CISSP - Certified Information Systems Security Professional

Transcription

1 CISSP - Certified Information Systems Security Professional The primary goal of the CISSP program is to prepare students to display their knowledge in industry standards in the following areas: Access Control; Application Security; Business Continuity and Disaster Recovery Planning; Cryptography; Information and Security Risk Management; and Legal Regulations, Compliance, and Investigations. Computer, information and physical security are becoming more important at an exponential rate since the continual increase in computer crimes. The necessity for computer and information security has grown rapidly as web sites have been defaced. Denial of service attacks have increased, credit card information has been stolen, publicly available hacking tools have become more sophisticated and today s viruses and worms cause more damage than ever before. This section of the Security Program is dedicated to providing a foundation of the many different areas that make up effective security. It helps prepare students pursuing a career in Information Technology and provide the proper education to recognize all of the threats and dangers we are vulnerable to and the steps that must be taken to mitigate these vulnerabilities. Every Network Administrator and Engineer needs to be well versed in all areas of security. Companies have had to spend millions of dollars to clean up the effects of these issues and millions of dollars more to secure their perimeter and internal networks with equipment, software, consultants and education. But after September 11, 2001, the necessity and urgency for this type of security has taken on a new paradigm. It is slowly becoming apparent that governments, nations and societies are vulnerable to many different types of attacks that can happen over the network wire and airwaves. Societies depend heavily on all types of computing power and functionality, mostly provided by the public and private sectors. This means that although governments are responsible for protecting their citizens, it is becoming apparent that the citizens and their businesses must become more secure to protect the nation as a whole. The CISSP section of the program prepares IT managers and managers pursuing other career fields the vital task of becoming familiar with and up to date on today s security issues and challenges. This type of protection can really only begin through proper education and understanding and must continue with the dedicated execution of this knowledge. Course Outline MODULE 1 Becoming a CISSP Why Become a CISSP The CISSP exam CISSP: A Brief History How Do You Become a CISSP Recertification Requirements What Does This Book Cover 1

2 Tips for Taking the CISSP Exam MODULE 2 Security Trends How Security Became an Issue Areas of Security Benign to Scary Evidence of the Evolution of Hacking How Are Nations Affected? How Are Companies Affected? The U.S. Government s Action? So What Does This Mean to Us? Hacking and Attacking Management Internet and Web Activities Two-Tier Architecture Database Roles A Layered Approach An Architectural View A Layer Missed Bringing the Layers Togeth Politics and Laws MODULE 3 Information Security and Risk Management Security Management Security Management Responsibilities The Top-Down Approach to Security Security Administration and Supporting Controls Fundamental Principles of Security Security Definitions Security through Obscurity Organizational Security Model Security Program Components Business Requirements: Private Industry vs. Military Organizations Information Risk Management Who Really Understands Risk Management? Information Risk Management Policy The Risk Management Team The Risk Analysis The Risk Analysis Team The Value of Information and Assets Costs that Make Up the Value Identifying Threats Failure and Fault Analysis Quantitative Risk Analysis 2

3 Qualitative Risk Analysis Qualitative vs. Qualitative Protection Mechanisms Putting It Together Total Risk vs. Residual Risk Handling Risk Policies Standards, Baselines, Guidelines, and Procedures Security Policy Standards Baselines Guidelines Procedures Implementation Information Classification Private Business vs. Military Classifications Classification Controls Layers of Responsibility Who s Involved? The Data Owner The Data Custodian The System Owner The Security Administrator The Security Analyst The Application Owner The Supervisor The Change Control Analyst The Data Analyst The Process Owner The Solution Provider The User The Product Line Manager The Auditor Why So Many Roles? Personnel Structure Hiring Practices Employee Controls Termination Security-Awareness Training Different Types of Security-Awareness Training Evaluating the Program Specialized Security Training 3

4 MODULE 4 Access Control Access Controls Overview Security Principles Availability Integrity Confidentiality Identification, Authentication, Authorization, and Accountability o Identification and Authentication o Authorization Access Control Models o Discretionary Access Control o Mandatory Access Control o Role-Based Access Control Access Control Techniques and Technologies o Rule-Based Access Control o Constrained User Interfaces o Access Control Matrix o Content-Dependent Access Control o Context-Dependent Access Control Access Control Administration o Centralized Access Control Administration o Decentralized Access Control Administration o Access Control Methods o Access Control Layers Administrative Controls o Physical Controls o Technical Controls Access Control Types o Preventive: Administrative o Preventive: Physical o Preventive: Technical Accountability o Review of Audit Information o Keystroke Monitoring Protecting Audit Data and Log Information o Access Control Practices o Unauthorized Disclosure of Information Access Control Monitoring o Intrusion Detection o Intrusion Prevention Systems A Few Threats to Access Control o Dictionary Attack o Brute Force Attacks o Spoofing at Logon 4

