CISSP by Mind Map: CISSP

1. Security and Risk Management

1.1. Fundamental Principles of Security

1.1.1. Availability

1.1.2. Integrity

1.1.3. Confidentiality

1.1.4. Balanced Security

1.2. Security Definitions

1.2.1. threat agent

1.2.2. threat

1.2.3. vulnerability

1.2.4. risk

1.2.5. Asset

1.2.6. exposure

1.2.7. control

1.2.8. Safeguard

1.3. Control Types

1.3.1. Administrative

1.3.2. Technical

1.3.3. Physical

1.3.4. Functionalities: Preventive, Detective, Corrective, Deterrent, Recovery, Compensating

1.3.5. defense-in-depth

1.4. Security Framework

1.4.1. ISO/IEC 27000 Series

1.4.2. Enterprise Architecture Development: NIST enterprise architecture framework, Zachman Architecture Framework, The Open Group Architecture Framework (TOGAF), Military-Oriented Architecture Frameworks (Department of Defense Architecture Framework (DoDAF), Ministry of Defence Architecture Framework (MODAF)), Enterprise Security Architecture (Sherwood Applied Business Security Architecture (SABSA)), Strategic Alignment, Business Enablement, Process Enhancement, Security Effectiveness, Enterprise vs. System Architectures

1.4.3. Security Controls Development: Control Objectives for Information and related Technology (COBIT), NIST SP 800-53, COSO Internal Control—Integrated Framework; Process Management Development: ITIL (formerly the Information Technology Infrastructure Library), Six Sigma, Capability Maturity Model Integration (CMMI)

1.4.4. Functionality vs. Security

1.5. The Crux Of Computer Crime Laws

1.5.1. computer-assisted crime

1.5.2. computer-targeted crime

1.5.3. computer is incidental

1.6. Complexities in Cybercrime

1.6.1. Electronic Assets

1.6.2. The Evolution of Attacks: advanced persistent threat (APT), Internet Relay Chat (IRC)

1.6.3. International Issues: Council of Europe (CoE) Convention on Cybercrime, Organisation for Economic Co-operation and Development (OECD), European Union Principles on Privacy, Safe Harbor Privacy Principles, Import/Export Legal Requirements (Wassenaar Arrangement, cryptographic import restrictions)

1.6.4. Types of Legal Systems: Civil (Code) Law System, Common Law System, Customary Law System, Religious Law System, Mixed Law System

1.7. Intellectual Property Laws

1.7.1. Trade Secret

1.7.2. Copyright law

1.7.3. Trademark

1.7.4. Patent

1.7.5. Software Piracy

1.8. Privacy

1.8.1. The Increasing Need for Privacy Laws

1.8.2. Laws, Directives, and Regulations: Federal Privacy Act of 1974, Federal Information Security Management Act of 2002, Department of Veterans Affairs Information Security Protection Act, Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health (HITECH) Act, USA PATRIOT Act, Gramm-Leach-Bliley Act (GLBA), Personal Information Protection and Electronic Documents Act, Payment Card Industry Data Security Standard (PCI DSS)

1.8.3. Employee Privacy Issues

1.9. Data Breaches

1.9.1. US Laws Pertaining to Data Breaches: HIPAA, HITECH Act, GLBA, Economic Espionage Act of 1996, State Laws

1.9.2. Other Nations' Laws Pertaining to Data Breaches: European Union, Other Countries

1.10. Policies, Standards, Baselines, Guidelines, and Procedures

1.10.1. Security Policies

1.10.2. Standards

1.10.3. Baselines

1.10.4. Guidelines

1.10.5. Procedures

1.10.6. Implementations

1.11. Risk Management

1.11.1. Holistic Risk Management

1.11.2. Information Systems Risk Management Policy

1.11.3. The Risk Management Team

1.11.4. The Risk Management Process

1.12. Threat Modeling

1.12.1. Vulnerabilities: Information (Data at rest, Data in motion, Data in use), Processes, People (Social engineering, Social networks, Passwords)

