(ISC)² CBK Objectives
The 15 official learning areas of Domain 7. Click an objective for detail.
Understand and comply with investigations
4 investigation types (see D1). In practice: isolate without destroying, document every action (chain of custody), preserve volatility (RAM before disk), work on bit-for-bit copies (disk imaging).
Key points
- Order of volatility: registers/RAM → cache → disk → archives
- Imaging: MD5/SHA fingerprint before and after
- Never boot a compromised host on its own OS
Conduct logging and monitoring activities
SIEM centralizes logs, correlates them, triggers alerts. Sources: OS, apps, network, endpoint (EDR), cloud (CloudTrail). Challenges: volume, signal/noise, false positives. SOAR to automate response to repetitive alerts.
Key points
- Tamper-proof logs: WORM, signatures, SIEM separate from prod
- NTP synchronized or correlation fails
- UEBA detects anomalous behavior without signatures
Perform configuration management (CM)
Maintain a known/documented state of all systems. CMDB = live inventory. Hardened baselines (CIS Benchmarks). Drift detected by scanner (Chef Inspec, OpenSCAP). IaC (Terraform) = codified, reproducible configuration.
Key points
- Configuration drift = #1 cloud incident cause
- IaC + GitOps = auditable baseline
- Accurate CMDB = prerequisite for other controls
Foundational security operations concepts
Need to know, least privilege, SoD, dual control, job rotation, mandatory vacation (forced rotation to surface fraud), privileged access monitoring. These principles aren't D1-only: they materialize in daily operations.
Key points
- Mandatory vacation: forced leave ≥ 5 consecutive days to surface ongoing fraud
- Admin: separate user/privileged accounts
- PAM (CyberArk, BeyondTrust) for vaulting + session recording
Apply resource protection
Protect tangible and intangible assets: data, systems, media, documentation, crypto keys. DLP (data loss prevention) in transit and at rest. Physical media protection (encrypted storage, certified destruction).
Key points
- DLP: pattern detection (credit cards, SSN) + upload/email block
- Crypto keys = most sensitive asset: HSM + SoD
- Destruction: certificate + witness
Conduct incident management
IR cycle: Prepare → Detect → Analyze → Contain → Eradicate → Recover → Lessons Learned. Pre-defined playbooks per type (ransomware, data breach, DDoS, insider). Internal + external comms (customers, regulators).
Key points
- Preparation > reaction: written playbooks save lives
- Isolation ≠ shutdown - preserve for forensics
- Blameless post-mortem = real learning
Operate preventative and detective measures
Firewalls, IDS/IPS, antivirus/EDR, WAF, sandboxing, honeypot (decoy for detection), threat intel (STIX/TAXII), application allowlisting. Combination of preventive + detective + corrective controls.
Key points
- EDR > classic antivirus (behavior vs signature)
- Honeypot = high signal value (all activity = suspect)
- Shared threat intel: MISP, ISACs
Patch and vulnerability management
Continuous vulnerability scanning (Nessus, Qualys, OpenVAS), prioritization by CVSS + exploitability (EPSS) + exposure (asset criticality). Patch waves: test → pilot → prod. SLA: critical 24-72 h, high 30 d.
Key points
- EPSS = real exploitation probability, complements CVSS
- Virtual patching (WAF) while waiting for official patch
- Measure patch MTTR, not just % coverage
Understand and participate in change management
Request → Review (CAB) → Approve → Test → Deploy → Verify → Close. Distinguish standard changes (pre-approved, automatable), normal (CAB), emergency (E-CAB post-implementation). Every change must be traceable and reversible.
Key points
- Rollback plan mandatory before deployment
- Freeze periods (critical events, year-end close)
- Change mgmt ≠ configuration mgmt (CM = state, Change = transition)
Implement recovery strategies
Backups: 3-2-1 (3 copies, 2 media, 1 off-site). Types: full, incremental (restore full + all), differential (restore full + latest). Immutable against ransomware. Periodic restore test.
Key points
- Modern 3-2-1-1-0: +1 immutable/air-gapped, 0 errors at test
- An untested backup does not exist
- RPO driven by backup frequency
Disaster Recovery (DR) processes
The DRP is the IT aspect of BCP: system recovery after major disaster. Sites: hot (minutes), warm (1-2d), cold (1-2w), mobile. Architecture: multi-region, multi-AZ cloud, async/sync replication.