5 MODULE 5 Security Architecture and Design Computer Architecture o The Central Processing Unit o Multiprocessing o Operating System Architecture o Process Activity o Memory Management o Memory Types o Virtual Memory o CPU Modes and Protection Rings o Operating System Architecture o Domains o Layering and Data Hiding o The Evolution of Terminology o Virtual Machines o Additional Storage Devices o Input/Output Device Management System Architecture o Defined Subsets of Subjects and Objects o Trusted Computing Base o Security Perimeter o Reference Monitor and Security Kernel o Security Policy o Least Privilege Security Models o State Machine Models o The Bell-LaPadula Model o The Biba Model o The Clark-Wilson Model o The Information Flow Model o The Noninterference Model o The Lattice Model o The Brewer and Nash Model o The Graham-Denning Model o The Harrison-Ruzzo-Ulman Model Security Modes of Operation Dedicated Security Mode SystemHighSecurity Mode Compartmented Security Mode Multilevel Security Mode Trust and Assurance o Systems Evaluation Methods Why Put a Product through Evaluation? The Orange Book 5

6 o The Orange Book and the Rainbow Series The Red Book o Information Technology Security Evaluation Criteria o Common Criteria o Certification vs. Accreditation Certification Accreditation o Open vs. Closed Systems Open Systems Closed Systems o Enterprise Architecture o A Few Threats to Review Maintenance Hooks Time-of Check/Time-of Use Attacks Buffer Overflows MODULE 6 Physical and Environmental Security Introduction and Physical Security The Planning Process o Crime Prevention through Environmental Design o Designing a Physical Security Program Protecting Assets o Internal Support Systems o Electric Power o Environmental Issues o Ventilation o Fire Prevention, Detection, and Suppression Perimeter Security o Facility Access Control o Personnel Access Controls o External Boundary Protection Mechanisms o Intrusion Detection Systems o Patrol Force and Guards o Dogs o Auditing Physical Access o Testing and Drills MODULE 7 Telecommunications and Network Security Open Systems Interconnection Reference Model o Protocol o Application Layer o Presentation Layer o Session Layer o Transport Layer o Network Layer o Data Link Layer o Physical Layer 6

7 o Functions and Protocols in the OSI Model o Tying the Layers Together TCP/IP o TCP o IP Addressing o IPv6 Types of Transmission o Analog and Digital o Asynchronous and Synchronous o Broadband and Baseband o LAN Networking Network Topology LAN Media Access Technologies Cabling Transmission Methods Media Access Technologies LAN Protocols MODULE 8 Cryptography The History of Cryptography Cryptography Definitions and Concepts o Kerckhoff s Principle o The Strength of the Cryptosystem o Services of Cryptosystems o One-Time Pad o Running and Concealment Ciphers o Steganography Governmental Involvement in Cryptography Types of Ciphers o Substitution Ciphers o Transposition Ciphers Methods of Encryption o Symmetric vs. Asymmetric Algorithms o Block and Stream Ciphers o Hybrid Encryption Methods Types of Symmetric Systems o Data Encryption Standard o Triple-DES o The Advanced Encryption Standard o International Data Encryption Algorithm o Blowfish o RC4 o RC5 o RC6 Types of Asymmetric Systems o The Diffie-Hellman Algorithm o RSA 7

8 o El Gamal o Elliptic Curve Cryptosystems o LUC o Knapsack o Zero Knowledge Proof o Message Integrity o The One-Way Hash o Various Hashing Algorithms o Attacks against One-Way Hash Functions o Digital Signatures o Digital Signature Standard Public Key Infrastructure o Certificate Authorities o Certificates o The Registration Authority o PKI Steps Key Management o Key Management Principles o Rules for Keys and Key Management Link Encryption vs. End-to-End Encryption Standards o Multipurpose Internet Mail Extension o Privacy-Enhanced Mail o Message Security Protocol o Pretty Good Privacy o Quantum Cryptography Internet Security o Start with the Basics Attacks o Cipher-Only Attack o Known-Plaintext Attacks o Chosen-Plaintext Attacks o Chosen-Ciphertext Attacks o Differential Cryptanalysis o Liner Cryptanalysis o Side-Channel Attacks o Replay Attacks o Algebraic Attacks o Analytic o Statistical MODULE 9 Business Continuity and Disaster Recovery Business Continuity and Disaster Recovery o Business Continuity Steps o Making BCP Part of the Security Policy and Program o Project Initiation Business Continuity Planning Requirements 8

