CISSP Domain 7 Review – Security Operations

This post serves as a review of Domain 7 of the CISSP, which covers security operations.

Investigation types

There are four different investigation types:

  1. Administrative :
    • Lower burden of proof.
    • Conducted inside an organization.
    • Violation of organizational policies.
  2. Criminal :
    • Evidence needs to be beyond a reasonable doubt.
    • Prosecution under criminal laws.
  3. Civil :
    • Preponderance of evidence.
    • Between private entities.
    • Determines if an entity is liable or not.
  4. Regulatory :
    • Preponderance of evidence.
    • Can be either criminal or civil.
    • Determines if an organization is compliant with a regulation.


There are three main types of evidence:

  1. Real evidence : Tangible evidence, i.e. objects that can be brought to court and physically touched and inspected.
  2. Documentary : Written or digital evidence.
    • Authentication rule : The evidence can be backed up by a testimony. (For example, a cybersecurity expert can provide an expert opinion about logs that are introduced as evidence).
    • Best evidence rule : A copy is not admissible if the original document exists.
    • Parol evidence rule : If a written contract exists between two parties, any other evidence that contradicts it will be excluded.
  3. Testimonial : There are three types of testimonial evidence:
    • Direct evidence : For example, an eyewitness who has actually observed the incident.
    • Expert opinion.
    • Hearsay evidence : Indirect or secondhand testimony.

There are multiple techniques that we can use to gather evidence:

  • Automatic capture (e.g. logging).
  • Manual capture.
  • Interviews : Conducted in a private, non-threatening place, with more than one interviewer.
    • Not to be confused with an interrogation, which aims to extract a confession and should be conducted by law enforcement agents.
  • External capture : Requested from external sources (e.g. an ISP).

No matter the technique used, evidence should always be relevant, material and competent.

Just as importantly, the chain of custody should be maintained to prove that the evidence has been handled properly.

Finally, it is important to know the Electronic Discovery (e-discovery) process: identification, preservation, collection, processing, review and production.

Digital forensics

There are many types of digital forensics. The three most common ones are :

  • Disk forensics
  • Software forensics.
    • To detect malware origins.
    • To establish intellectual property ownership.
  • Network forensics

Digital forensics requires specialized tools:

  • Write blockers / Forensic disk controller
  • Debuggers and decompilers.
  • Drive imaging tools.
  • Packet analyzers (Sniffers)

When conducting forensics, you should consider the following good practices:

  • Priority: order of volatility. Always collect the most volatile data first (network traffic, CPU registers, memory cache, RAM).
  • Only people with proper training should perform digital forensics.
  • Capture time details.
  • Preserve and verify file integrity.
  • Always maintain the chain of custody.
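As an added illustration of the last two practices (integrity and chain of custody), not code from the original post, the snippet below hashes a constructed stand-in for a disk image, records every handoff in a hash-linked custody log, and verifies the log. The person names, timestamps and the tiny "image" are made-up sample values.

```python
import hashlib
import json

# Constructed stand-in for an acquired disk image (a few bytes instead of gigabytes).
IMAGE = b"\x00" * 512 + b"NTFS    " + b"\x00" * 512

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def open_custody_log(evidence, collected_by, when):
    """First entry: who acquired the evidence and the hash of the image as acquired."""
    entry = {"seq": 0, "action": "acquired", "by": collected_by, "at": when,
             "evidence_sha256": sha256(evidence), "prev_entry_sha256": None}
    entry["entry_sha256"] = sha256(json.dumps(entry, sort_keys=True).encode())
    return [entry]

def record_transfer(log, evidence, from_person, to_person, when):
    """Every handoff re-hashes the evidence and links the entry to the previous one."""
    prev = log[-1]
    entry = {"seq": prev["seq"] + 1, "action": f"transfer {from_person} -> {to_person}",
             "by": to_person, "at": when, "evidence_sha256": sha256(evidence),
             "prev_entry_sha256": prev["entry_sha256"]}
    entry["entry_sha256"] = sha256(json.dumps(entry, sort_keys=True).encode())
    log.append(entry)
    return entry

def verify_custody(log, evidence):
    """Return (ok, reason). Fails if the evidence changed or any entry was altered/unlinked."""
    expected = sha256(evidence)
    prev_hash = None
    for e in log:
        body = {k: v for k, v in e.items() if k != "entry_sha256"}
        if sha256(json.dumps(body, sort_keys=True).encode()) != e["entry_sha256"]:
            return False, f"entry {e['seq']} was altered"
        if e["prev_entry_sha256"] != prev_hash:
            return False, f"entry {e['seq']} does not link to the previous entry"
        if e["evidence_sha256"] != expected:
            return False, f"evidence hash changed at entry {e['seq']}"
        prev_hash = e["entry_sha256"]
    return True, "chain intact"
```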

One last note before we move on to the next section: virtualization can provide a sandbox environment that helps in forensics. Another advantage of virtualization is that virtual machines are easy to snapshot.

Logging and Monitoring

There are multiple ways of logging and monitoring security events:

Intrusion detection and prevention systems.

  • Deployment location :
    • Host-based.
    • Network-based.
    • Perimeter placement
    • Combination of multiple locations.
  • Detection types :
    • Signature-based : Compares traffic with a database of signatures. It only detects known attacks, not zero-day attacks, so the database must be updated continuously.
    • Deviation : Compares traffic with a baseline of traffic patterns, and sends an alert if a deviation from the baseline has occurred.
    • Heuristic : Applies machine learning algorithms and learns how the environment operates. This is also called behavior-based.

Security information and event management.

A Security Information and Event Management (SIEM) system performs the following functions :

  • Aggregation : Gathers security log information from multiple sources.
  • Normalization : Presents the collected data in a meaningful, understandable way.
  • Correlation : Compares events across the different logs, and provides a global view of the security status.
  • Reporting.
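To make the first three functions concrete, here is an added example (not code from the original post) that aggregates constructed log lines from two sources with different formats, normalizes them onto one schema, and correlates authentication failures per source IP across both sources. The log formats, hostnames and addresses are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines from two sources with different formats (not real data).
SSH_LOGS = [
    "2024-03-01T10:00:01Z sshd[812]: Failed password for root from 203.0.113.7 port 5012 ssh2",
    "2024-03-01T10:00:04Z sshd[812]: Failed password for admin from 203.0.113.7 port 5013 ssh2",
    "2024-03-01T10:00:09Z sshd[812]: Accepted password for alice from 198.51.100.2 port 40022 ssh2",
]
VPN_LOGS = [
    "Mar 01 2024 10:00:06 vpn01 AUTH-FAIL user=bob src=203.0.113.7",
]
SSH_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
                    r"for (?P<user>\S+) from (?P<src>\S+)")
VPN_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) vpn01 "
                    r"AUTH-(?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)")

def normalize(line):  # normalization: map a raw line from either source onto one common schema
    m = SSH_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        return {"ts": ts, "source": "sshd", "user": m["user"], "src_ip": m["src"],
                "outcome": "failure" if m["result"] == "Failed" else "success"}
    m = VPN_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        return {"ts": ts, "source": "vpn", "user": m["user"], "src_ip": m["src"],
                "outcome": "failure" if m["result"] == "FAIL" else "success"}
    return None  # unknown format: a real SIEM would park this for a new parser

def correlate(events, threshold=3, window_s=60):  # correlation across sources, per source IP
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["outcome"] == "failure":
            failures[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in failures.items():
        for i, first in enumerate(evs):
            window = [e for e in evs[i:] if (e["ts"] - first["ts"]).total_seconds() <= window_s]
            if len(window) >= threshold:
                alerts.append({"src_ip": ip, "count": len(window),
                               "sources": sorted({e["source"] for e in window}),
                               "users": sorted({e["user"] for e in window})})
                break
    return alerts

def run():  # aggregation of both sources, then normalization and correlation
    events = [e for e in map(normalize, SSH_LOGS + VPN_LOGS) if e]
    return events, correlate(events)
```

Neither source alone reaches the threshold of three failures; only the correlated view does, which is the point of the function.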

Ingress monitoring

Ingress monitoring can be performed using tools such as firewalls, IDS/IPS, SIEM, and network taps/SPAN ports. It monitors data originating from outside the trusted network.

Egress monitoring

Egress monitoring is about data that is leaving the trusted network.

Data Leak Prevention (DLP) is a common tool used in egress monitoring. It compares data leaving the organization against a predefined rule set.

Upon detecting a violation, the DLP can do one of the following :

  • Only reminds the user that they’re trying to send sensitive information.
  • Asks for a confirmation from the user before proceeding.
  • Stops the operation, and notifies management.
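The following added example (not code from the original post) models such a DLP rule set: each rule carries one of the three actions above, and an outbound message receives the most severe action among the rules it matches. The rules, patterns and sample messages are constructed for illustration.

```python
import re

def luhn_ok(digits):
    """Luhn check so that random digit runs are not flagged as card numbers."""
    total, double = 0, False
    for d in reversed(digits):
        n = int(d) * 2 if double else int(d)
        total += n - 9 if n > 9 else n
        double = not double
    return total % 10 == 0

# Rule set: (label, pattern, action). The three actions are the ones the text lists.
RULES = [
    ("credit card number", re.compile(r"\b(?:\d[ -]?){13,16}\b"), "block"),
    ("internal project codename", re.compile(r"\bPROJECT-[A-Z]{4,}\b"), "confirm"),
    ("'confidential' marking", re.compile(r"\bconfidential\b", re.I), "warn"),
]
SEVERITY = {"warn": 0, "confirm": 1, "block": 2}

def inspect(message):
    """Return every (label, action) rule hit in an outbound message."""
    hits = []
    for label, pattern, action in RULES:
        for m in pattern.finditer(message):
            if label == "credit card number" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue
            hits.append((label, action))
    return hits

def decide(message):
    """Pick the most severe action among the hits: block > confirm > warn; no hits -> allow."""
    hits = inspect(message)
    if not hits:
        return "allow", hits
    return max((action for _, action in hits), key=SEVERITY.get), hits

def handle(message, user_confirms=False):
    """Apply the decision the way the text describes each action."""
    action, hits = decide(message)
    if action == "allow":
        return "sent"
    if action == "warn":
        return "sent (user reminded: %s)" % ", ".join(l for l, _ in hits)
    if action == "confirm":
        return "sent after confirmation" if user_confirms else "held pending confirmation"
    return "blocked, management notified"
```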

Information Security Practices

Domain 7 covers some security practices that you should know about when preparing for the CISSP exam:

  • Need to Know.
  • Least privilege.
  • Separation of duties.
  • Dual Control : When two persons are required to execute a task.
  • Two-man rule, Two-person integrity : When the presence of two authorized persons is required for an action to be performed.
  • Job rotation :
    • Prevents collusion, as two people won’t have time to develop a trust relationship.
    • Higher resiliency during disaster recovery.
  • Mandatory vacation : Provide an opportunity for audit.
  • Privileged account management.
    • Unique identifiable accounts to maintain accountability.
    • Stronger authentication : Multi-factor, challenge-response, stronger password restrictions…
    • Reviewing and monitoring on a continuous basis.

Securely Provision Resources

Asset inventory

Asset inventory should include both physical and virtual assets. For each asset, the following should be identified:

  • Owner.
  • Value
  • Cost of maintenance.
  • Location.
  • Lifespan.
  • Security classification.
  • Dependencies.

Automated tools, such as asset management agents installed on each host, can be used for asset inventory.

Configuration management

Some important concepts related to configuration management that you should know about:

  • Configuration Item (CI) : Any item that needs to be managed.
  • Baseline Configuration (BC) : A reference configuration that systems can be compared to in order to ensure that they are configured correctly.
  • Configuration Management (CM)
    • Managed by a Configuration Control Board (CCB), Change Advisory Board (CAB), or a Configuration/Change Management Board (CMB).
    • The CMB should include representatives from all stakeholders.
  • Change Management process:
    • Request control.
    • Change control.
    • Release control.
  • Patch management
    • Patches can be routine or emergency.
    • Considerations :
      • Timing and planning for the potential downtime.
      • Testing the patch in a safe environment.
      • Always perform backups before applying the patch.
      • Document, always document.
    • Potential problems
      • The patch may cause interoperability issues if dependencies exist between the system that needs to be patched and other systems.
      • A poorly developed patch may introduce new vulnerabilities.

Detective and Preventive Measures


The following services can be managed by an external third-party organization:

  • Threat intelligence.
  • Physical security.
  • Audit.
  • Network monitoring.

When contracting a third-party organization, you should keep in mind the following considerations:

  • Strong contract language.
  • Mutual review of security governance.
  • NDA (Non-Disclosure Agreement)
  • Contractors should provide errors and omissions insurance.
  • Regular audit and review.
  • Approval from regulators.


There are two types of sandboxing environments:

  • Hardware : A hardware environment that mimics the production environment. Much smaller in size, and contains only the necessary machines.
  • Software : A software environment where running processes do not affect other processes.


A honeypot is a host that does not contain any sensitive data. In the event of an attack, the honeypot serves as a distraction for attackers, while at the same time it provides a chance to gather data about them.

A honeynet is similar, but instead of one host, it consists of an entire network.


Anti-malware can be hardware- or software-based. It can operate on endpoints or on network devices.

Incident Management

Incident management follows the following steps:

  1. Detection
    • Using logs, SIEM…
    • People can also notice that an incident is happening.
    • Goal of first responder : Contain damage.
  2. Response
    • Confirm the incident.
    • Triage based on impact (Low, moderate, high).
  3. Mitigation
    • Isolate and contain the incident.
    • Mitigation ends with stability.
  4. Reporting
    • Internal reporting : Employees.
    • External reporting : Public, law enforcement, vendors, regulators.
  5. Recovery
    • Remove effects of incident.
    • Return to normal operations.
  6. Remediation
    • Address the cause of the incident.
    • Patching…
  7. Lessons learned
    • Reviewing and documenting how the incident was handled for future use.

Documentation should be present in all stages of the process.

One more term to remember : CIRT means Cyber Incident Response Team.

Recovery Strategies

Backup storage

There are three backup strategies:

  • Full : Backup all data.
  • Differential : Backup only data that has changed since the last full backup.
  • Incremental : Backup only data that has changed from the last full, differential or incremental backup.
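The difference between the three strategies is easiest to see by simulating them. The added example below (not code from the original post) runs a constructed four-day change history through each strategy and reports what each day's backup captures, how much is stored in total, and which backup sets must be replayed, in which order, to restore the latest state.

```python
# Constructed change history for four files; day 0 is the weekly full backup.
# Each later entry is the set of files modified that day.
CHANGES = [
    {"a", "b", "c", "d"},   # day 0: full backup of everything
    {"a"},                  # day 1
    {"b"},                  # day 2
    {"a", "c"},             # day 3
]

def backup_sets(changes, strategy):
    """Return, per day, the set of files each backup captures under the given strategy."""
    all_files = set(changes[0])
    sets = [set(all_files)]          # day 0 is a full backup under every strategy
    changed_since_full = set()
    for today in changes[1:]:
        changed_since_full |= today
        if strategy == "full":
            sets.append(set(all_files))           # everything, every day
        elif strategy == "differential":
            sets.append(set(changed_since_full))  # everything changed since the last full
        elif strategy == "incremental":
            sets.append(set(today))               # only what changed since the previous backup
        else:
            raise ValueError(f"unknown strategy: {strategy}")
    return sets

def restore_chain(sets, strategy):
    """Indices of the backup sets needed to rebuild the latest state, in apply order."""
    last = len(sets) - 1
    if strategy == "full":
        return [last]                  # one set is enough
    if strategy == "differential":
        return [0, last]               # last full + last differential
    return list(range(last + 1))       # last full + every incremental since, in order

def restore(sets, chain):
    """Replay the chain; a later set overwrites earlier copies of the same file.
    Returns {file: index of the backup set that supplied its newest copy}."""
    state = {}
    for i in chain:
        for f in sets[i]:
            state[f] = i
    return state

def storage_cost(sets):
    """Total number of file copies stored across all days (a proxy for backup size)."""
    return sum(len(s) for s in sets)
```

Incremental backups are the smallest but need the longest restore chain; differential backups grow each day but restore from just two sets.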

Recovery site

Consider the proper distance for the alternate site : not so close that it is impacted by the same disaster, and not so far that it is inaccessible to employees.

These are the most common types of recovery sites:

  • Hot : Contains all hardware, software, and data necessary for operation. The most expensive, but can operate immediately.
  • Warm : Contains most of the elements needed for operation, but generally not the current data. Less expensive than a hot site, and takes some time to become operational.
  • Cold : The least expensive solution, and the one that takes the longest to become operational. It is an empty facility with no hardware.
  • Mobile : A mobile facility that can support only a limited number of employees.
  • Cloud : Data is always backed up on the cloud. The organization can operate from anywhere with an Internet connection. Cost-saving and fast recovery.

System resilience


A UPS provides immediate power supply in case of a power interruption. It can only provide power for a short duration. If the interruption is longer than what can be handled by the UPS, then a generator should be available to take over.

The generator runs on fuel, so it takes time to start. The UPS is there to bridge the gap until the generator is running.

An automatic transfer switch should be installed to switch over to the generator when the power is interrupted.


RAID (Redundant Array of Independent Disks) levels are redundancy mechanisms used to provide resiliency in case of a disk failure. These are the most common RAID types:

  • RAID 0 : Striping. Requires two disks. If one disk fails, then half the data is lost. It provides no redundancy, and only improves performance.
  • RAID 1 : Mirroring. Requires two disks. If one disk fails, no data is lost. But it is space-inefficient, as only half the capacity is usable.
  • RAID 5 : Striping with parity bits. Requires at least three disks. If one disk fails, then data will not be lost.
  • Others : RAID 3, RAID 4, RAID 6, RAID 1+0, RAID 0+1.
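To show why RAID 5 survives a single disk failure, here is an added example (not code from the original post) of a small in-memory RAID 5 layout: each stripe stores one XOR parity block, rotated across the disks, and a failed disk's blocks are rebuilt from the surviving blocks of the same stripe. The chunk size, disk count and sample data are arbitrary constructed values.

```python
def xor_blocks(*blocks):
    """XOR equal-length byte blocks together; this is the RAID 5 parity function."""
    out = bytes(len(blocks[0]))
    for b in blocks:
        out = bytes(x ^ y for x, y in zip(out, b))
    return out

def raid5_write(data, n_disks=3, chunk=4):
    """Lay `data` out over n_disks with one parity block per stripe.
    The parity block rotates across disks from stripe to stripe, as in real RAID 5.
    Returns a list of n_disks lists, one block list per disk."""
    assert n_disks >= 3, "RAID 5 needs at least three disks"
    chunks = [data[i:i + chunk].ljust(chunk, b"\0") for i in range(0, len(data), chunk)]
    per_stripe = n_disks - 1                     # data blocks per stripe
    while len(chunks) % per_stripe:
        chunks.append(bytes(chunk))              # pad the final stripe with zeros
    disks = [[] for _ in range(n_disks)]
    for stripe_no in range(len(chunks) // per_stripe):
        stripe = chunks[stripe_no * per_stripe:(stripe_no + 1) * per_stripe]
        parity_disk = stripe_no % n_disks
        next_data = iter(stripe)
        for d in range(n_disks):
            disks[d].append(xor_blocks(*stripe) if d == parity_disk else next(next_data))
    return disks

def raid5_read(disks, failed=None):
    """Reassemble the data. If `failed` is a disk index, that disk is never read and
    each of its blocks is rebuilt by XORing the surviving blocks of the same stripe."""
    n_disks = len(disks)
    survivors = [d for d in range(n_disks) if d != failed]
    out = b""
    for stripe_no in range(len(disks[survivors[0]])):
        blocks = {d: disks[d][stripe_no] for d in survivors}
        if failed is not None:
            blocks[failed] = xor_blocks(*(blocks[d] for d in survivors))
        parity_disk = stripe_no % n_disks
        out += b"".join(blocks[d] for d in range(n_disks) if d != parity_disk)
    return out
```

A second simultaneous failure cannot be rebuilt this way, which is why RAID 6 adds a second parity block.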


Clustering is when multiple machines are combined to perform one activity. If one goes down, then the activity will still be performed by the other machines. (Example of clusters: Server, storage, network…)

Disaster Recovery Processes

In order to know when to launch a disaster recovery response, the following points should be determined:

  • People authorized to initiate the response.
  • Criteria for initiating the response.
  • Information and decision streams.

In addition, key personnel should be identified.

  • Responders:
    • Each response role should be assigned to a specific person and an alternate, both of whom should be trained.
    • Representatives from different parts of the organization.
  • Critical path personnel:
    • The personnel that have critical functions. They should continue their production activities during the response.

It should also be decided how communication with internal and external stakeholders will be handled. There should be a single voice for communication.

After recovery, assess the impact. It can help in civil action, criminal prosecution and informing regulators and investors.

Restoration is the return to normal. It is not the same as recovery. Recovery means returning to critical business functions.

Timing : Restoration should not be too soon, nor too late.

Disaster Recovery Plan Testing

There are five types of DRP testing:

  • Read-through : The most basic. Each person has to go through the plan. Also called checklist.
  • Walk-through : Simulation of response activities at actual locations. Also called tabletop.
  • Simulation : Like for example a fire drill.
  • Parallel : Tests are conducted in parallel at an alternate site without impacting operations. But it requires mobilizing the employees needed to perform the test, so it is more expensive.
  • Full-Interruption : Operations are interrupted to test the plan. This is the most expensive test.

Personnel Safety


The traveling employee should be aware of local risks and local emergency contacts. The organization should consider insurance coverage and secure remote access.

In addition, the employee may be in a different jurisdiction. It is therefore necessary to consider how this might impact their work (for example, in relation to data flow across borders).


A duress code is a code word in case an employee is being threatened. The duress code should be changed regularly. It should also be easy to remember, and subtle as to not create suspicion.

We have now gone through all items that are covered in the domain 7 of the CISSP. If you notice that there is some important concept that I have forgotten to mention in this review, please let me know in the comments below.