1.12.2. Threats

1.12.3. Attacks

1.12.4. Reduction Analysis

1.13. Risk Assessment and Analysis

1.13.1. Risk Assessment and Analysis Team

1.13.2. The Value of Information and Assets

1.13.3. Costs That Make Up the Value

1.13.4. Identifying Vulnerabilities and Threats

1.13.5. Methodology of Risk Assessment: NIST, FRAP, OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), AS/NZS 4360, Failure Modes and Effect Analysis (FMEA), CRAMM (Central Computing and Telecommunications Agency Risk Analysis and Management Method)

1.13.6. Risk Analysis Approaches: quantitative risk analysis, qualitative risk analysis, Steps of a Quantitative Risk Analysis, single loss expectancy (SLE), annual loss expectancy (ALE), exposure factor (EF)

1.13.7. Qualitative Risk Analysis

1.13.8. Protection Mechanisms: Control Selection, Functionality and Effectiveness of Countermeasures

1.13.9. Putting It Together

1.13.10. Total Risk vs. Residual Risk, Handling Risk

1.13.11. Outsourcing

1.14. Risk Management Framework

1.14.1. Categorize Information System

1.14.2. Select Security Controls

1.14.3. Implement Security Controls

1.14.4. Assess Security Controls

1.14.5. Authorize Information System

1.14.6. Monitor Security Controls

1.15. Business Continuity and Disaster Recovery

1.15.1. Standard and Best Practices

1.15.2. Making BCM Part of the Enterprise Security Program

1.15.3. BCP Project Components: Scope of the Project, BCP Policy, Project Management, Business Continuity Planning Requirements, Business Impact Analysis (BIA), Risk Assessment, Risk Assessment Evaluation and Process, Assigning Values to Assets, Interdependencies

1.16. Personnel Security

1.16.1. Hiring Practices

1.16.2. Termination

1.16.3. Security-Awareness Training

1.16.4. Degree or Certification?

1.17. Security Governance

1.17.1. Metrics

1.18. Ethics

1.18.1. The Computer Ethics Institute

1.18.2. The Internet Architecture Board

1.18.3. Corporate Ethics Programs

1.19. Summary

2. Asset Security

2.1. Information Life Cycle

2.1.1. Acquisition

2.1.2. Use

2.1.3. Archival

2.1.4. Disposal

2.2. Information Classification

2.2.1. Classification Levels

2.2.2. Classification Controls

2.3. Layers of Responsibility

2.3.1. Executive Management: chief executive officer (CEO), chief financial officer (CFO), chief information officer (CIO), chief privacy officer (CPO), chief security officer (CSO)

2.3.2. Data Owner

2.3.3. Data Custodian

2.3.4. System Owner

2.3.5. Security Administrator

2.3.6. Supervisor

2.3.7. Change Control Analyst

2.3.8. Data Analyst

2.3.9. User

2.3.10. Auditor

2.3.11. Why So Many Roles?

2.4. Retention Policies

2.4.1. Developing a Retention Policy: How We Retain, How Long We Retain, What Data We Retain

2.5. Protecting Privacy

2.5.1. Data Owners

2.5.2. Data Processors

2.5.3. Data Remanence

2.5.4. Limits on Collection

2.6. Protecting Assets

2.6.1. Data Security Controls: Data at Rest, Data in Motion, Data in Use

2.6.2. Media Controls

2.7. Data Leakage

2.7.1. Data Leak Prevention: Data leak prevention (DLP), Data Inventories, Data Flows, Data Protection Strategy, DLP Resiliency, Network DLP (NDLP), Endpoint DLP (EDLP), Hybrid DLP

2.8. Protecting Other Assets

2.8.1. Protecting Mobile Devices

2.8.2. Paper Records

2.8.3. Safes

2.9. Summary

3. Security Engineering

3.1. System Architecture

3.2. Computer Architecture

3.2.1. The Central Processing Unit: arithmetic logic unit (ALU), General registers, Special registers (dedicated registers), program counter register, program status word (PSW), address bus, fetch request, data bus

