CISSP - Certified Information Systems Security Professional

Date post: 01-Aug-2018
The primary goal of the CISSP program is to prepare students to demonstrate their knowledge of industry standards across the CISSP domains, including Access Control; Application Security; Business Continuity and Disaster Recovery Planning; Cryptography; Information Security and Risk Management; and Legal, Regulations, Compliance, and Investigations.

Computer, information and physical security have grown steadily more important as computer crime has increased. Web sites are defaced, denial-of-service attacks are more frequent, credit card information is stolen, publicly available hacking tools have become more sophisticated, and today’s viruses and worms cause more damage than ever before.

This section of the Security Program provides a foundation in the many different areas that make up effective security. It prepares students pursuing a career in Information Technology to recognize the threats and dangers to which systems are vulnerable and the steps that must be taken to mitigate those vulnerabilities. Every network administrator and engineer needs to be well versed in all areas of security.

Companies have spent millions of dollars cleaning up the effects of these attacks and millions more securing their perimeter and internal networks with equipment, software, consultants and education. Since September 11, 2001, the necessity and urgency of this kind of security have taken on a new dimension: governments, nations and societies are vulnerable to many types of attack carried over network wires and airwaves, and societies depend heavily on computing power and functionality provided largely by the public and private sectors. Although governments are responsible for protecting their citizens, citizens and their businesses must also become more secure in order to protect the nation as a whole.

The CISSP section of the program prepares IT managers, and managers in other career fields, for the vital task of becoming familiar with and staying current on today’s security issues and challenges. Such protection can only begin with proper education and understanding, and must continue with the dedicated application of that knowledge.

Course Outline

MODULE 1  Becoming a CISSP
  Why Become a CISSP
  The CISSP Exam
  CISSP: A Brief History
  How Do You Become a CISSP
  Recertification Requirements
  What Does This Book Cover

  Tips for Taking the CISSP Exam

MODULE 2  Security Trends
  How Security Became an Issue
  Areas of Security
  Benign to Scary
  Evidence of the Evolution of Hacking
  How Are Nations Affected?
  How Are Companies Affected?
  The U.S. Government’s Action?
  So What Does This Mean to Us?
  Hacking and Attacking
  Management
  Internet and Web Activities
  Two-Tier Architecture
  Database Roles
  A Layered Approach
  An Architectural View
  A Layer Missed
  Bringing the Layers Together
  Politics and Laws

MODULE 3  Information Security and Risk Management
  Security Management
  Security Management Responsibilities
  The Top-Down Approach to Security
  Security Administration and Supporting Controls
  Fundamental Principles of Security
  Security Definitions
  Security through Obscurity
  Organizational Security Model
  Security Program Components
  Business Requirements: Private Industry vs. Military Organizations
  Information Risk Management
  Who Really Understands Risk Management?
  Information Risk Management Policy
  The Risk Management Team
  The Risk Analysis
  The Risk Analysis Team
  The Value of Information and Assets
  Costs that Make Up the Value
  Identifying Threats
  Failure and Fault Analysis
  Quantitative Risk Analysis
  Qualitative Risk Analysis
  Quantitative vs. Qualitative
  Protection Mechanisms
  Putting It Together
  Total Risk vs. Residual Risk
  Handling Risk
  Policies, Standards, Baselines, Guidelines, and Procedures
  Security Policy
  Standards
  Baselines
  Guidelines
  Procedures
  Implementation
  Information Classification
  Private Business vs. Military Classifications
  Classification Controls
  Layers of Responsibility
  Who’s Involved?
  The Data Owner
  The Data Custodian
  The System Owner
  The Security Administrator
  The Security Analyst
  The Application Owner
  The Supervisor
  The Change Control Analyst
  The Data Analyst
  The Process Owner
  The Solution Provider
  The User
  The Product Line Manager
  The Auditor
  Why So Many Roles?
  Personnel Structure
  Hiring Practices
  Employee Controls
  Termination
  Security-Awareness Training
  Different Types of Security-Awareness Training
  Evaluating the Program
  Specialized Security Training
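The quantitative risk analysis items above (value of assets, SLE/ALE, protection mechanisms, total vs. residual risk, handling risk) reduce to a handful of formulas. The following is an added example, not material from the course: it carries those formulas through for one constructed scenario (the asset value, exposure factor, rate of occurrence and control costs are all assumed figures) and shows how the cost/benefit result drives the choice between mitigating and accepting a risk.

```python
"""Quantitative risk analysis worked through in code: single loss
expectancy, annualized loss expectancy, control cost/benefit and the
total-vs-residual risk split.

Added example for this module; not part of the original course
material. Every figure below (asset value, exposure factor, rate of
occurrence, control costs) is constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Exposure:
    """One threat against one asset, in the terms quantitative analysis uses."""
    asset: str
    threat: str
    asset_value: float      # AV: what the asset is worth to the business
    exposure_factor: float  # EF: fraction of AV lost in a single occurrence, 0.0..1.0
    aro: float              # ARO: expected number of occurrences per year


def single_loss_expectancy(e: Exposure) -> float:
    """SLE = AV x EF: the cost of one occurrence."""
    return e.asset_value * e.exposure_factor


def annualized_loss_expectancy(e: Exposure) -> float:
    """ALE = SLE x ARO: what the threat is expected to cost per year.
    With no control in place this is the total risk."""
    return single_loss_expectancy(e) * e.aro


@dataclass(frozen=True)
class Control:
    """A safeguard and the exposure that remains once it is deployed."""
    name: str
    annual_cost: float      # purchase amortized per year plus operation and maintenance
    residual_ef: float      # EF after the control
    residual_aro: float     # ARO after the control


def residual_risk(e: Exposure, c: Control) -> float:
    """Residual risk: the ALE that is left after the control is applied."""
    after = replace(e, exposure_factor=c.residual_ef, aro=c.residual_aro)
    return annualized_loss_expectancy(after)


def control_value(e: Exposure, c: Control) -> float:
    """Cost/benefit of a safeguard:
    (ALE before control) - (ALE after control) - (annual cost of control).
    Positive means the control saves more than it costs."""
    return annualized_loss_expectancy(e) - residual_risk(e, c) - c.annual_cost


def choose_control(e: Exposure, candidates: List[Control]) -> Optional[Control]:
    """Pick the control with the highest net value. None means no candidate
    is worth its cost and the rational choice is to accept (or transfer) the risk."""
    best = max(candidates, key=lambda c: control_value(e, c), default=None)
    if best is None or control_value(e, best) <= 0:
        return None
    return best


# Constructed scenario: a public web server, threat of compromise.
WEB_SERVER = Exposure(asset="public web server",
                      threat="compromise via web application flaw",
                      asset_value=250_000.0, exposure_factor=0.40, aro=0.5)

CANDIDATES = [
    Control("web application firewall", annual_cost=12_000.0, residual_ef=0.10, residual_aro=0.25),
    Control("annual penetration test only", annual_cost=30_000.0, residual_ef=0.30, residual_aro=0.40),
    Control("do nothing (accept)", annual_cost=0.0, residual_ef=0.40, residual_aro=0.5),
]

if __name__ == "__main__":
    print(f"SLE = {single_loss_expectancy(WEB_SERVER):,.0f}")
    print(f"ALE (total risk) = {annualized_loss_expectancy(WEB_SERVER):,.0f}")
    for c in CANDIDATES:
        print(f"{c.name}: residual {residual_risk(WEB_SERVER, c):,.0f}, "
              f"net value {control_value(WEB_SERVER, c):,.0f}")
    print("chosen:", choose_control(WEB_SERVER, CANDIDATES))
```

In the constructed scenario the total risk is an ALE of 50,000 per year; the firewall leaves a residual risk of 6,250 and nets 31,750 after its own cost, while the penetration-test-only option costs more than the loss it prevents and would be rejected by the cost/benefit test.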

MODULE 4  Access Control
  Access Controls Overview
  Security Principles
    o Availability
    o Integrity
    o Confidentiality
  Identification, Authentication, Authorization, and Accountability
    o Identification and Authentication
    o Authorization
  Access Control Models
    o Discretionary Access Control
    o Mandatory Access Control
    o Role-Based Access Control
  Access Control Techniques and Technologies
    o Rule-Based Access Control
    o Constrained User Interfaces
    o Access Control Matrix
    o Content-Dependent Access Control
    o Context-Dependent Access Control
  Access Control Administration
    o Centralized Access Control Administration
    o Decentralized Access Control Administration
  Access Control Methods
    o Access Control Layers
    o Administrative Controls
    o Physical Controls
    o Technical Controls
  Access Control Types
    o Preventive: Administrative
    o Preventive: Physical
    o Preventive: Technical
  Accountability
    o Review of Audit Information
    o Keystroke Monitoring
    o Protecting Audit Data and Log Information
  Access Control Practices
    o Unauthorized Disclosure of Information
  Access Control Monitoring
    o Intrusion Detection
    o Intrusion Prevention Systems
  A Few Threats to Access Control
    o Dictionary Attack
    o Brute Force Attacks
    o Spoofing at Logon
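The access control matrix, discretionary access control and role-based access control items above are easiest to see as one data structure viewed two ways. The following is an added example, not code from the course: a matrix whose column view is an ACL and whose row view is a capability list, a DAC rule that only an object's owner may delegate rights, and an RBAC store where permissions attach to roles rather than users. Subjects, objects, roles and rights are constructed for illustration.

```python
"""Access control matrix with its ACL (column) and capability (row) views,
discretionary granting by an object's owner, and role-based access control.

Added example for this module; it is not code from the original course.
All subjects, objects, roles and rights are constructed for illustration.
"""
from collections import defaultdict


class AccessControlMatrix:
    """Rows are subjects, columns are objects, each cell is the set of
    rights the subject holds on the object. Only non-empty cells are stored."""

    def __init__(self):
        self._cells = defaultdict(set)

    def add(self, subject, obj, *rights):
        self._cells[(subject, obj)].update(rights)

    def check(self, subject, obj, right):
        """The reference-monitor question: may subject perform right on obj?"""
        return right in self._cells.get((subject, obj), ())

    def acl(self, obj):
        """Column view: the object's access control list."""
        return {s: frozenset(r) for (s, o), r in self._cells.items() if o == obj and r}

    def capabilities(self, subject):
        """Row view: the subject's capability list."""
        return {o: frozenset(r) for (s, o), r in self._cells.items() if s == subject and r}

    def grant(self, granter, grantee, obj, right):
        """Discretionary access control: the owner of an object decides who
        else may access it. A subject without 'own' on obj cannot delegate."""
        if not self.check(granter, obj, "own"):
            raise PermissionError(f"{granter!r} does not own {obj!r}")
        self.add(grantee, obj, right)

    def revoke(self, revoker, subject, obj, right):
        if not self.check(revoker, obj, "own"):
            raise PermissionError(f"{revoker!r} does not own {obj!r}")
        self._cells[(subject, obj)].discard(right)


class RoleBasedAccessControl:
    """Permissions attach to roles, users are assigned roles. Removing a user
    from a role removes every permission that came with it in one step."""

    def __init__(self):
        self._role_perms = defaultdict(set)   # role -> {(obj, right)}
        self._user_roles = defaultdict(set)   # user -> {role}

    def permit(self, role, obj, right):
        self._role_perms[role].add((obj, right))

    def assign(self, user, role):
        self._user_roles[user].add(role)

    def unassign(self, user, role):
        self._user_roles[user].discard(role)

    def check(self, user, obj, right):
        return any((obj, right) in self._role_perms[r] for r in self._user_roles[user])


def build_example():
    """Constructed scenario used by the usage below."""
    acm = AccessControlMatrix()
    acm.add("alice", "payroll.xlsx", "read", "write", "own")
    acm.add("alice", "budget.doc", "read")
    acm.add("bob", "budget.doc", "read", "write", "own")

    rbac = RoleBasedAccessControl()
    rbac.permit("auditor", "audit.log", "read")
    rbac.permit("operator", "audit.log", "read")
    rbac.permit("operator", "audit.log", "rotate")
    rbac.assign("carol", "auditor")
    return acm, rbac


if __name__ == "__main__":
    acm, rbac = build_example()
    acm.grant("alice", "bob", "payroll.xlsx", "read")      # owner may delegate
    try:
        acm.grant("bob", "carol", "payroll.xlsx", "read")  # a mere reader may not
    except PermissionError as e:
        print("refused:", e)
    print("ACL for payroll.xlsx:", acm.acl("payroll.xlsx"))
    print("capabilities of bob:", acm.capabilities("bob"))
    print("carol reads audit.log:", rbac.check("carol", "audit.log", "read"))
    print("carol rotates audit.log:", rbac.check("carol", "audit.log", "rotate"))
```

The same matrix answers both "who can touch this file?" (the ACL, what a file server stores) and "what can this user do?" (the capability list, what a token or ticket carries); the DAC `grant` is the point where discretionary control differs from the mandatory models in the next module, where labels rather than owners decide.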

MODULE 5  Security Architecture and Design
  Computer Architecture
    o The Central Processing Unit
    o Multiprocessing
    o Operating System Architecture
    o Process Activity
    o Memory Management
    o Memory Types
    o Virtual Memory
    o CPU Modes and Protection Rings
    o Operating System Architecture
    o Domains
    o Layering and Data Hiding
    o The Evolution of Terminology
    o Virtual Machines
    o Additional Storage Devices
    o Input/Output Device Management
  System Architecture
    o Defined Subsets of Subjects and Objects
    o Trusted Computing Base
    o Security Perimeter
    o Reference Monitor and Security Kernel
    o Security Policy
    o Least Privilege
  Security Models
    o State Machine Models
    o The Bell-LaPadula Model
    o The Biba Model
    o The Clark-Wilson Model
    o The Information Flow Model
    o The Noninterference Model
    o The Lattice Model
    o The Brewer and Nash Model
    o The Graham-Denning Model
    o The Harrison-Ruzzo-Ullman Model
  Security Modes of Operation
    o Dedicated Security Mode
    o System High Security Mode
    o Compartmented Security Mode
    o Multilevel Security Mode
    o Trust and Assurance
  Systems Evaluation Methods
    o Why Put a Product through Evaluation?
  The Orange Book
    o The Orange Book and the Rainbow Series
    o The Red Book
  Information Technology Security Evaluation Criteria
  Common Criteria
  Certification vs. Accreditation
    o Certification
    o Accreditation
  Open vs. Closed Systems
    o Open Systems
    o Closed Systems
  Enterprise Architecture
  A Few Threats to Review
    o Maintenance Hooks
    o Time-of-Check/Time-of-Use Attacks
    o Buffer Overflows
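The Security Models items above (state machine, Bell-LaPadula, Biba, lattice) describe rules that are short enough to run. The following is an added example, not code from the course: a lattice label of level plus compartments with its dominance relation, the Bell-LaPadula and Biba read/write rules written as functions of that relation, and a minimal state machine whose only transition is a policy-checked access request, so that a system starting in a secure state can only reach secure states. Levels, compartments and the analyst/object labels are constructed for illustration.

```python
"""Bell-LaPadula and Biba access decisions over a lattice of labels, wrapped
in a small state-machine model whose only transitions are policy-checked
access requests.

Added example for the security-models topics of this module (state machine,
Bell-LaPadula, Biba, lattice); not code from the original course. The
levels, compartments and labels are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Label:
    """A point in the lattice: a hierarchical level plus a set of compartments."""
    level: int
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Partial order of the lattice model: higher-or-equal level and
        a superset of the other label's compartments."""
        return self.level >= other.level and self.compartments >= other.compartments


def bell_lapadula(subject: Label, obj: Label, op: str) -> bool:
    """Confidentiality. Simple security property: read only when the subject's
    clearance dominates the object (no read up). *-property: write only when
    the object dominates the subject (no write down)."""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


def biba(subject: Label, obj: Label, op: str) -> bool:
    """Integrity; the dual of Bell-LaPadula. Simple integrity axiom: read only
    when the object's integrity dominates the subject's (no read down).
    *-integrity axiom: write only when the subject dominates the object (no write up)."""
    if op == "read":
        return obj.dominates(subject)
    if op == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown operation {op!r}")


@dataclass
class SecureStateMachine:
    """State = the set of (subject, object, op) accesses currently granted.
    The initial state is empty (secure) and the only transition is request(),
    which refuses anything the policy forbids, so every reachable state is secure."""
    policy: object                         # bell_lapadula or biba
    labels: dict                           # name -> Label, for subjects and objects
    granted: set = field(default_factory=set)

    def request(self, subject: str, obj: str, op: str) -> bool:
        allowed = self.policy(self.labels[subject], self.labels[obj], op)
        if allowed:
            self.granted.add((subject, obj, op))
        return allowed


# Constructed clearances and classifications.
UNCLASSIFIED, CONFIDENTIAL, SECRET, TOP_SECRET = 0, 1, 2, 3
LABELS = {
    "analyst":        Label(SECRET, frozenset({"NUC"})),
    "weather-report": Label(UNCLASSIFIED),
    "nuc-plan":       Label(SECRET, frozenset({"NUC"})),
    "crypto-keys":    Label(SECRET, frozenset({"CRYPTO"})),   # same level, wrong compartment
    "ts-summary":     Label(TOP_SECRET, frozenset({"NUC"})),
}


def run_blp_scenario():
    """Decisions for a set of requests under Bell-LaPadula."""
    m = SecureStateMachine(bell_lapadula, LABELS)
    return {
        "read weather":  m.request("analyst", "weather-report", "read"),   # read down: ok
        "read nuc-plan": m.request("analyst", "nuc-plan", "read"),         # equal label: ok
        "read crypto":   m.request("analyst", "crypto-keys", "read"),      # missing compartment: denied
        "read ts":       m.request("analyst", "ts-summary", "read"),       # read up: denied
        "write ts":      m.request("analyst", "ts-summary", "write"),      # write up: ok
        "write weather": m.request("analyst", "weather-report", "write"),  # write down: denied
    }


if __name__ == "__main__":
    for k, v in run_blp_scenario().items():
        print(f"{k:14s} {'allowed' if v else 'denied'}")
    # Integrity is a separate lattice; here 2 = trusted, 0 = untrusted.
    print("biba: trusted process reads untrusted input:", biba(Label(2), Label(0), "read"))
    print("biba: trusted process writes untrusted log:", biba(Label(2), Label(0), "write"))
```

Note the compartment check: an analyst cleared SECRET/NUC is refused SECRET/CRYPTO even though the level matches, which is exactly the distinction between system-high and compartmented modes of operation listed above.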

MODULE 6  Physical and Environmental Security
  Introduction and Physical Security
  The Planning Process
    o Crime Prevention through Environmental Design
    o Designing a Physical Security Program
  Protecting Assets
    o Internal Support Systems
    o Electric Power
    o Environmental Issues
    o Ventilation
    o Fire Prevention, Detection, and Suppression
  Perimeter Security
    o Facility Access Control
    o Personnel Access Controls
    o External Boundary Protection Mechanisms
    o Intrusion Detection Systems
    o Patrol Force and Guards
    o Dogs
    o Auditing Physical Access
    o Testing and Drills

MODULE 7  Telecommunications and Network Security
  Open Systems Interconnection Reference Model
    o Protocol
    o Application Layer
    o Presentation Layer
    o Session Layer
    o Transport Layer
    o Network Layer
    o Data Link Layer
    o Physical Layer
    o Functions and Protocols in the OSI Model
    o Tying the Layers Together
  TCP/IP
    o TCP
    o IP Addressing
    o IPv6
  Types of Transmission
    o Analog and Digital
    o Asynchronous and Synchronous
    o Broadband and Baseband
  LAN Networking
    o Network Topology
    o LAN Media Access Technologies
    o Cabling
    o Transmission Methods
    o Media Access Technologies
    o LAN Protocols

MODULE 8  Cryptography
  The History of Cryptography
  Cryptography Definitions and Concepts
    o Kerckhoffs’s Principle
    o The Strength of the Cryptosystem
    o Services of Cryptosystems
    o One-Time Pad
    o Running and Concealment Ciphers
    o Steganography
  Governmental Involvement in Cryptography
  Types of Ciphers
    o Substitution Ciphers
    o Transposition Ciphers
  Methods of Encryption
    o Symmetric vs. Asymmetric Algorithms
    o Block and Stream Ciphers
    o Hybrid Encryption Methods
  Types of Symmetric Systems
    o Data Encryption Standard
    o Triple-DES
    o The Advanced Encryption Standard
    o International Data Encryption Algorithm
    o Blowfish
    o RC4
    o RC5
    o RC6
  Types of Asymmetric Systems
    o The Diffie-Hellman Algorithm
    o RSA
    o El Gamal
    o Elliptic Curve Cryptosystems
    o LUC
    o Knapsack
    o Zero Knowledge Proof
  Message Integrity
    o The One-Way Hash
    o Various Hashing Algorithms
    o Attacks against One-Way Hash Functions
    o Digital Signatures
    o Digital Signature Standard
  Public Key Infrastructure
    o Certificate Authorities
    o Certificates
    o The Registration Authority
    o PKI Steps
  Key Management
    o Key Management Principles
    o Rules for Keys and Key Management
  Link Encryption vs. End-to-End Encryption
  E-Mail Standards
    o Multipurpose Internet Mail Extensions
    o Privacy-Enhanced Mail
    o Message Security Protocol
    o Pretty Good Privacy
  Quantum Cryptography
  Internet Security
    o Start with the Basics
  Attacks
    o Ciphertext-Only Attack
    o Known-Plaintext Attacks
    o Chosen-Plaintext Attacks
    o Chosen-Ciphertext Attacks
    o Differential Cryptanalysis
    o Linear Cryptanalysis
    o Side-Channel Attacks
    o Replay Attacks
    o Algebraic Attacks
    o Analytic
    o Statistical
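Two items of this module meet in one small piece of code: the One-Time Pad from the definitions section, and the Known-Plaintext Attack from the attacks list. The following is an added example, not code from the course. It implements the pad correctly (random, as long as the message, used once) and then shows the failure mode that the "used once" rule exists to prevent: with two ciphertexts under the same pad the key cancels out, a known plaintext hands over the other message outright, and even a guessed fragment (a crib) dragged across the combined stream reveals readable pieces. The two messages and the fixed pad in the scenario are constructed.

```python
"""The one-time pad, and why a pad may never be reused: with two ciphertexts
under the same pad the key cancels out and a known-plaintext (crib) attack
on one message recovers the other.

Added example for the One-Time Pad and Attacks items of this module
(one-time pad, known-plaintext attack); not code from the original course.
The messages and the fixed pad in the scenario are constructed.
"""
import os


def otp(data: bytes, pad: bytes) -> bytes:
    """XOR data with the pad. Encryption and decryption are the same operation.
    The pad must be truly random, at least as long as the data, and used once."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, pad))


def fresh_pad(length: int) -> bytes:
    """A pad from the OS CSPRNG; generate a new one for every message."""
    return os.urandom(length)


def xor_of_plaintexts(c1: bytes, c2: bytes) -> bytes:
    """Two-time pad: (p1 XOR k) XOR (p2 XOR k) == p1 XOR p2. No key needed."""
    return otp(c1, c2)


def recover_with_known_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Known-plaintext attack on a reused pad: knowing p1 yields p2 directly."""
    return otp(xor_of_plaintexts(c1, c2), known_p1)


def crib_drag(p1_xor_p2: bytes, crib: bytes):
    """Partial known plaintext: slide a guessed fragment across p1 XOR p2.
    Where the crib really occurs in one message, the XOR reveals the other
    message's bytes at that offset; offsets that decode to printable text
    are the candidates an analyst would examine."""
    hits = []
    for i in range(len(p1_xor_p2) - len(crib) + 1):
        candidate = otp(p1_xor_p2[i:i + len(crib)], crib)
        if all(0x20 <= b < 0x7f for b in candidate):
            hits.append((i, candidate.decode("ascii")))
    return hits


# Constructed scenario: two same-length orders encrypted under ONE pad.
P1 = b"attack at dawn"
P2 = b"retreat at six"
REUSED_PAD = bytes(range(100, 100 + len(P1)))   # fixed only so the demo is repeatable


def demo_reuse():
    c1 = otp(P1, REUSED_PAD)
    c2 = otp(P2, REUSED_PAD)
    return {
        "p2_from_known_p1": recover_with_known_plaintext(c1, c2, P1),
        "crib_hits": crib_drag(xor_of_plaintexts(c1, c2), b" at "),
    }


if __name__ == "__main__":
    # Correct use: a fresh pad per message round-trips and leaks nothing.
    pad = fresh_pad(len(P1))
    assert otp(otp(P1, pad), pad) == P1
    r = demo_reuse()
    print("recovered:", r["p2_from_known_p1"])
    print("crib hits:", r["crib_hits"])
```

The crib `" at "` occurs in both constructed messages, so the drag reports two offsets that decode to text: position 6 reveals `t at` from the second message and position 7 reveals `at d` from the first. The same key-reuse weakness applies to any stream cipher whose keystream is reused, which is why the RC4 item above and nonce handling in general matter in practice.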

MODULE 9  Business Continuity and Disaster Recovery
  Business Continuity and Disaster Recovery
    o Business Continuity Steps
    o Making BCP Part of the Security Policy and Program
    o Project Initiation
  Business Continuity Planning Requirements
    o Business Impact Analysis
    o Preventive Measures
    o Recovery Strategies
    o Business Process Recovery
    o Facility Recovery
    o Supply and Technology Recovery
    o The End-User Environment
    o Data Backup Alternatives
    o Electronic Backup Solutions
    o Choosing a Software Backup Facility
    o Insurance
    o Recovery and Restoration
    o Developing Goals for the Plans
    o Implementing Strategies
    o Testing and Revising the Plan
    o Maintaining the Plan

MODULE 10  Legal, Regulations, Compliance, and Investigations
  The Many Facets of Cyberlaw
  The Crux of Computer Crime Laws
  Complexities in Cybercrime
    o Electronic Assets
    o The Evolution of Attacks
    o Different Countries
    o Types of Laws
  Intellectual Property Laws
    o Trade Secret
    o Copyright
    o Trademark
    o Patent
    o Internal Protection of Intellectual Property
    o Software Piracy
  Laws, Directives, and Regulations
    o Employee Privacy Issues
  Liability and Its Ramifications
    o Personal Information
    o Hacker Intrusion
  Investigations
    o Incident Response
    o Incident Response Procedures
  Computer Forensics and Proper Collection of Evidence
    o International Organization on Computer Evidence
    o Motive, Opportunity, and Means
    o Incident Investigators
    o The Forensics Investigation Process
    o What Is Admissible in Court?
    o Surveillance, Search, and Seizure
    o Interviewing and Interrogating
  A Few Different Attack Types
  Ethics
    o The Computer Ethics Institute
    o The Internet Architecture Board
    o Corporate Ethics Programs

MODULE 7  Telecommunications and Network Security (continued)
  Routing Protocols
  Networking Devices
    o Repeaters
    o Bridges
    o Routers
    o Switches
    o Gateways
    o PBXs
    o Firewalls
    o Honeypot
    o Network Segregation and Isolation
  Networking Services and Protocols
    o Network Operating Systems
    o Domain Name Service
    o Network Information System
    o Directory Services
    o Lightweight Directory Access Protocol
    o Network Address Translation
  Intranets and Extranets
  Metropolitan Area Networks
  Wide Area Networks
    o Telecommunications Evolution
    o Dedicated Links
    o WAN Technologies
  Remote Access
    o Dial-Up and RAS
    o ISDN
    o DSL
    o Cable Modems
    o VPN
    o Authentication Protocols
    o Remote Access Guidelines
  Wireless Technologies
    o Wireless Communications
    o WLAN Components
    o Wireless Standards
    o WAP
    o i-Mode
    o Mobile Phone Security
    o War Driving for WLANs
    o Satellites
    o 3G Wireless Communication
  Rootkits
  Spyware and Adware
  Instant Messaging

MODULE 11  Application Security
  Software’s Importance
  Where Do We Place the Security?
  Different Environments Demand Different Security
  Environment vs. Application
  Complexity of Functionality
  Data Types, Format, and Length
  Implementation and Default Issues
  Failure States
  Database Management
    o Database Management Software
    o Database Models
    o Database Programming Interfaces
    o Relational Database Components
    o Integrity
    o Database Security Issues
    o Data Warehousing and Data Mining
  System Development
    o Management of Development
    o Life-Cycle Phases
    o Software Development Methods
    o Computer-Aided Software Engineering
    o Prototyping
    o Change Control
    o The Capability Maturity Model
    o Software Escrow
  Application Development Methodology
    o Object-Oriented Concepts
    o Data Modeling
    o Software Architecture
    o Data Structures
    o Cohesion and Coupling
  Distributed Computing
    o CORBA and ORBs
    o COM and DCOM
    o Enterprise JavaBeans
    o Object Linking and Embedding
    o Distributed Computing Environment
  Expert Systems and Knowledge-Based Systems
  Artificial Neural Networks
  Web Security
    o Vandalism
    o Financial Fraud
    o Privileged Access
    o Theft of Transaction Information
    o Theft of Intellectual Property
    o Denial-of-Service (DoS) Attacks
    o Create a Quality Assurance Process
    o Web Application Firewalls
    o Intrusion Prevention Systems
    o Implement SYN Proxies on the Firewall
    o Specific Threats for Web Environments
  Mobile Code
    o Java
    o ActiveX
  Malicious Software (Malware)
    o Antivirus Software
    o Spam Detection
    o Anti-Malware Programs
  Patch Management
    o Step 1: Infrastructure
    o Step 2: Research
    o Step 3: Assess and Test
    o Step 4: Mitigation (“Rollback”)
    o Step 5: Deployment (“Rollout”)
    o Step 6: Validation, Reporting, and Logging
    o Limitations to Patching
    o Best Practices
    o Anything Else?
  Attacks

MODULE 12  Operations Security
  The Role of the Operations Department
  Administrative Management
    o Security and Network Personnel
    o Accountability
    o Clipping Levels
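A clipping level is the threshold of ordinary errors an operations team tolerates before an event is treated as suspicious. The following is an added example, not code from the course: it applies a clipping level to failed logins, counting failures per account inside a sliding window and raising an alert only when the count passes the threshold, so a user's two typos stay out of the alert stream while the dictionary and brute-force attacks listed under Access Control do not. The log lines are constructed in sshd's usual wording, and the threshold of 5 failures in 10 minutes is an assumed setting rather than a value from the course.

```python
"""Clipping levels applied to authentication failures: count failed logins
per account inside a sliding window and raise an alert only when the count
passes the threshold.

Added example for the Clipping Levels item of this module (and the
dictionary/brute-force threats of the Access Control module); not code from
the original course. The log lines are constructed in sshd's usual format
and the threshold and window are assumed values.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

FAILED = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+)"
)

# Constructed sample log (ISO timestamps for readability).
SAMPLE_LOG = """\
2024-03-01T09:00:00 sshd[1001]: Failed password for alice from 198.51.100.4 port 50212 ssh2
2024-03-01T09:00:30 sshd[1002]: Failed password for alice from 198.51.100.4 port 50213 ssh2
2024-03-01T09:01:10 sshd[1003]: Accepted password for alice from 198.51.100.4 port 50214 ssh2
2024-03-01T09:05:00 sshd[1010]: Failed password for root from 203.0.113.7 port 40001 ssh2
2024-03-01T09:05:05 sshd[1011]: Failed password for root from 203.0.113.7 port 40002 ssh2
2024-03-01T09:05:10 sshd[1012]: Failed password for root from 203.0.113.7 port 40003 ssh2
2024-03-01T09:05:15 sshd[1013]: Failed password for root from 203.0.113.7 port 40004 ssh2
2024-03-01T09:05:20 sshd[1014]: Failed password for root from 203.0.113.7 port 40005 ssh2
2024-03-01T09:05:25 sshd[1015]: Failed password for root from 203.0.113.7 port 40006 ssh2
2024-03-01T09:05:30 sshd[1016]: Failed password for root from 203.0.113.7 port 40007 ssh2
2024-03-01T09:10:00 sshd[1020]: Failed password for invalid user bob from 192.0.2.9 port 41000 ssh2
2024-03-01T09:25:00 sshd[1021]: Failed password for invalid user bob from 192.0.2.9 port 41001 ssh2
2024-03-01T09:40:00 sshd[1022]: Failed password for invalid user bob from 192.0.2.9 port 41002 ssh2
2024-03-01T09:55:00 sshd[1023]: Failed password for invalid user bob from 192.0.2.9 port 41003 ssh2
2024-03-01T10:10:00 sshd[1024]: Failed password for invalid user bob from 192.0.2.9 port 41004 ssh2
2024-03-01T10:25:00 sshd[1025]: Failed password for invalid user bob from 192.0.2.9 port 41005 ssh2
"""


@dataclass(frozen=True)
class Alert:
    when: datetime
    user: str
    source_ip: str
    failures: int


def apply_clipping_level(lines, threshold: int = 5, window: timedelta = timedelta(minutes=10)):
    """Return an Alert for the moment an account's failures within `window`
    first exceed `threshold`. Failures at or below the clipping level are
    logged but not alerted on; a later burst that crosses it again alerts again."""
    recent = defaultdict(deque)   # user -> timestamps of failures still inside the window
    alerts = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue                      # successes and unrelated lines are not counted
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["user"]]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) == threshold + 1:       # first failure above the clipping level
            alerts.append(Alert(ts, m["user"], m["ip"], len(q)))
    return alerts


if __name__ == "__main__":
    for a in apply_clipping_level(SAMPLE_LOG.splitlines()):
        print(f"{a.when.isoformat()} {a.user} from {a.source_ip}: "
              f"{a.failures} failures inside the window")
```

Run over the constructed log, only the `root` burst from 203.0.113.7 crosses the level (the sixth failure at 09:05:25); `alice` stays under it, and `bob` fails six times but spread 15 minutes apart, so the sliding window never holds more than one of them. Tuning the window and threshold is exactly the trade-off the clipping-level concept describes: too low and the alert stream fills with typos, too high and a slow password-guessing run never trips it.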

