Identity and Access Management

  • Identity
    • An identity is the unique identifier of an entity.
    • An entity is anything that exists or comes into being.
  • Identification
    • Identification is the process for a subject to confess or present its identity to the authentication server.
  • Authentication
    • Authentication is the process for the authentication server to verify if the identity presented by the subject is authentic against the directory or account repository.
    • An access token is returned if the authentication succeeds.
  • Authorization
    • Authorization is the process for the service or resource provider to determine if the access request can be granted to the subject based on the access token presented and the access control matrix.
  • Accounting
    • Accounting is the process for the service or resource provider to generate records or logs against the subject’s activities so that the accountability can be enforced.
  • Session
    • A session is a two-way communication during a period of time with specific start and closure time.
    • It’s common for applications to track user activities during the session from logging in to logging out.
  • Get Started Your CISSP Journey!

CISSP = The Onion + The Peacock

  • CISSP is an ISC2 certified security professional of information systems.
  • The Onion and The Peacock as metaphors are the foundational concepts for CISSP aspirants to prepare for the CISSP exam.
    • The Onion is a metaphor as a concept model to protect assets (information systems) from threats through security controls to achieve the objectives of confidentiality, integrity, and availability (CIA), support the organizational mission and processes and deliver business values. (The triangle stands for the organization.)
    • The Peacock is a metaphor as a concept model to demonstrate the information system components, the target we are protecting.
  • The Amicliens InfoSec Conceptual Model is developed by Wentz Wu, co-founder of Amicliens, based on The Onion and The Peacock that integrates the CISSP and CISM knowledge areas seamlessly.
  • To start your CISSP journey, please visit the CISSP page.
    (https://wentzwu.com/cissp)
  • To know more about the author, Wentz Wu, please visit the About Me page.
    (https://wentzwu.com/about)

CISSP Domains

The CISSP domains can be divided into two parts: management and technical parts. The management part comprises domain 1, 2, 5, 6, and 7, and focuses on concepts, principles, processes, and practices, while the technical part, domain 3, 4, and 8, emphasizes the engineering things such as foundational technical and security knowledge, architecture, system lifecycle, and specific types of systems.

I suggest CISSP aspirants study the management part first and in sequence, then move onto the technical part. Both parts are equally important for you to pass the CISSP exam.

Lucifer

In cryptography, Lucifer was a direct precursor to the Data Encryption Standard (DES). IBM submitted the Feistel-network version of Lucifer as a candidate for the Data Encryption Standard.

The name “Lucifer” was apparently a pun on “Demon”. This was in turn a truncation of “Demonstration”, the name for a privacy system Feistel was working on.
It’s also an interesting television series on Netflix.

Old English, from Latin, ‘light-bringing, morning star’, from luxluc- ‘light’ + -fer ‘bearing’. Lucifer (sense 1)is by association with the ‘son of the morning’ (Isa. 14:12), believed by Christian interpreters to be a reference to Satan. (Google Dictionary)

Code Signing

Code Signing
 
Microsoft ActiveX components are a common but legacy example of mobile code. As a developer, it’s a good practice to sign your release with a code signing certificate so that end users can identify the software publisher. The code signing certificate is based on the PKI, a trust hierarchy.
 
Attached picture is the screenshot of code signing certificate configuration in Visual Studio 2017.

 

CISSP Study Strategy

  1. Position the CISSP as a PI-shaped exam (technical and managerial)
    CISSP needs deep “technical” and “managerial” knowledge and experience. It’s comprehensive, and CISSP aspirants have to think from a variety of perspectives, such as board director, senior management, CISO, auditor, law school student, procurement staff, engineer, developer, project/program manager, end user, attacker, and so forth.
  2. Stick to the CISSP Exam Outline
    Build a conceptual-level understanding of the Common Body Knowledge (CBK) presented as the CISSP Exam Outline. Understand every single terminology in the CISSP Exam Outline and explain to or teach your friends till you are feeling confident. For example, how do you define “security“, “risk“, and “management” in the title of Domain 1?
  3. Do at least 2500 practice questions to verify your knowledge
    Mere reading is not enough. Read and do questions iteratively to build and train your body of knowledge incrementally.
  4. Polish your test-taking skills
    The CISSP exam is an exam after all; you have to cultivate the test-taking skills on purpose as the real exam questions are deliberately “designed“.
  5. Study actively every day
    Keep studying every day to develop long-term memory. Follow Dale’s “Cone of Experience” to learn effectively.
  6. Determine to succeed in 3 months, no more than 6 months.
    Passing the CISSP exam is a project with a specific scope, schedule, and budget. You have to communicate well with your stakeholders to ensure your success; say, your family, boss, ISC2, mentors, peers, study groups, or online communities.

The CISSP Starter Page

Agile is what without Scrum, XP, Kanban, etc.

Agile is what without Scrum, XP, Kanban, etc.

Agile is a mindset, a collection of values, principles, and practices. The values and principles are explicitly expressed in a statement or so-called manifesto. Common practices are Scrum, XP, Kanban, and the like.

Implementing Agile practices is not sufficient to realize the values, let alone doing it without defining or clarifying the values.

Agile is not a concept based on intuition or implementation of Scrum, XP, or Kanban; it starts with a thoughtful and written statement of values. It implies that the problem in question has been considered and the values and principles are developed. Agile practices are the means to solve the problem based on the principles to deliver the values.

Start your Agile journey with an Agile Manifesto, no matter you develop your own or adopt a generally accepted one; say, the Manifesto for Agile Software Development.


敏捷就是沒有Scrum,XP,看板等的東西。

敏捷是一種思維方式,是價值觀,原則和實務作法的集合。 價值觀和原則可在聲明或所謂的宣言中明確表達。 常見的實務作法是Scrum,XP,看板等。

實施敏捷的實務作法不足以實現價值,更不用說在沒有定義或澄清敏捷價值的情況下就這麼作。

敏捷不是只憑感覺的一種觀念或只是實施Scrum,XP或看板就叫敏捷; 它始於一份經過深思熟慮的書面價值觀。 這意味著已經考慮了希望藉由敏捷解決的問題,並且制定了價值觀和原則。 敏捷實踐是解決問題的手段,須奠基於(敏捷)原則,以實現價值。

無論您是自己發展或是採用已普遍被接受的現有敏捷宣言,都可以通過敏捷宣言開始您的敏捷之旅; 比如,敏捷軟體開發宣言。

Agile for Cybersecurity! To Be or Not To Be?

The traditional concepts of continuous monitoring and continuous audit cover the concerns of security automation decorated with agile terminologies.

Oftentimes people think of implementing tools with Agile brands or getting faster as agile, while others consider it’s about business agility. I do think the original idea of Agile is about how people work together (as a self-organizing and cross-functional team) to cope with changes and to deliver values (iteratively and incrementally).

Before we start our Agile journey, we’d better define our problem statement and define what the values are behind the Agile umbrella.

If I’d like to incorporate agile things, I would prepare or mimic an agile manifesto first. The following is an example of Agile Manifesto for Cybersecurity from my perspective:
– People and culture over processes and tools
– Business value over comprehensive documentation
– Opportunities over Threats
– Proactive prevention over reactive response

How do we deal with the InfoSec governance, risk management, compliance and security operations based on the proposed Agile Manifesto for Cybersecurity? That’s a good question to start with.

Finally, incorporating agile elements into the cybersecurity setting is a great idea! but the idea of agile should be defined or at least clarified before we go.