3.2.2. Multiprocessing: symmetric mode, asymmetric mode

3.2.3. Memory Types: Random access memory (RAM), dynamic RAM (DRAM), Static RAM (SRAM), Read-only memory (ROM), Programmable read-only memory (PROM), Erasable programmable read-only memory (EPROM), Flash memory, Cache memory, Memory Mapping, buffer overflow, Memory Protection Techniques, Memory Leaks

3.3. Operating Systems

3.3.1. Process Management: Memory Stacks, Thread Management, Process Scheduling, Process Activity

3.3.2. Memory Management: Virtual Memory

3.3.3. Input/Output Device Management: Interrupts, Programmable I/O, Interrupt-Driven I/O, I/O Using DMA, Premapped I/O, Fully Mapped I/O

3.3.4. CPU Architecture Integration

3.3.5. Operating System Architectures

3.3.6. Virtual Machines

3.4. Systems Security Architecture

3.4.1. Security Policy

3.4.2. Security Architecture Requirements: trusted computing base (TCB), Security Perimeter, Reference Monitor, security kernel

3.5. Security Models

3.5.1. Bell-LaPadula Model

3.5.2. Biba Model

3.5.3. Clark-Wilson Model

3.5.4. Noninterference Model

3.5.5. Brewer and Nash Model

3.5.6. Graham-Denning Model

3.5.7. Harrison-Ruzzo-Ullman Model

3.6. Systems Evaluation

3.6.1. Common Criteria

3.6.2. Why Put a Product Through Evaluation?

3.7. Certification vs. Accreditation

3.7.1. Certification

3.7.2. Accreditation

3.8. Open vs. Closed Systems

3.8.1. Open Systems

3.8.2. Closed Systems

3.9. Distributed System Security

3.9.1. Cloud Computing

3.9.2. Parallel Computing

3.9.3. Databases

3.9.4. Web Applications

3.9.5. Mobile Devices

3.9.6. Cyber-Physical Systems: Embedded Systems, Internet of Things, Industrial control systems (ICS) (Programmable logic controllers (PLCs), distributed control system (DCS), supervisory control and data acquisition (SCADA)), ICS Security

3.10. A Few Threats to Review

3.10.1. Maintenance Hooks

3.10.2. Time-of-check/Time-of-use Attacks

3.11. Cryptography in Context

3.11.1. The History of Cryptography: scytale cipher, Caesar cipher, polyalphabetic substitution cipher for Henry III, rotor cipher machine, Lucifer, Cryptanalysis

3.12. Cryptography Definitions and Concepts

3.12.1. Kerckhoffs's Principle

3.12.2. The Strength of the Cryptosystem

3.12.3. Services of Cryptosystems

3.12.4. One-time Pad

3.12.5. Running and Concealment Ciphers

3.12.6. Steganography

3.13. Types of Ciphers

3.13.1. Substitution Ciphers

3.13.2. Transposition Ciphers

3.14. Methods of Encryption

3.14.1. Certificate Authorities

3.14.2. Symmetric vs. Asymmetric Algorithms: Symmetric Cryptography, Asymmetric Cryptography

3.14.3. Block and Stream Ciphers: Block Ciphers, Stream Ciphers

3.14.4. Hybrid Encryption Methods: Asymmetric and Symmetric Algorithms Used Together, Session Keys

3.15. Types of Symmetric Systems

3.15.1. Data Encryption Standard: Electronic Code Book (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), Counter (CTR)


