechanisms

  • FIDO2 / Passkey: Phishing-resistant passwordless authentication standard, credentials bound to Origin.
  • OAuth 2.0 / OIDC: OAuth 2.0 is an authorization framework; OIDC adds an identity authentication layer on top of it.
  • PAM: Manages privileged accounts, provides password vaults and JIT access.
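Example for the FIDO2 / Passkey item above, added here and not part of the original notes: the Relying Party side of the origin binding. The browser writes the page's origin into clientDataJSON, which the authenticator signs over, so the RP's check of `type`, `challenge` and `origin` rejects an assertion produced on a lookalike domain. `RP_ORIGIN`, `make_client_data` and the sample challenge are constructed for this example; signature verification over authenticatorData || SHA-256(clientDataJSON) is a separate step not shown.

```python
import base64
import json
import secrets

# The origin this Relying Party (RP) expects; constructed for this example.
RP_ORIGIN = "https://login.example.com"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_client_data(origin: str, challenge: bytes, ceremony: str = "webauthn.get") -> bytes:
    """Constructed stand-in for the clientDataJSON a browser builds; the browser,
    not the web page, fills in 'origin', which is what makes the binding phishing-resistant."""
    return json.dumps({"type": ceremony, "challenge": b64url_encode(challenge),
                       "origin": origin, "crossOrigin": False}).encode()

def verify_client_data(client_data_json: bytes, expected_challenge: bytes,
                       expected_origin: str = RP_ORIGIN) -> bool:
    """RP-side checks on clientDataJSON for an authentication (assertion) ceremony.
    Returns False on any mismatch; the signature check happens after this passes."""
    try:
        data = json.loads(client_data_json)
    except ValueError:
        return False
    if data.get("type") != "webauthn.get":
        return False
    # The challenge must be the one the RP issued for this session (replay protection).
    try:
        challenge = b64url_decode(data.get("challenge", ""))
    except (ValueError, TypeError):
        return False
    if not secrets.compare_digest(challenge, expected_challenge):
        return False
    # Origin binding: an assertion produced on a lookalike domain carries that
    # domain's origin and fails here, whatever the user typed or clicked.
    return data.get("origin") == expected_origin

# Constructed session challenge (the RP generates a fresh random one per ceremony).
CHALLENGE = secrets.token_bytes(32)
LEGIT = make_client_data(RP_ORIGIN, CHALLENGE)
LOOKALIKE = make_client_data("https://login.examp1e.com", CHALLENGE)

if __name__ == "__main__":
    print("legit origin accepted:", verify_client_data(LEGIT, CHALLENGE))
    print("lookalike origin accepted:", verify_client_data(LOOKALIKE, CHALLENGE))
```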