
Good Morning

Presenter

Class Rules

NO Eating, NO Drinking

Your mobile is SILENT or Off.

Attendance is obligatory

Method of Teaching this course

Take notes so you will remember the concepts for the Exam.

CISSP CBK

CISSP Introduction

Module 1: Access Control

Module 2: Telecommunications and Network Security

Module 3: Information Security Governance and Risk Management

Module 4: Software Development Security

Module 5: Cryptography

Module 6: Security Architecture and Design

Module 7: Operations Security

Module 8: Business Continuity and Disaster Recovery Planning

Module 9: Legal, Regulations, Investigations and Compliance

Module 10: Physical (Environmental) Security


Assessment

First exam contributes to 20% of the grade (1 hour)

Second Exam Contributes to 20% of the grade (1 hour)

Final Exam contributes to 60% of the grade (3 hours; includes all material from the beginning of the year)

Total Grade 100%

Assessment is through multiple choice questions.

Important Notice:1

Material in these presentations was copied, sometimes with modifications and sometimes without, from the following resources:

CISSP Candidate Information Bulletin (Exam Outline) Rev5 (ISC)2

CISSP Information (ISC)2

Presentations prepared by Ben Rothke (New York Metro eSecurity Solutions Group, 732/516-4248), which were posted on www.cccure.org

Study guide prepared by Derek Prueitt (Hughens Supply) and was posted on

MSc. Information Security course materials given in Royal Holloway University of London

Handbook of Information Security Vol. 3 (2006 by John Wiley & Sons)

Computer Security Strength & Risk: A Quantitative Approach: thesis by Stuart Edward Schechter (Harvard University) May 2004

Important Notice:2

(National Institute of Standards and Technology Administration U.S. Department of Commerce; Special Publication 800-12)

CISSP: Certified Information Systems Security Professional Study Guide 2nd Edition (Ed Tittel, James Michael Stewart, Mike Chapple) 2004 SYBEX

National Institute of Standards and Technology Administration U.S. Department of Commerce Risk Management Guide for Information Technology Systems; NIST Special Publication 800-30

Computer and Information Security Handbook Edited by John R. Vacca (2009 by Elsevier Inc)

Cloud Security and Privacy (Tim Mather, Subra Kumaraswamy, Shahed Latif) O'Reilly - 2009


Plan of Our Study

Hours in this semester allocated to this course (Total Sessions: 57):

- 2 to 3 introduction sessions and an overall view of all modules;

- 2 sessions (exams);

- 6 sessions public vacations;

- Remaining sessions: 46+

Number of Pages in the study material is: 140+ pages

Start date: 99/99/9999; End Date: 99/99/9999 (19 weeks--3 sessions/week)

Access Control

A collection of mechanisms that work together to create a security architecture to protect the assets of the information system.

Concepts/methodologies/techniques

Effectiveness

Attacks

Telecommunications and Network Security

Telecommunications and Network Security discusses network structures, transmission methods, transport formats and security measures used to provide availability, integrity and confidentiality.

Network architecture and design

Communication channels

Network components

Network attacks

Information Security Governance and Risk Management

Information Security Governance and Risk Management covers the identification of an organization's information assets and the development, documentation and implementation of policies, standards, procedures and guidelines.

Security governance and policy

Information classification/ownership

Contractual agreements and procurement processes

Risk management concepts

Personnel security

Security education, training and awareness

Certification and accreditation

Software Development Security

Software Development Security refers to the controls that are included within systems and applications software and the steps used in their development.

Systems development life cycle (SDLC)

Application environment and security controls

Effectiveness and Application Security

Cryptography

Cryptography covers the principles, means and methods of disguising information to ensure its integrity, confidentiality and authenticity.

Encryption concepts

Digital signatures

Cryptanalytic attacks

Public Key Infrastructure (PKI)

Information hiding alternatives

Security Architecture and Design

Security Architecture and Design contains the concepts, principles, structures and standards used to design, implement, monitor, and secure operating systems, equipment, networks, applications, and those controls used to enforce various levels of confidentiality, integrity and availability.

Fundamental concepts of security models

Capabilities of information systems (e.g. memory protection, virtualization)

Countermeasure principles

Vulnerabilities and threats (e.g. cloud computing, aggregation, data flow control)

Operations Security

Operations Security is used to identify the controls over hardware, media and the operators with access privileges to any of these resources.