3.15.3. Advanced Encryption Standard

3.15.4. International Data Encryption Algorithm

3.15.5. Blowfish

3.15.6. RC4

3.15.7. RC5

3.15.8. RC6

3.16. Types of Asymmetric Systems

3.16.1. Diffie-Hellman Algorithm

3.16.2. RSA: Diving into Numbers, one-way function

3.16.3. El Gamal

3.16.4. Elliptic Curve Cryptosystems

3.16.5. Knapsack

3.16.6. Zero Knowledge Proof

3.17. Message Integrity

3.17.1. The One-Way Hash: HMAC, Cipher Block Chaining Message Authentication Code (CBC-MAC)

3.17.2. Various Hashing Algorithms

3.17.3. MD4

3.17.4. MD5

3.17.5. SHA

3.17.6. Attacks Against One-Way Hash Functions

3.17.7. Digital Signatures

3.17.8. Digital Signature Standard

3.18. Public Key Infrastructure

3.18.1. Certificates

3.18.2. The Registration Authority

3.18.3. PKI Steps

3.19. Key Management

3.19.1. Key Management Principles

3.19.2. Rules for Keys and Key Management

3.20. Trusted Platform Module

3.20.1. TPM Uses

3.21. Attacks on Cryptography

3.21.1. Ciphertext-Only Attacks

3.21.2. Known-Plaintext Attacks

3.21.3. Chosen-Plaintext Attacks

3.21.4. Chosen-Ciphertext Attacks

3.21.5. Differential Cryptanalysis

3.21.6. Linear Cryptanalysis

3.21.7. Side-Channel Attacks

3.21.8. Replay Attacks

3.21.9. Algebraic Attacks

3.21.10. Analytic Attacks

3.21.11. Statistical Attacks

3.21.12. Social Engineering Attacks

3.21.13. Meet-in-the-Middle Attacks

3.22. Site and Facility Security

3.23. The Site Planning Process

3.23.1. Crime Prevention Through Environmental Design: Natural access control, Natural Surveillance, Natural Territorial Reinforcement

3.23.2. Designing a Physical Security Program: Facility Construction, Internal Compartments, Computer and Equipment Rooms

3.24. Protecting Assets

3.24.1. Protecting Mobile Devices

3.24.2. Using Safes

3.25. Internal Support Systems

3.25.1. Electric Power

3.25.2. Environmental Issues

3.25.3. Fire Prevention, Detection, and Suppression

4. Identity and Access Management

4.1. Security Principles

4.1.1. Availability

4.1.2. Integrity

4.1.3. Confidentiality

4.2. Identification, Authentication, Authorization, and Accountability

4.2.1. Identification and Authentication: Identity management, Directories, Web access management (WAM)

4.2.2. Authentication: Password Management (Password synchronization, Self-service password reset, Assisted password reset), Legacy Single Sign-On, Account management, Provisioning, Authoritative System of Record, User provisioning, Profile Update; Biometrics (Fingerprint, Palm Scan, Hand Geometry, Retina Scan, Iris Scan, Signature Dynamics, Keystroke Dynamics, Voice Print, Facial Scan, Hand Topography); Passwords (Password Policies, Password Checkers, Password Hashing and Encryption, Password Aging, Limit Logon Attempts, Cognitive passwords, one-time password (OTP), The token device (Synchronous, Asynchronous)); Cryptographic Keys; Passphrase; Memory Cards; Smart Card (contact smart card, contactless smart card, Smart Card Attacks)

4.2.3. Authorization: Access Criteria (Role, Groups, Physical or logical location, Time of day, Transaction-type restrictions), Default to No Access, need-to-know principle, Authorization Creep, Single Sign-On

4.2.4. Federation: Web portal, portlets, Access Control and Markup Languages (XML, Service Provisioning Markup Language (SPML), Security Assertion Markup Language (SAML), Extensible Access Control Markup Language (XACML)), OpenID, OAuth

4.2.5. Identity as a Service

4.2.6. Integrating Identity Services: Establishing Connectivity, Establishing Trust, Incremental Testing

4.3. Access Control Models

4.3.1. Discretionary Access Control

4.3.2. Mandatory Access Control: Sensitivity Labels

4.3.3. Role-Based Access Control: Core RBAC, Hierarchical RBAC, Static Separation of Duty (SSD) Relations through RBAC, Dynamic Separation of Duties (DSD) Relations through RBAC

