TLS and ISO OSI Reference Model

ISO OSI Reference Model

The OSI model is defined in ISO 7498-1, which is available here (ISO PAS).
The following is a summary of ISO 7498-1:

  1. The Application layer includes facilities, such as agreement on security aspects (e.g. authentication, access control, data integrity); selection of mode of dialogue; and identification of abstract syntaxes, etc.
  2. The Presentation layer is all about “Syntax.” (Encoding/Decoding, compression, encryption, etc. are good examples.)
  3. The Session layer deals with dialogs, duplex/half-duplex interaction modes, and “typed” data transfer, etc.
  4. The Transport layer provides a “transparent” transfer of data and relieves the session layer from transmission details.


TLS requires a reliable underlying protocol and an in-order data stream. It typically runs on top of TCP (a transport layer protocol) to make up for TCP's security weakness. Hence, TLS works, in my opinion, in the session and presentation layers in terms of its Presentation Language, Handshake Protocol, Record Protocol, Cryptographic Computations, etc., as defined in RFC 8446.
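An added example (not from the original post) of why the Record Protocol needs the reliable, in-order byte stream mentioned above: a record's 5-byte header and body can be cut anywhere by TCP segmentation, so the receiver has to reassemble records from the stream. The class and function names and the sample bytes are constructed for illustration.

```python
import struct

# TLS record header (RFC 8446, section 5.1): type(1) | legacy_version(2) | length(2)
HEADER_LEN = 5
MAX_CIPHERTEXT = 2**14 + 256  # upper bound on the record length field in TLS 1.3
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

class RecordReassembler:
    """Rebuilds TLS records from an in-order byte stream delivered in arbitrary chunks."""
    def __init__(self):
        self._buf = bytearray()

    def feed(self, chunk: bytes):
        """Add one chunk (e.g. one TCP segment payload); return the records it completes."""
        self._buf += chunk
        records = []
        while len(self._buf) >= HEADER_LEN:
            ctype, version, length = struct.unpack("!BHH", self._buf[:HEADER_LEN])
            if ctype not in CONTENT_TYPES:
                raise ValueError(f"unknown content type {ctype}: stream out of sync")
            if length > MAX_CIPHERTEXT:
                raise ValueError("record length exceeds the TLS 1.3 limit")
            if len(self._buf) < HEADER_LEN + length:
                break  # the rest of this record arrives in a later chunk
            body = bytes(self._buf[HEADER_LEN:HEADER_LEN + length])
            del self._buf[:HEADER_LEN + length]
            records.append((CONTENT_TYPES[ctype], version, body))
        return records

def make_record(ctype: int, body: bytes) -> bytes:
    return struct.pack("!BHH", ctype, 0x0303, len(body)) + body

def demo():
    # Constructed sample: two records with placeholder bodies (not real ciphertext).
    stream = make_record(22, b"H" * 10) + make_record(23, b"A" * 7)
    # Chunk boundaries chosen to cut through a header and through a body.
    chunks = [stream[:3], stream[3:12], stream[12:18], stream[18:]]
    in_order = RecordReassembler()
    out = [rec for c in chunks for rec in in_order.feed(c)]
    # The same chunks with the first two swapped, as an unordered transport could deliver them.
    swapped = RecordReassembler()
    try:
        for c in [chunks[1], chunks[0], chunks[2], chunks[3]]:
            swapped.feed(c)
        desync = False
    except ValueError:
        desync = True
    return out, desync
```

Calling `demo()` returns the two reassembled records for the in-order delivery and a flag showing that the reordered delivery loses record framing.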

Inconsistent Definitions

However, you can be confused because the Sybex OSG or other materials may say TLS belongs to the “Transport Layer.” It’s all right for us to just be aware of those different perspectives out there. It’s more important that we do research when in doubt and know the inconsistency between the commonly accepted definitions and what the classic literature says.

Progressive Learning in Parallel

Read each domain progressively and in parallel, as the right-hand side of the animation depicts. Most people tend to read domain by domain, as on the left-hand side.

  1. Build your own blueprint or conceptual model (e.g., Amicliens InfoSec Conceptual Model) in one week by skimming, browsing, speed-reading your study guide, mentoring, tutoring, training, or any other approaches available.
  2. Base your learning on the model and study topic by topic iteratively and progressively. This is the Agile way to increase knowledge (value) iteratively.
  3. After you have informed and enriched your conceptual model, it’s about time to read your study guide from cover to cover.
  4. Review the CISSP exam outline every day to ensure you are on the right track and measure your progress.
  5. Practice questions in Sudoku 365 (Wentz QOTD) until you understand the concepts behind each question and score higher than 80%. This approach is called test-driven.

Please read the CISSP Test-Driven Study Strategy for more.


Stay Safe and Aware


Security protects humans and assets. Information security is not only talking about information systems and infrastructure, but also the business, organizational vision and mission, the society and common good, and human life. All of them are part of our daily life.

ISC2 Code of Ethics Canons

  1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
  2. Act honorably, honestly, justly, responsibly, and legally.
  3. Provide diligent and competent service to principals.
  4. Advance and protect the profession.


Politics means managing public affairs; it is all about our everyday life. It should not be solely represented or dominated by politicians. Since politics is about managing public affairs, it is related to everyone. The scope of politics ranges from a group, an organization, a society, a country, to the world.

Politics (from Greek: Πολιτικά, politiká, ‘affairs of the cities’) is the set of activities that are associated with making decisions in groups, or other forms of power relations between individuals, such as the distribution of resources or status. The academic study of politics is referred to as political science.

Source: Wikipedia

Covid-19 May Kill Democracy

People tend to avoid conflict by not talking about politics because they misunderstand it. In most cases that is good etiquette or the right thing to do. However, indifference to or neglect of politics can be a disaster in particular situations, specifically the COVID-19 pandemic.

Stay Safe and Aware

  • Wash hands frequently, wear a facial mask, and keep social distancing to stay safe.
  • Watch the video and be aware of the world’s security creeping, and please share the video if you will.


Business Analysis

Business is a collection of value activities that consume resources to create and deliver value to meet stakeholders’ needs and fulfill organizational vision and mission. Porter’s value chain groups value activities into primary activities that create value directly and support activities that create value indirectly.

Analysis is the process of decomposing a complex subject into elements and examining their nature, properties, features, and relationships. Techniques such as break and conquer, comparison and contrast, induction and deduction, inference, and conclusion are commonly applied.

Business analysis is a discipline of understanding stakeholders’ needs to identify problems and opportunities, proposing alternatives or solutions, and determining strategies to solve problems or pursue opportunities. The development or acquisition of information systems is a commonly adopted solution.

Invitation for Amazon Book Comments

Dear readers,

Thank you for purchasing The Effective CISSP series. I hope my books are helpful in your CISSP journey and contribute to your success in CISSP!

Your feedback and comments are the most valuable and powerful driver to the author, yes! that’s me:) Please don’t hesitate to click the following books to comment on Amazon! Thank you very much for your kind help!

Best regards,

Please click the following books to comment:

Distributed Denial of Service (DDoS) Attacks

DDoS and Mitigation

  1. What is a DDoS Attack
  2. DDoS mitigation (Wikipedia)
  3. Distributed Denial of Service Attacks: Four Best Practices for Prevention and Response (SEI)
  4. What is a DDoS Attack? (AWS)
  5. Types of DDoS Attacks and Their Prevention and Mitigation Strategy (EC-Council)
  6. DDoS Attacks (Imperva)
  7. What is DDoS Mitigation? (Cloudflare)
  8. Best practices to mitigate DDoS attacks
  9. 7 Best Practices for Preventing DDoS attacks

A Milestone Achieved!

2019/08 – 2020/09 A milestone achieved!

  • My first book is dedicated to my parents and aims to share my perspective on the discipline of Information security.
  • The 2nd book is a conclusion/compilation of Wentz QOTD for the past year.
  • The 3rd, in Chinese, is my contribution to local CISSP communities in Taiwan.

I believe hard work always pays off.
