This post is part of a series in which we pull security stories right from the headlines and discuss their relevance to the eight domains of the CISSP® exam.
Name That Domain: Data Escaping Through the Backdoor
The topics found across the eight domains of the CISSP® exam are taken from the real world. When (ISC)² updates the CISSP® exam, its question writers survey current security leaders and ask them to identify the most important challenges they face. Those issue areas become the topics that make it into the exam.
Ripped From the Headlines
To see the close connection between CISSP® content and the real world, all you need to do is read the news. That’s why we are introducing a new series, “Name That Domain” where we pull security stories right from the headlines and discuss their relevance to the eight domains of the CISSP® exam.
Secret Backdoors Found in Some Android Devices
More than 700 million phones, cars, and other smart devices could contain an unwanted feature: a hidden backdoor that logs user data, including text messages, call logs, and contact lists, and then transmits that private information to a server in China. Just this week, an American cybersecurity firm, Kryptowire, disclosed the spyware, which came pre-installed on some devices, mostly low-end Android phones. Security experts and authorities are unsure about the ultimate use of the collected data and the backdoor, but they suspect it was either for advertising or state surveillance.
Domain 3, Security Engineering
If you have a chance over the Thanksgiving holiday for some light reading, Domain 3 of the Official (ISC)² CISSP® Common Body of Knowledge (CBK) textbook covers the concepts behind how this backdoor works. In the Security Engineering domain, you will learn about firmware: low-level software stored in a device's non-volatile memory that tells the hardware how to start up and operate. Firmware is usually treated as part of the device rather than as an app the user can install or remove, but it is not truly permanent; most devices can be reflashed or updated, and that update path is exactly what matters in this story.
In the case of the Android devices, firmware was the key to the backdoor. Shanghai Adups Technology Company, a software development company, wrote the firmware-over-the-air (FOTA) update component that device makers ship so phones can receive remote firmware updates, a basic and necessary function of mobile devices. But updating was not the only thing Adups' software did: it also collected user data and contacted a server in China, using the trusted update channel to transmit that data. This is what makes it a backdoor rather than a bug. Because the code was pre-installed as part of the system image with system privileges, neither the device owner nor the carrier could see or remove it the way they could an ordinary app, and its traffic blended in with the update traffic everyone expects a phone to generate.
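One practical consequence for a defender: if you cannot inspect the firmware, you can still watch what it does on the network. Kryptowire reported that the uploads ran on a fixed schedule (roughly every 72 hours for messages and call logs), and scheduled, similarly sized uploads from a device to a single unexpected host are a recognisable pattern. The script below is an added example for this post, not code from Kryptowire, Adups, or (ISC)². It reads a constructed flow log (timestamp, source, destination, bytes uploaded; the addresses are documentation ranges, not real servers) and flags source/destination pairs whose connections are evenly spaced and carry a meaningful amount of data. The thresholds are assumptions to tune for your own network.

```python
"""Flag hosts that a device contacts on a fixed schedule with sizeable uploads.

Added example for this post; not Kryptowire's or Adups' code. The flow records
are constructed, and the addresses are documentation ranges, not real servers.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed flow log: timestamp, source device, destination, bytes uploaded.
# 10.0.0.21 uploads about 19 KB to 203.0.113.10 every 72 hours (the pattern we
# want to catch); the other rows are ordinary, irregular traffic.
SAMPLE_FLOWS = """\
2016-11-01T02:00:05Z 10.0.0.21 203.0.113.10 18432
2016-11-01T09:14:52Z 10.0.0.21 198.51.100.7 812
2016-11-04T02:00:11Z 10.0.0.21 203.0.113.10 20110
2016-11-05T18:40:03Z 10.0.0.21 198.51.100.7 1290
2016-11-07T02:00:02Z 10.0.0.21 203.0.113.10 19001
2016-11-08T13:22:41Z 10.0.0.21 198.51.100.7 655
2016-11-10T02:00:09Z 10.0.0.21 203.0.113.10 18877
2016-11-11T11:03:30Z 10.0.0.22 198.51.100.7 744
2016-11-13T02:00:07Z 10.0.0.21 203.0.113.10 19650
"""


def parse_flows(text):
    """Parse 'timestamp src dst bytes' lines into (datetime, src, dst, int) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows.append((when, src, dst, int(nbytes)))
    return flows


def detect_beacons(text, min_flows=3, max_jitter=0.05, min_bytes=4096):
    """Return src/dst pairs whose connections are evenly spaced and carry data.

    A pair is flagged when it has at least `min_flows` connections, the
    relative spread of the gaps between them (stdev / mean) is at most
    `max_jitter`, and the average upload is at least `min_bytes`. All three
    thresholds are assumptions chosen for this example.
    """
    by_pair = defaultdict(list)
    for when, src, dst, nbytes in parse_flows(text):
        by_pair[(src, dst)].append((when, nbytes))

    findings = []
    for (src, dst), events in by_pair.items():
        if len(events) < min_flows:
            continue
        events.sort()
        gaps_h = [(b[0] - a[0]).total_seconds() / 3600 for a, b in zip(events, events[1:])]
        period = mean(gaps_h)
        jitter = pstdev(gaps_h) / period if period > 0 else float("inf")
        avg_bytes = mean(n for _, n in events)
        if jitter <= max_jitter and avg_bytes >= min_bytes:
            findings.append({
                "src": src,
                "dst": dst,
                "flows": len(events),
                "period_hours": period,
                "jitter": jitter,
                "avg_bytes": avg_bytes,
            })
    return findings


if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_FLOWS):
        print(f"{f['src']} -> {f['dst']}: {f['flows']} flows, "
              f"every {f['period_hours']:.1f} h, avg {f['avg_bytes']:.0f} bytes")
```

Run against the sample, this reports only the 10.0.0.21 to 203.0.113.10 pair, at a 72-hour period. The irregular rows to 198.51.100.7 are skipped because their gaps vary widely and their uploads are small. In production you would feed it exported firewall or NetFlow records and then look at who owns the flagged destination, since a scheduled upload to the vendor's own update server is expected and one to an unfamiliar host is not.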
Domain 1, Security and Risk Management
The CBK also covers backdoors’ implications for privacy. In Domain 1, Security and Risk Management, you will learn that the handling of sensitive customer information is a priority all organizations should take seriously. Moreover, an organization’s data handling procedures should be clearly communicated to customers. Both of these practices were ignored by Adups.
CISSPs: Diverse Perspectives
As a CISSP® (or even as you train to take the exam), you will have the technical knowledge to understand the complexities behind the headlines. Equally important, you will also be able to understand the headlines from legal and ethical perspectives. Not only will you "Name That Domain," but you will conquer the exam and become a member of the CISSP® elite.