4.3.4. Rule-Based Access Control

4.4. Access Control Techniques and Technologies

4.4.1. Constrained User Interfaces

4.4.2. Access Control Matrix: Capability Table, Access control lists (ACLs), Content-Dependent Access Control

4.4.3. Content-Dependent Access Control

4.5. Access Control Administration

4.5.1. Centralized Access Control Administration: Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access Control System (TACACS), Diameter

4.5.2. Decentralized Access Control Administration

4.6. Access Control Methods

4.6.1. Access Control Layers

4.6.2. Administrative Controls: Personnel controls, Supervisory Structure, Security-Awareness Training, Testing

4.6.3. Physical Controls: Network segregation, Perimeter Security, Computer Controls, Cabling, Control Zone

4.6.4. Technical Controls: System Access, Network Architecture, Network Access, Encryption and protocols, Auditing

4.7. Accountability

4.7.1. Review of Audit Information

4.7.2. Protecting Audit Data and Log Information

4.7.3. Keystroke Monitoring

4.8. Access Control Practices

4.8.1. Unauthorized Disclosure of Information: Object reuse, Emanation Security (TEMPEST, White Noise, Control Zone)

4.9. Access Control Monitoring

4.9.1. Intrusion Detection Systems: network-based IDS (NIDS) (Signature-based, Anomaly-based), host-based IDS (HIDS) (Signature-based, Anomaly-based), Knowledge- or Signature-Based Intrusion Detection, State-Based IDSs, statistical anomaly-based IDS, Protocol Anomaly-Based IDS, Traffic Anomaly-Based IDS, rule-based IDS, IDS Sensors, Network Traffic

4.9.2. Intrusion Prevention Systems, Honeypot, Network Sniffers

4.10. Threats to Access Control

4.10.1. Dictionary Attack: Countermeasures

4.10.2. Brute-Force Attacks: Countermeasures

4.10.3. Spoofing at Logon

4.10.4. Phishing and Pharming

5. Security Assessment and Testing

5.1. Audit Strategies

5.1.1. Internal Audits

5.1.2. Third-Party Audits: Service organizations

5.2. Auditing Technical Controls

5.2.1. Vulnerability Testing: Personnel testing, Physical testing, System and network testing

5.2.2. Penetration Testing

5.2.3. War Dialing

5.2.4. Other Vulnerability Types: Kernel flaws, Buffer overflows, Symbolic links, File descriptor attacks, Race conditions, File and directory permissions

5.2.5. Postmortem

5.2.6. Log Reviews

5.2.7. Synthetic Transactions

5.2.8. Misuse Case Testing

5.2.9. Code Reviews

5.2.10. Interface Testing

5.3. Auditing Administrative Controls

5.3.1. Account Management: Adding Accounts, Modifying Accounts, Suspending Accounts

5.3.2. Backup Verification: Types of Data (User Data Files, Databases, Mailbox Data)

5.3.3. Disaster Recovery and Business Continuity: Testing and Revising the Business Continuity Plan (Checklist Test, Structured Walk-Through Test, Simulation Test, Parallel Test, Full-Interruption Test, Other Types of Training), Emergency Response, Maintaining the Plan, BCP Life Cycle

5.3.4. Security Training and Security Awareness Training: Social engineering, Pretexting, Online Safety, Data Protection, Culture

5.3.5. Key Performance and Risk Indicators: Key Performance Indicators, Key Risk Indicators

5.4. Reporting

5.4.1. Technical Reporting

5.4.2. Executive Summaries

5.5. Management Review

5.5.1. Before the Management Review

5.5.2. Reviewing Inputs

5.5.3. Management Actions

6. Communication and Network Security

6.1. Telecommunications

6.2. Open Systems Interconnection Reference Model

6.2.1. Protocol

6.2.2. Application Layer

6.2.3. Presentation Layer

6.2.4. Session Layer

6.2.5. Transport Layer

6.2.6. Network Layer

6.2.7. Data Link Layer

6.2.8. Physical Layer

6.2.9. Functions and Protocols in the OSI Model: Application, Presentation, Session, Transport, Network, Data Link, Physical

