ISO27034-1 ONF, ANF

Organization Normative Framework (ONF)

the ONF is a company-wide repository of Application Security Controls (ASC) and processes. The organization can store and update ASCs in a central library caled an ASC Library, which is part of the ONF. The ONF also specifies how and when an application development project should use a particular security activity, such as conducting a penetration test.

Application Normative Framework (ANF)

The ANF is the set of ASCs and application security processes that apply to a particular application, based on its contexts, specifications (i.e. functional requirements or user stories) and its development & operational processes (a.k.a. application life cycle).

Referenced from https://blog.securitycompass.com/a-laymans-guide-to-the-iso-27034-17c72b91ae07

Metasploit Configuration

#start PostgreSQL
service postgresql start

#重新啟動後執行 PostgreSQL
update-rc.d postgresql enable

#update msf modeules
apt update; apt install metasploit-framework

#access metasploit
msfconsole

神諭(Oracle)

神諭(Oracle) 是指一種徵兆，當攻擊或破解一項系統時，無法看到真正的結果，只能從狀態(如延遲時間或畫面現象) 判斷成功與否。 屬於一種 side channel attack.

Trade Secrets

They cannot be disclosed to the public, and efforts must be made to maintain secrecy.

Reference from CCSP (ISC)2 Certified Cloud Security Professional Official Study Guide
https://www.amazon.com/Certified-Cloud-Security-Professional-Official/dp/1119277418

國學經典學管理

1. 「生而知之者，上也；學而知之者，次也；困而學之，又其次也；困而不學，民斯為下矣。」

• 生而知之(What)：主管交代前，就知道要做什麼。這類型員工你不需要太多管理，只要交代目標是什麼。
• 學而知之 (Why)：主管交代後，才知道要做什麼。這類型的員工你需要告訴他為什麼要做。否則他下次一樣被動。
• 困而學之 (How)：遇到困難再學的人。遇到這類型員工，主管交代事情時，要進一步告訴他怎麼做。
• 困而不學 (You are fired!)：碰到困境、業績不好還不努力的人。主管可以考慮辭退了。

2. 孫子兵法，九變：「圮地無舍，衢地交和，絕地勿留，圍地則謀，死地則戰。途有所不由，軍有所不擊，城有所不攻，地有所不爭，君命有所不受。故將通於九變之利者，知用兵矣。」 《商用孫子兵法》裡將九變應用於商場：

• 無市場潛力者，直接捨棄：「圮地無舍」的圮 (音同痞)，毀壞、傾倒之意，即是不住在危險難行的地方。也就是說，在偏遠或無市場潛力的地區，並不見得要開設分行或分店。
• 與所在商圈打好關係：「衢地交和」的衢 (音同渠)意思是四通八達的大路，指的是與位居要地的國家友好。對企業來說，與客戶或非競爭對手的企業打好關係，未來或許會有意料之外的合作。
• 市場開發要設停損：「絕地勿留」表示不要停留在交通不便、供給困難之地；以市場開發為例，如果經過幾年的努力還未有成果，最好趁子彈還充足時，退回熟悉的領域，等時機成熟後再出發。
• 出奇制勝：「圍地則謀」指的是被包圍時要謀劃如何突圍，如果企業的經銷網路已被對手封住，就要以出奇不意的方式突圍，才有辦法生存。
• 遇困境要冷靜：「死地則戰」表示遇到困境，要奮戰求生，經理人在走投無路時，如果懷著「一定能活下來」的信念，才能真正冷靜思考，採取行動。
• 選擇對自己有利的路：「途有所不由」的途即道路；由，走、經過之意，意思是就算有路也不走。以選址為例，信義區是許多品牌都想進駐的商區，但若和品牌目標族群不相符，或許就不會是首選。
• 放棄效益不彰的店：「地有所不爭」指的是不一定要攻擊無關緊要的敵軍，假設商家發現某些地區有消費需求，但扣除營運、人事成本，整體效益並不高，孫子的建議是直接放棄，以除後患。
• 非目標族群不用在意：「城有所不攻」代表不去攻佔沒必要爭奪的城池，如果企業目標是品牌年輕化，在行銷策略上，銀髮族群就不一定要爭取。
• 適時授權：「君命有所不受」指的是不一定要聽命於君主，這句話有但書，如果公司政策明確，應該要授權部門主管執行，讓行動合乎市場需求。

3. 孫子兵法、謀攻：善用兵者，屈人之兵而非戰也，拔人之城而非攻也，毀人之國而非久也。

參考至 經理人雜誌 No155.

https://www.managertoday.com.tw/magazines/view/127339

Policies

Policies ensure that the organization is operating within its risk profile. Policies actually define, or are the expression of, the organization's risk tolerance.

When engaging in risk tolerance, people and business consider how far they will go in taking risk before the potential risk outweighs the opportunity.

It is also the CCSP's job to educate stakeholders about cloud computing risks and benefits so that they are better to make fact-based decisions as opposed to relying on hearsay and gossip.

The risk profile of the organization is a comprehensive analysis of the possible risks the organization is exposed to.

It is impossible to remove risk. Never believe anyone who says that something has "zero risk" or that a control offers "100 percent security." Even with all possible controls placed on a business function, there will still remain some level of risk; we call this "residual risk."

Reference from CCSP (ISC)2 Certified Cloud Security Professional Official Study Guide
https://www.amazon.com/Certified-Cloud-Security-Professional-Official/dp/1119277418