Table of Contents (CISSP 2012 Edition)

Transcription

1 Table of Contents (CISSP 2012 Edition) CONTENT UPDATES... 6 ABOUT THIS BOOK... 7 NETWORK INFRASTRUCTURE, PROTOCOLS AND TECHNOLOGIES... 8 OPEN SYSTEM INTERCONNECT... 8 LAN NETWORKING...10 ROUTING AND SWITCHING...13 IP ADDRESSING...14 WIRELESS BASED LOCAL AREA NETWORKING...16 RFID...20 WAN NETWORKING AND ACCESS AGGREGATION...20 VOIP...23 CLOUD COMPUTING...23 ERP...25 SERVICE PACKS AND PATCHES...27 CAS AND OTHER SSO MECHANISMS...28 INFOCARD AND OPENID...28 OTP AND KYPS...29 DACS...29 SAML AND WS-SECURITY...30 OVAL...30 OPSEC...31 SPECIAL CONSIDERATIONS...31 WINDOWS, LINUX, NETWARE AND IPV WINDOWS NETWORKING...36 WINDOWS BASED WEB SERVICE...37 LINUX NETWORKING...38 NETWARE NETWORKING...39 TCP/IP SPECIFIC SECURITY RISKS...42 COMPUTER AND NETWORK SECURITY...50 SECURITY PLANNING...50 EQUIPMENTS AND DEVICES

2 POINTS OF FAILURE...53 MALWARE...54 VIRUSES AND WORMS...54 SPYWARE...55 TROJAN HORSE...55 KEYSTROKE LOGGER...56 SOFTWARE FLAWS...56 SNIFFING, EAVESDROPPING AND FOOTPRINTING...57 DOS AND DDOS...59 SOCIAL ENGINEERING...59 IDENTITY THEFT...60 BACKDOORS AND ROOTKITS...61 OTHER VULNERABILITIES...62 P3P...63 DATABASE SPECIFIC RISKS...63 CONCEALING HARD DISK DATA...65 CRYPTOGRAPHY...70 OVERVIEW...70 DES...70 IPSEC AND SSL...70 SYMMETRIC AND ASYMMETRIC ALGORITHMS...71 DIGITAL SIGNATURE...72 HASH FUNCTION...72 PGP...73 DISK BASED ENCRYPTION...73 EES...73 OPENSSL...74 OCSP AND CRL...75 SECURITY STRATEGIES...77 INFORMATION SECURITY BASELINES...77 POLICIES AND CONTROLS...77 INTERNAL PREVENTIVE CONTROLS VERSUS COMPENSATING CONTROLS...83 ORANGE BOOK...84 INTERNET SECURITY...85 FIREWALL SECURITY...86 VIRUS SECURITY...87 WEB SERVER SECURITY...87 NAME RESOLUTION SECURITY...88 MAIL SERVER SECURITY

3 RAS SERVER SECURITY...89 PROXY SERVER SECURITY...89 AUTHENTICATION SERVER SECURITY...90 IM SECURITY...90 INCIDENT RESPONSE...91 COVERT CHANNEL ANALYSIS...92 CHANGE CONTROL...93 PLANNING AND SCOPING OF THE ASSESSMENT OF RISK...95 METHODOLOGIES FOR PROPER ASSESSMENT OF RISK...96 INCIDENT MONITORING...98 CSIRT...99 OWNERSHIP & RESPONSIBILITY ACCOUNTS AND PASSWORD MANAGEMENT SECURITY AWARENESS TRAINING CONTINUITY AND DISASTER RECOVERY CONTINGENCY VS CONTINUITY DRP AND COOP BUSINESS IMPACT ANALYSIS BCP VS BCP (PLANNING VS PLAN) BCM, BCMT AND BCSC BCP AT THE DEPARTMENTAL LEVEL HAZARDOUS COMMUNICATION SITE ARRANGEMENT PREFABRICATED BUILDING AND TERTIARY LOCATION AN ACTIVE/ACTIVE MODEL TO RESOURCE REDUNDANCY REPLICATION, MIRRORING AND VAULTING SERVICE AGREEMENT DATA SYNCHRONIZATION CONCERN REMOTE ACCESS CONCERN SITE SECURITY SECURITY THEORIES AND ACCESS CONTROL MODELS DEFAULT DENY AND DEFAULT PERMIT TRUSTED SYSTEM VS UNTRUSTED SYSTEM THE COMPUTER SYSTEM ITSELF AS LARGELY AN UNTRUSTED SYSTEM DEFENSE IN DEPTH MODELS ACLS VERSUS CAPABILITIES THE AAA CONCEPT RECOMMENDED ACCESS CONTROL MEASURES

4 PHYSICAL SECURITY FOR COMPUTER EQUIPMENTS GENERAL GUIDELINES PHYSICAL SITE PREPARATION AND MANAGEMENT FIRE PROTECTION MAINTENANCE AND TESTING EQUIPMENT AND MEDIA MANAGEMENT STANDARDS AND GUIDELINES THE ISC2 CODE OF ETHICS THE SARBANES OXLEY ACT AND THE COSO FRAMEWORK SOGP COMMON CRITERIA (CC) HIPAA OECD GUIDELINES CEI S COMMANDMENTS OF ETHICS COBIT ISO STANDARDS VAL IT ITAF FISMA OTHER STANDARDS ADVANCED SECURITY TOPICS ENDPOINT SECURITY SOFTWARE AS A SERVICE SECURITY VIRTUALIZATION SECURITY STORAGE SECURITY NAME RESOLUTION SECURITY INFORMATION SECURITY PLANNING, MANAGEMENT AND GOVERNANCE IT STRATEGIC PLANNING SWOT ANALYSIS IT OPERATIONS MANAGEMENT INFORMATION MANAGEMENT POLICY ENTERPRISE SECURITY ORGANIZATIONAL STRUCTURE AND SUPPORT SENIOR MANAGEMENT SUPPORT

5 INFORMATION SECURITY PROGRAM AND POLICY DEVELOPMENT FROM A STRATEGIC PERSPECTIVE IS GOVERNANCE HR AND SECURITY CONCERNS ON M & A CHANGE MANAGEMENT CHANGE MANAGEMENT VS CHANGE CONTROL CONFIGURATION MANAGEMENT PREPARING FOR EMERGENCY RESPONSE RESPONDING TO INCIDENTS AND MANAGING RECOVERY RISK MANAGEMENT THE INFOSEC ASSESSMENT METHODOLOGY (IAM) LOSS CALCULATIONS SECURITY SYSTEM DESIGN GENERAL GUIDELINES DEVELOPMENT MODELS AND FRAMEWORKS SOFTWARE TESTING THE RELEVANT BUSINESS AND LEGAL DISCIPLINES BUSINESS PROCESS REENGINEERING BALANCED SCORECARD OUTSOURCING QUOTATIONS AND TENDERS RFP LOI RFEI RFSQ SOURCE SELECTION PLAN VENDORS OF RECORD SERVICE LEVEL AGREEMENT, DISCLAIMER AND THE WARRANTY/LIABILITY TERMS INVESTIGATION COMPUTER FORENSICS