6.2.10. Tying the Layers Together

6.2.11. Multilayer Protocols: Distributed Network Protocol 3 (DNP3), Controller Area Network bus (CAN bus)

6.3. TCP/IP Model

6.3.1. TCP: TCP Handshake

6.3.2. IP Addressing

6.3.3. IPv6

6.3.4. Layer 2 Security Standards: IEEE 802.1AE, IEEE 802.1AR

6.3.5. Converged Protocols

6.4. Types of Transmission

6.4.1. Analog and Digital

6.4.2. Asynchronous and Synchronous

6.4.3. Broadband and Baseband

6.5. Cabling

6.5.1. Coaxial Cable

6.5.2. Twisted-Pair Cable

6.5.3. Fiber-Optic Cable

6.5.4. Cabling Problems: Noise, Attenuation, Crosstalk, Fire Rating of Cables

6.6. Network Foundations

6.6.1. Network Topology: ring topology, bus topology, star topology, mesh topology

6.6.2. Media Access Technologies: local area network (LAN), Token Passing, CSMA, Collision Domains, Polling, Ethernet, Token Ring, Fiber Distributed Data Interface (FDDI) technology

6.6.3. Transmission Methods

6.6.4. Network Protocols and Services: Address Resolution Protocol, Dynamic Host Configuration Protocol, Internet Control Message Protocol (ICMP), Attacks Using ICMP, Simple Network Management Protocol (SNMP)

6.6.5. Domain Name Service: Internet DNS and Domains, DNS threats, Domain Name Registration Issues

6.6.6. E-mail Services: Post Office Protocol (POP), Internet Message Access Protocol (IMAP), E-mail Authorization, E-mail Relaying, E-mail Threats

6.6.7. Network Address Translation

6.6.8. Routing Protocols: Dynamic vs. Static, Distance-Vector vs. Link-State, Interior Routing Protocols, Exterior Routing Protocols, Routing Protocol Attacks

6.7. Networking Devices

6.7.1. Repeaters

6.7.2. Bridges

6.7.3. Routers

6.7.4. Switches: Layer 3 and 4 Switches, VLANs

6.7.5. Gateways

6.7.6. PBXs

6.7.7. Firewalls: Packet filtering, stateful firewall, proxy firewall, Dynamic Packet-Filtering Firewalls, kernel proxy firewall, next-generation firewall (NGFW), Firewall Architecture (Dual-Homed Firewall, screened host, screened-subnet architecture), Virtualized Firewalls, The “Shoulds” of Firewalls

6.7.8. Proxy Servers

6.7.9. Honeypot

6.7.10. Unified Threat Management

6.7.11. Content Distribution Networks

6.7.12. Software Defined Networking: Control and Forwarding Planes, Approaches to SDN

6.8. Intranets and Extranets

6.9. Metropolitan Area Networks

6.9.1. Metro Ethernet

6.10. Wide Area Network

6.10.1. Telecommunications Evolution

6.10.2. Dedicated Links: T-carriers, E-carriers, Optical Carrier

6.10.3. WAN Technologies: channel service unit/data service unit (CSU/DSU), Switching, Frame Relay, Virtual Circuits, X.25, Asynchronous Transfer Mode (ATM), Quality of Service (QoS), Synchronous Data Link Control (SDLC), High-level Data Link Control (HDLC), Point-to-Point Protocol (PPP), High-Speed Serial Interface (HSSI), Multiservice access technologies, H.323 Gateways, Digging Deeper into SIP, IP Telephony Issues

6.11. Remote Connectivity

6.11.1. Dial-up Connections

6.11.2. ISDN

6.11.3. DSL

6.11.4. Cable Modems

6.11.5. VPN: Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), Internet Protocol Security (IPSec), Transport Layer Security (TLS)