Resource protection

Incident response

Attack prevention and response

Patch and vulnerability management

Business Continuity and Disaster Recovery

Business Continuity and Disaster Recovery Planning addresses the preservation of the business in the face of major disruptions to normal business operations.

Business impact analysis

Recovery strategy

Disaster recovery process

Provide training

Legal, Regulations, Investigations and Compliance

Legal, Regulations, Investigations and Compliance addresses computer crime laws and regulations; the investigative measures and techniques which can be used to determine if a crime has been committed and methods to gather evidence.

Legal issues

Investigations

Forensic procedures

Compliance requirements/procedures

Physical (Environmental) Security

Physical (Environmental) Security addresses the threats, vulnerabilities and countermeasures that can be utilized to physically protect an enterprise's resources and sensitive information.

Site/facility design considerations

Perimeter security

Internal security

Facilities security

Overview: Access Control

Access Control domain covers mechanisms by which a system grants or revokes the right to access data or perform an action on an information system. Access Control Systems include:

File permissions, such as create, read, edit, or delete on a file server.

Program permissions, such as the right to execute a program on an application server.

Data rights, such as the right to retrieve or update information in a database.

CISSP candidates should fully understand access control concepts, methodologies and their implementation within centralized and decentralized environments across an organization's computing environment.

Key Areas of Knowledge: Access Control

A. Control Access by applying the following concepts/methodologies/techniques

Policies

Types of Controls (preventive, corrective, etc.)

Techniques (e.g., non-discretionary and mandatory)

Identification and Authentication

Decentralized/distributed access control techniques

Authorization mechanisms

Logging and monitoring

Key Areas of Knowledge: Access Control

B. Understand Access Control Attacks

Threat modeling

Asset Valuation

Vulnerability analysis

Access aggregation

C. Assess effectiveness of access controls

User entitlement

Access review and audit

D. Identity and access provisioning lifecycle (e.g. provisioning, review, revocation)

Overview: Telecommunications and Network Security

The Telecommunications and Network Security domain encompasses the structures, techniques, transport protocols, and security measures used to provide integrity, availability, confidentiality and authentication for transmissions over private and public communication networks. The candidate is expected to demonstrate an understanding of communications and network security as it relates to data communications in local area and wide area networks, remote access, and internet/intranet/extranet configurations. Candidates should be knowledgeable about network equipment such as switches, bridges and routers, as well as networking protocols (e.g., TCP/IP, IPSec) and VPNs.

Key Areas of Knowledge: Telecommunications and Network Security

A. Understanding secure network architecture and design (e.g., IP and non-IP protocols, segmentation)

OSI and TCP/IP models

IP Networking

Implications and multi-layer protocols

B. Securing network components

Hardware (e.g., modems, switches, routers, wireless access points)

Transmission media (e.g., wired, wireless, fiber)

Network access control devices (e.g., firewalls, proxies)

End-point security

Key Areas of Knowledge: Telecommunications and Network Security

C. Establish secure communication channels (e.g., VPN, TLS/SSL, VLAN)

Voice (e.g., POTS, PBX, VOIP)

Multimedia collaboration (e.g., remote meeting technology, instant messaging)

Remote access (e.g., screen scraper, virtual application/desktop, telecommuting)

Data Communications

D. Understand network attacks (e.g., DDoS, spoofing)

Overview: Information Security Governance & Risk Management-1

The Information Security Governance and Risk Management domain entails the identification of an organization's information assets and the development, documentation, implementation and updating of policies, standards, procedures and guidelines that ensure confidentiality, integrity, and availability. Management tools such as data classification, risk assessment, and risk analysis are used to identify threats, classify assets, and rate their vulnerabilities so that effective security measures and controls can be implemented.

Overview: Information Security Governance & Risk Management-2

The candidate is expected to understand the planning, organization, roles and responsibilities of individuals in identifying and securing an organization's information assets; the development and use of policies stating management's views and position on particular topics and the use of guidelines, standards, and procedures to support the policies; security training to make employees aware of the importance of information security, its significance, and the specific security-related requirements relative to their position; the importance of confidentiality, proprietary and private information; third party management and service level agreements, employment agreements, employee hiring and termination practices, and risk management practices and tools to identify, rate, and reduce the risk to specific resources.