9 o Business Impact Analysis o Preventive Measures o Recovery Strategies o Business Process Recovery o Facility Recovery o Supply and Technology Recovery o The End-User Environment o Data Backup Alternatives o Electronic Backup Solutions o Choosing a Software Backup Facility o Insurance o Recovery and Restoration o Developing Goals for the Plans o Implementing Strategies o Testing and Revising the Plan o Maintaining the Plan MODULE 10 Legal, Regulations, Compliance, and Investigations The Many Facets of Cyberlaw The Crux of Computer Crime Laws Complexities in Cybercrime o Electronic Assets o The Evolution of Attacks o Different Countries o Types of Laws Intellectual Property Laws o Trade Secret o Copyright o Trademark o Patent o Internal Protection of Intellectual Property o Software Piracy o Laws, Directives, and Regulations o Employee Privacy Issues Liability and its Ramifications o Personal Information o Hacker Intrusion Investigations o Incident Response o Incident Response Procedures Computer Forensics and Proper Collection of Evidence o International Organization on Computer Evidence o Motive, Opportunity, and Means o Incident Investigators o The Forensics Investigation Process o What is Admissible in Court? o Surveillance, Search, and Seizure 9

10 o Interviewing and Interrogating o A Few Different Attack Types Routing Protocols Networking Devices o Repeaters o Bridges o Routers o Switches o Gateways o PBXs o Firewalls o Honeypot o Network Segregation and Isolation Networking Services and Protocols o Network Operating Systems o Domain Name Service o Network Information System o Directory Services o Lightweight Directory Access Protocol Network Address Translation o Intranets and Extranets o Metropolitan Area Networks Wide Area Networks o Telecommunications Evolution o Dedicated Links o WAN Technologies Remote Access o Dial-Up and RAS o ISDN o DSL o Cable Modems o VPN o Authentication Protocols o Remote Access Guidelines Wireless Technologies o Wireless Communications o WLAN Components o Wireless Standards o WAP o i-mode o Mobile Phone Security o War Driving for WLANs o Satellites o 3G Wireless Communication Rootkits o Spyware and Adware o Instant Messaging 10

11 Ethics o The Computer Ethics Institute o The Internet Architecture Board o Corporate Ethics Programs MODULE 11 Application Security Software s Importance Where Do We Place the Security? Different Environments Demand Different Security Environment vs. Application Complexity of Functionality Data Types, Format, and Length Implementation and Default Issues Failure States Database Management o Database Management Software o Database Models o Database Programming Interfaces o Relational Database Components o Integrity o Database Security Issues o Data Warehousing and Data Mining System Development o Management of Development o Life-Cycle Phases o Software Development Methods o Computer-Aided Software Engineering o Prototyping o Change Control o The Capability Maturity Model o Software Escrow Application Development Methodology o Object-Oriented Concepts o Data Modeling o Software Architecture o Data Structures o Cohesion and Coupling Distributed Computing o CORBA and ORBs o COM and DCOM o Enterprise JavaBeans o Object Linking and Embedding o Distributed Computing Environment Expert Systems and Knowledge-Based Systems Artificial Neural Networks Web Security o Vandalism 11

12 o Financial Fraud o Privileged Access o Theft of Transaction Information o Theft of Intellectual Property o Denial-of Service (DOS) Attacks o Create a Quality Assurance Process o Web Application Firewalls o Intrusion Prevention Systems o Implement SYN Proxies on the Firewall o Specific Threats for Web Environments Mobile Code Java ActiveX Malicious Software (Malware) Antivirus Software Spam Detection Anti-Malware Programs Patch Management o Step 1: Infrastructure o Step 2: Research o Step 3: Assess and Test o Step 4: Mitigation ( Rollback ) o Step 5: Deployment ( Rollout ) o Step 6: Validation, Reporting, and Logging o Limitations to Patching o Best Practices o Anything Else? o Attacks MODULE 12 Operations Security The Role of the Operations Department Administrative Management o Security and Network Personnel o Accountability o Clipping Levels 12