6.11.6. Authentication Protocols

6.12. Wireless Networks

6.12.1. Wireless Communications Techniques: Spread spectrum, Frequency hopping spread spectrum (FHSS), Direct sequence spread spectrum (DSSS), orthogonal frequency-division multiplexing (OFDM)

6.12.2. WLAN Components

6.12.3. Evolution of WLAN Security: IEEE Standard 802.11, IEEE Standard 802.11i, IEEE Standard 802.1X

6.12.4. Wireless Standards: 802.11b, 802.11a, 802.11e, 802.11f, 802.11g, 802.11h, 802.11j, 802.11n, 802.11ac, 802.16, 802.15.4, Bluetooth Wireless

6.12.5. Best Practices for Securing WLANs

6.12.6. Satellites

6.12.7. Mobile Wireless Communication

6.13. Network Encryption

6.13.1. Link Encryption vs. End-to-End Encryption

6.13.2. E-mail Encryption Standards: Multipurpose Internet Mail Extensions (MIME), Pretty Good Privacy (PGP)

6.13.3. Internet Security: Start with the Basics, HTTP, HTTP Secure (HTTPS), Secure Sockets Layer (SSL), Transport Layer Security, SSL Cookies, Secure Shell (SSH)

6.14. Network Attacks

6.14.1. Denial of Service: Malformed Packets, Flooding, distributed denial-of-service (DDoS), Ransomware

6.14.2. Sniffing

6.14.3. DNS Hijacking

6.14.4. Drive-by Download

7. Security Operations

7.1. The Role of the Operations Department

7.2. Administrative Management

7.2.1. Security and Network Personnel

7.2.2. Accountability

7.2.3. Clipping Levels

7.3. Assurance Levels

7.4. Operational Responsibilities

7.4.1. Unusual or Unexplained Occurrences

7.4.2. Deviations from Standards

7.4.3. Unscheduled Initial Program Loads (aka Rebooting)

7.5. Configuration Management

7.5.1. Trusted Recovery: After a System Crash, Security Concerns

7.5.2. Input and Output Controls

7.5.3. System Hardening

7.5.4. Remote Access Security

7.6. Physical Security

7.6.1. Facility Access Control: Locks (Mechanical Locks, Device Locks, Administrative Responsibilities)

7.6.2. Personnel Access Controls

7.6.3. External Boundary Protection Mechanisms: Fencing, Bollards, Lighting, Surveillance Devices, Visual Recording Devices

7.6.4. Intrusion Detection Systems: Electromechanical systems, photoelectric system, passive infrared (PIR) system, acoustical detection system, Wave-pattern motion detectors, proximity detector

7.6.5. Patrol Force and Guards

7.6.6. Dogs

7.6.7. Auditing Physical Access

7.7. Service Resource Provisioning

7.7.1. Asset Inventory: Tracking Hardware, Tracking Software

7.7.2. Configuration Management: Change Control Process, Change Control Documentation

7.7.3. Provisioning Cloud Assets

7.8. Network and Resource Availability

7.8.1. Mean Time Between Failures

7.8.2. Mean Time to Repair

7.8.3. Single Points of Failure: Redundant array of independent disks (RAID), Direct access storage device (DASD), Massive Array of Inactive Disks, Redundant array of independent tapes (RAIT), Storage Area Networks, Clustering, Grid computing