Key Areas of Knowledge: Information Security Governance & Risk Management-1

A. Understand and align security functions to goals, mission and objectives of the organization

B. Understand and apply security governance

Organizational processes (e.g., acquisitions, divestitures, governance committees)

Security Roles and responsibilities

Legislative and regulatory compliance

Control frameworks

Due care

Due Diligence

Key Areas of Knowledge: Information Security Governance & Risk Management-2

C. Understand and apply concepts of confidentiality, integrity and availability

D. Develop and implement security policy

Security policies

Standards/baselines

Procedures

Guidelines

Documentation

E. Manage the information life cycle (e.g., classification, categorization, & ownership)

Key Areas of Knowledge: Information Security Governance & Risk Management-3

F. Manage third party governance (e.g., on-site assessment, document exchange and review, process/policy review)

G. Understand and apply risk management concepts

Identify threats and vulnerabilities

Risk Assessment/analysis (qualitative, quantitative, hybrid)

Risk Assignment/acceptance

Countermeasure selection

Tangible and intangible asset valuation

Key Areas of Knowledge: Information Security Governance & Risk Management-4

H. Manage personnel security

Employment candidate screening (e.g., reference checks, education verification)

Employment agreements and policies

Employee termination processes

Vendor, consultant and contractor controls

I. Develop and manage security education, training and awareness

Key Areas of Knowledge: Information Security Governance & Risk Management-5

J. Manage the security function

Budget

Metrics

Resources

Develop and implement information security strategies

Assess the completeness and effectiveness of the security program

Overview: Software Development Security

The Software Development Security domain refers to the controls that are included within systems and applications software and the steps used in their development (e.g., SDLC). Software refers to system software (operating systems) and application programs such as agents, applets, software, databases, data warehouses, and knowledge-based systems. These applications may be used in distributed or centralized environments. The candidate should fully understand the security and controls of the systems development process, system life cycle, application controls, change controls, data warehousing, data mining, knowledge-based systems, program interfaces, and concepts used to ensure data and application integrity, security, and availability.

Key Areas of Knowledge: Software Development Security

A. Understand and apply security in the software development life cycle

Develop Life Cycle

Maturity models

Operation and maintenance

Change management

Key Areas of Knowledge: Software Development Security

B. Understand the environment and security controls

Security of the software environment

Security issues of the programming languages

Security issues in source code (e.g., buffer overflow, escalation of privilege, backdoor)

Configuration management

C. Assess the effectiveness of software security

Certification and accreditation (i.e., system authorization)

Auditing and logging

Risk analysis and mitigation

Overview: Cryptography

The Cryptography domain addresses the principles, means, and methods of applying mathematical algorithms and data transformations to information to ensure its integrity, confidentiality, and authenticity. The candidate is expected to know basic concepts within cryptography; public and private key algorithms in terms of their applications and uses; algorithm construction, key distribution and management, and methods of attack; the applications, construction and use of digital signatures to provide authenticity of electronic transactions and non-repudiation of the parties involved; and the organization and management of the public key infrastructure (PKI) and digital certificate distribution and management.

Key Areas of Knowledge: Cryptography

A. Understand the application and use of cryptography

Data at rest (e.g., Hard Drive)

Data in transit (e.g., on the wire)

B. Understand the cryptographic life cycle (e.g., cryptographic limitations, algorithm/protocol governance)

Key Areas of Knowledge: Cryptography

C. Understand encryption concepts

Foundation Concepts

Symmetric cryptography

Asymmetric Cryptography

Hybrid cryptography

Message digest

Hashing

D. Understand key management processes

Creation/distribution

Storage/destruction

Recovery

Key escrow

Key Areas of Knowledge: Cryptography

E. Understand digital signatures

F. Understand non-repudiation

G. Understand methods of cryptanalytic attacks

Chosen plain-text

Social engineering for key discovery

Brute Force (e.g., rainbow tables, specialized/scalable architecture)