Key points
- Shorter RTO = more expensive
- Cloud: multi-region = native DR if properly configured
- Document runbooks, not just architecture
Test disaster recovery plans (DRP)
5 levels: desk check (read), table-top (roleplay), simulation (scenario without touching prod), parallel (switch to secondary without stopping prod), full interruption (prod cut - risky, semi-annual max).
Key points
- Gradually increase intensity
- Full interruption = ultimate proof but business risk
- Documented tests = audit evidence
Participate in business continuity planning and exercises
BCP goes beyond IT: crisis comms, finance, legal, HR, facilities. Each department has its share. Cross-team exercises (e.g. cyberattack + fire) reveal hidden dependencies.
Key points
- Crisis cell: predefined roles (leader, comms, tech, legal)
- Annual exercises minimum, varied scenarios
- Lessons learned = assigned action items
Implement and manage physical security
Perimeter, access control (badges, biometrics, mantraps), CCTV, guards, intrusion (detectors, alarms), environmental (fire, flood, HVAC, UPS). Defense in depth applied to facilities.
Key points
- CCTV: 30-90 d retention, privacy zones
- Human guards complement, don't replace tech
- Datacenter: extra rules (Tier, fire, raised floor, cages)
Personnel safety and security concerns
Safety > security when in conflict: human life first. Evacuation plans, first aid, travel security (risk countries), duress (under-threat signal), workplace violence. Wellness against burnout.
Key points
- Fire: life first, not data
- Duress code: discreet word/signal to alert without tipping off
- Travel: burner phone, clean device, VPN
Key concepts
Order of volatility
Ranks evidence sources from most volatile to most durable, dictating collection order: CPU registers and cache > RAM > network state and connection tables > temporary files and active disk > durable media (disks, archives, backups). Capture the most volatile first; RAM is unrecoverable once powered off, hence a memory dump before any shutdown.
Chain of custody
Documented traceability of evidence from collection to presentation, answering who/what/where/why/when for every handling. Preserve the original via write-blocking and analyse bit-level copies. A single missing link makes the evidence challengeable. The four presentation tenets: admissibility, accuracy, comprehensibility, objectivity.
IDS vs IPS
An IDS (intrusion detection system) detects and alerts a human, without interrupting traffic. An IPS (intrusion prevention system) detects AND automatically acts to block. Placements: perimeter (DMZ, north-south), host-based (HIDS/HIPS on endpoints), network-based (NIDS/NIPS on segments, east-west) - combine them. Methods: signature (known), deviation/heuristic (unknown, false positives), pattern matching (leaks, DLP).
SIEM and SOAR
The SIEM (Security Information and Event Management) aggregates, normalises, correlates, and stores heterogeneous logs to turn scattered events into high-confidence alerts; off-host storage matters because log deletion is itself an IoC. SOAR (Security Orchestration, Automation and Response) adds tool orchestration, playbook automation, and response - speeding up and standardising the SOC's reaction.
Continuous monitoring (ISCM)
ISCM (Information Security Continuous Monitoring, NIST SP 800-137) maintains ongoing awareness of security posture, vulnerabilities, and threats to support risk-management decisions. Distinct from log management (NIST SP 800-92): ISCM is the continuous monitoring of posture, while log management is the lifecycle handling of the logs that feed it.
Least privilege, SoD, PAM
Least privilege = the strict minimum of rights; need-to-know = access only to the information required (orthogonal to privilege). Separation of Duties (SoD) splits a sensitive task across people to neutralise single-person fraud. PAM (Privileged Account Management) manages, monitors, and vaults high-privilege accounts; just-in-time (JIT) identity grants elevation only for the time needed, shrinking the standing attack surface.
Incident lifecycle
NIST SP 800-61: Preparation > Detection & Analysis > Containment, Eradication & Recovery > Post-Incident Activity. ISO/IEC 27035 offers an equivalent cycle. An event is any observable fact; an incident is an event (or series) that threatens security. The cheat sheet summarises the response as Detect, Respond, Report, Recover, Remediate, Review.
Containment vs eradication
Containment = limit the spread of damage (isolate hosts, segment, cut a flow) without yet removing the cause. Eradication = eliminate the root cause (malware, compromised account, exploited vulnerability). Recovery = return systems to clean production; remediation = fix durably to prevent recurrence. The order is containment BEFORE eradication.