Cipher text only

Known plaintext

Frequency analysis

Chosen cipher-text

Implementation attacks

Key Areas of Knowledge: Cryptography

H. Use cryptography to maintain network security

I. Use cryptography to maintain application security

J. Understand Public Key Infrastructure (PKI)

K. Understand certificate related issues

L. Understand information hiding alternatives (e.g., steganography, watermarking)

Overview: Security Architecture & Design

The Security Architecture & Design domain contains the concepts, principles, structures, and standards used to design, implement, monitor, and secure operating systems, equipment, networks, applications, and those controls used to enforce various levels of confidentiality, integrity, and availability. Information security architecture and design covers the practice of applying a comprehensive and rigorous method for describing a current and/or future structure and behavior for an organization's security processes, information security systems, personnel and organizational sub-units, so that these practices and processes align with the organization's core goals and strategic direction. The candidate is expected to understand security models in terms of confidentiality, integrity, and data flow diagrams; Common Criteria protection profiles; technical platforms in terms of hardware, firmware, and software; and system security techniques in terms of preventive, detective, and corrective controls.

Key Areas of Knowledge: Security Architecture & Design

A. Understand the fundamental concepts of security models (e.g. Confidentiality, Integrity, and Multi-level Models)

B. Understand the components of information systems security evaluation models

Product evaluation models (e.g., common criteria)

Industry and international security implementation guidelines (e.g., PCI-DSS, ISO)

Key Areas of Knowledge: Security Architecture & Design

C. Understand security capabilities of information systems (e.g., memory protection, virtualization, trusted platform module)

D. Understand the vulnerabilities of security architectures

System (e.g., covert channels, state attacks, emanations)

Technology and process integration (e.g., single point of failure, service oriented architecture)

Key Areas of Knowledge: Security Architecture & Design

E. Understand digital signatures

Web-based (e.g., XML, SAML, OWASP)

Client-based (e.g., applets)

Server-based (e.g., data flow control)

Database security (e.g., inference, aggregation, data mining, warehousing)

Distributed systems (e.g., cloud computing, grid computing, peer to peer)

F. Understand countermeasure principles (e.g., defense in depth)

Overview: Operations Security

The Operations Security domain is used to identify critical information and the execution of selected measures that eliminate or reduce adversary exploitation of critical information. It includes the definition of the controls over hardware, media, and the operators with access privileges to any of these resources. Auditing and monitoring are the mechanisms, tools and facilities that permit the identification of security events and subsequent actions to identify the key elements and report the pertinent information to the appropriate individual, group, or process. The candidate is expected to know the resources that must be protected, the privileges that must be restricted, the control mechanisms available, the potential for abuse of access, the appropriate controls, and the principles of good practice.

Key Areas of Knowledge: Operations Security

A. Understand security operations concepts

Need-to-know/least privilege

Separation of duties and responsibilities

Monitor special privileges (e.g., operators, administrators)

Job rotation

Marking, handling, storing and destroying of sensitive information

Record retention

B. Employ resource protection

Media management

Asset management (e.g., equipment life cycle, software licensing)

Key Areas of Knowledge: Operations Security

C. Manage Incident response

Detection

Response

Reporting

Recovery

Remediation and review (e.g., root cause analysis)

D. Implement preventative measures against attacks (e.g., malicious code, zero-day exploit, denial of service)

E. Implement and support patch and vulnerability management

Key Areas of Knowledge: Operations Security

F. Understand change and configuration management (e.g., versioning, baselining)

G. Understand system resilience and fault tolerance requirements

Overview: Business Continuity & Disaster Recovery Planning

The Business Continuity and Disaster Recovery Planning domain addresses the preservation of the business in the face of major disruptions to normal business operations. BCP and DRP involve the preparation, testing and updating of specific actions to protect critical business processes from the effect of major system and network failures. BCP helps identify the organization's exposure to internal and external threats, synthesizes hard and soft assets to provide effective prevention and recovery for the organization, and maintains competitive advantage and value system integrity. BCP counteracts interruptions to business activities and should be available to protect critical business processes from the effects of major failures or disasters. It deals with natural and man-made events and their consequences if not dealt with promptly and effectively.

Overview: Business Continuity & Disaster Recovery Planning

Business Impact Analysis (BIA) determines the proportion of impact an individual business unit would sustain subsequent to a significant interruption of computing or telecommunication services. These impacts may be financial, in terms of monetary loss, or operational, in terms of inability to deliver. Disaster Recovery Plans (DRP) contain procedures for emergency response, extended backup operation and post-disaster recovery, should a computer installation experience a partial or total loss of computer resources and physical facilities. The primary objective of the disaster recovery plan is to provide the capability to process mission-essential applications in a degraded mode, and to return to normal mode of operation within a reasonable amount of time.

Overview: Business Continuity & Disaster Recovery Planning

The candidate is expected to know the difference between business continuity planning and disaster recovery; business continuity planning in terms of project scope and planning, business impact analysis, recovery strategies, recovery plan development, and implementation. Moreover, the candidate should understand disaster recovery in terms of recovery plan development, implementation and restoration.

Key Areas of Knowledge: Business Continuity & Disaster Recovery Planning

A. Understand Business Continuity requirements

Develop and document project scope and plan

B. Conduct business impact analysis

Identify and prioritize critical business functions

Determine maximum tolerable downtime and other criteria

Assess exposure to outages (e.g., local, regional, global)

Define recovery objectives

C. Develop a recovery strategy

Implement a backup storage strategy (e.g., offsite storage, electronic vaulting, tape rotation)

Recovery site strategies

Key Areas of Knowledge: Business Continuity & Disaster Recovery Planning

D. Understand disaster recovery process

Response

Personnel

Communications

Assessment

Restoration

Provide training

E. Exercise, assess and maintain the plan (e.g., version control, distribution)

Overview: Legal, Regulations, Investigations, and Compliance

The Legal, Regulations, Investigations and Compliance domain addresses ethical behavior and compliance with regulatory frameworks. It includes the investigative measures and techniques that can be used to determine if a crime has been committed, and the methods used to gather evidence (e.g., forensics). A computer crime (as per US law) is any illegal action where the data on a computer is accessed without permission. This domain also includes understanding the computer incident forensic response capability needed to identify the Advanced Persistent Threat (APT) that many organizations face today.

Key Areas of Knowledge: Legal, Regulations, Investigations, and Compliance

A. Understand legal issues that pertain to information security internationally

Computer crime

Licensing and intellectual property (e.g., copyright, trademark)

Import/export

Trans-border data flow

Privacy

B. Understand professional ethics

(ISC)2 Code of Professional Ethics

Support the organization's code of ethics

Key Areas of Knowledge: Legal, Regulations, Investigations, and Compliance

C. Understand and support investigations

Policy, roles and responsibilities (e.g., rules of engagement, authorization, scope)

Incident handling and response

Evidence collection and handling (e.g., chain of custody, interviewing)

Reporting and documenting

D. Understand Forensics procedures

Media analysis

Network analysis

Software analysis

Hardware/embedded device analysis

Key Areas of Knowledge: Legal, Regulations, Investigations, and Compliance

E. Understand compliance requirements and procedures

Regulatory environment

Audits

Reporting

F. Ensure security in contractual agreements and procurement processes (e.g., cloud computing, outsourcing, vendor governance)

Overview: Physical (Environmental) Security

The Physical (Environmental) Security domain addresses the threats, vulnerabilities, and countermeasures that can be utilized to physically protect an enterprise's resources and sensitive information. These resources include people, the facility in which they work, and the data, equipment, support systems, media, and supplies they utilize. Physical security describes measures that are designed to prevent unauthorized personnel (including attackers) from physically accessing a building, facility, resource, or stored information, and guidance on how to design structures to resist potentially hostile acts. The candidate is expected to know the elements involved in choosing a secure site, its design and configuration, and the methods for securing the facility against unauthorized access, theft of equipment and information, and the environmental and safety measures needed to protect people, the facility, and its resources.

Key Areas of Knowledge: Physical (Environmental) Security

A. Understand site and facility design considerations

B. Support the implementation and operation of perimeter security (e.g., physical access control and monitoring, audit trails/access logs)

C. Support the implementation and operation of internal security (e.g. escort requirements/visitor control, keys and locks)

Key Areas of Knowledge: Physical (Environmental) Security

D. Support the implementation and operation of facilities security (e.g., technology convergence)

Communications and server rooms

Restricted and work area security

Data Center security

Utilities and heating, ventilation and air conditioning (HVAC) considerations

Water issues (e.g., leakage, flooding)

Fire Prevention, detection and suppression

E. Support the protection and securing of equipment