Backups 3-2-1 and types
3-2-1 rule: 3 copies, on 2 media types, 1 of them off-site (modern variant +1 immutable, 0 test errors). Full = everything, clears the archive bit. Incremental = since the last backup (full or incr.), clears the bit; restore = full + all incrementals. Differential = since the last full, keeps the bit; restore = full + last differential.
RAID levels
RAID 0 = striping (fast, 0 redundancy). RAID 1 = mirroring. RAID 5 = striping + distributed parity, n disks give n-1 usable and tolerate 1 failure. RAID 6 = dual parity, tolerates 2 failures (n-2 usable). RAID 10 = mirror + stripe (best perf/reliability ratio). Trap: RAID provides availability, it is NOT a backup - it protects against neither deletion nor ransomware.
Recovery sites and RTO/RPO/MTD
Sites: hot (minutes, ready to use, costly), warm (1-2 days), mobile (3-5 days), cold (1-2 weeks, empty shell). MTD = the total tolerable downtime of a process; RTO = the max time to restore a resource (drives the recovery technology); RPO = tolerable data loss (drives backup frequency). Golden rule: RTO ≤ MTD, and MTD = RTO + WRT.
DR test types
Five tests by increasing intensity: read-through/tabletop (around a table, cheapest and least intrusive), walk-through (travelling to the sites), simulation (scripted drill mobilising staff, e.g. a fire evacuation), parallel (the alternate site runs alongside production), full interruption (real cutover, production is taken down - the riskiest and most costly).
Locard's exchange principle
Every contact leaves a trace: each attacker action deposits artifacts (logs, files, registry) and removes others. The basis of forensics: no intrusion is traceless.
Clipping level
Threshold below which benign, repetitive events raise no alert (e.g. 3 tolerated login failures). Set too high, it hides a low-and-slow attack.
Resilience: HA, fault tolerance, QoS
High availability targets uptime (redundancy), fault tolerance targets uninterrupted continuity despite a failure, Quality of Service (QoS) guarantees bandwidth/latency/priority to critical flows.
Frameworks & standards
| Framework | Role |
|---|---|
| NIST SP 800-61 | Incident response lifecycle (Preparation, Detection & Analysis, Containment/Eradication/Recovery, Post-Incident). |
| ISO/IEC 27035 | Information security incident management (international standard). |
| NIST SP 800-92 | Reference guide for computer security log management. |
| NIST SP 800-137 | Information Security Continuous Monitoring (ISCM) - ongoing posture monitoring. |
| NIST SP 800-86 | Integrating forensics into incident response (Collection > Examination > Analysis > Reporting cycle). |
| NIST SP 800-34 | Contingency planning for IT systems - basis of DRP/BCP (US). |
| ISO 22301 | Business continuity management system (BCMS, international). |
| NIST SP 800-88 | Guidelines for Media Sanitization - Clear, Purge, Destroy against data remanence. |
| ITIL v4 | IT service management: incident, problem, and change enablement. |
| CIS Benchmarks / SCAP | Automatable hardening baselines for configuration. |
Acronyms
| Acronym | Meaning |
|---|---|
| IDS | Intrusion Detection System - detects and alerts |
| IPS | Intrusion Prevention System - detects and blocks |
| NIDS | Network IDS - sensor on a network segment |
| HIDS | Host IDS - agent on an endpoint |
| SIEM | Security Information & Event Management |
| SOAR | Security Orchestration, Automation & Response |
| ISCM | Information Security Continuous Monitoring (NIST 800-137) |
| DLP | Data Loss Prevention |
| UEBA | User and Entity Behavior Analytics |
| IoC | Indicator of Compromise |
| CMDB | Configuration Management Database |
| SCAP | Security Content Automation Protocol |
| RFC | Request For Change |
| CAB | Change Advisory Board |
| PAM | Privileged Account Management |
| JIT | Just-In-Time identity - temporary elevation |
| SoD | Separation of Duties |
| RTO | Recovery Time Objective |
| RPO | Recovery Point Objective |
| MTD | Maximum Tolerable Downtime |
| WRT | Work Recovery Time |
| BIA | Business Impact Analysis |
| RAID | Redundant Array of Independent Disks |
| SAN | Storage Area Network |
| NAS | Network Attached Storage |
| CSIRT | Computer Security Incident Response Team |
| SOC | Security Operations Center |
| CPTED | Crime Prevention Through Environmental Design |
| MDM | Mobile Device Management |
| PIR | Passive Infrared sensor |