7.8.4. Backups: Hierarchical Storage Management

7.8.5. Contingency Planning

7.9. Preventive Measures

7.9.1. Firewalls

7.9.2. Intrusion Detection and Prevention Systems

7.9.3. Antimalware

7.9.4. Patch Management: Unmanaged Patching, Centralized Patch Management, Reverse Engineering Patches, Sandboxing

7.9.5. Honeypots

7.10. The Incident Management Process

7.10.1. Detection

7.10.2. Response

7.10.3. Mitigation

7.10.4. Reporting

7.10.5. Recovery

7.10.6. Remediation

7.11. Disaster Recovery

7.11.1. Business Process Recovery

7.11.2. Facility Recovery: Hot site, Warm site, Cold site, Tertiary Sites, Redundant Sites

7.11.3. Supply and Technology Recovery: Hardware Backups, Software Backups

7.11.4. Choosing a Software Backup Facility: Documentation, Human Resources, End-User Environment

7.11.5. Data Backup Alternatives

7.11.6. Electronic Backup Solutions

7.11.7. High Availability

7.12. Insurance

7.13. Recovery and Restoration

7.13.1. Developing Goals for the Plans

7.13.2. Implementing Strategies

7.14. Investigations

7.14.1. Computer Forensics and Proper Collection of Evidence

7.14.2. Motive, Opportunity, and Means

7.14.3. Computer Criminal Behavior

7.14.4. Incident Investigators

7.14.5. The Forensic Investigation Process

7.14.6. What Is Admissible in Court?

7.14.7. Surveillance, Search, and Seizure

7.14.8. Interviewing Suspects

7.15. Liability and Its Ramifications

7.15.1. Liability Scenarios: Personal Information, Hacker Intrusion

7.15.2. Third-Party Risk

7.15.3. Contractual Agreements

7.15.4. Procurement and Vendor Processes

7.16. Compliance

7.17. Personal Safety Concerns

8. Software Development Security

8.1. Building Good Code

8.2. Where Do We Place Security?

8.2.1. Different Environments Demand Different Security

8.2.2. Environment vs. Application

8.2.3. Functionality vs. Security

8.2.4. Implementation and Default Issues

8.3. Software Development Lifecycle

8.3.1. Project Management

8.3.2. Requirements Gathering Phase

8.3.3. Design Phase

8.3.4. Development Phase

8.3.5. Testing/Validation Phase: Testing Types

8.3.6. Release/Maintenance Phase

8.4. Secure Software Development Best Practices

8.5. Software Development Models

8.5.1. Build and Fix Model

8.5.2. Waterfall Model

8.5.3. V-Shaped Model (V-Model)

8.5.4. Prototyping: Rapid prototyping, evolutionary prototypes, operational prototypes

8.5.5. Incremental Model

8.5.6. Spiral Model

8.5.7. Rapid Application Development

8.5.8. Agile Models

8.5.9. Scrum

8.5.10. Extreme Programming

8.5.11. Kanban

8.5.12. Other Models: Exploratory model, Joint Application Development (JAD), Reuse model, Cleanroom

8.6. Integrated Product Team

8.6.1. DevOps

8.7. Capability Maturity Model Integration

8.8. Change Control

8.8.1. Software Configuration Management

8.8.2. Security of Code Repositories

8.9. Programming Languages and Concepts

8.9.1. Assemblers, Compilers, Interpreters

8.9.2. Object-Oriented Concepts

8.9.3. Other Software Development Concepts: Data modeling, Data Structures, Cohesion and Coupling

8.9.4. Application Programming Interfaces

8.10. Distributed Computing

8.10.1. Distributed Computing Environment

8.10.2. CORBA and ORBs

8.10.3. COM and DCOM: Object Linking and Embedding (OLE)

8.10.4. Java Platform, Enterprise Edition

8.10.5. Service-Oriented Architecture

8.11. Mobile Code

8.11.1. Java Applets

8.11.2. ActiveX Controls

8.12. Web Security

8.12.1. Specific Threats for Web Environments: Administrative Interfaces, Authentication and Access Control, Input Validation, Parameter validation, Session Management

8.12.2. Web Application Security Principles

8.13. Database Management

8.13.1. Database Management Software

8.13.2. Database Models: Relational, Hierarchical, Network, Object-oriented, Object-relational

8.13.3. Database Programming Interfaces: Open Database Connectivity (ODBC), Object Linking and Embedding Database (OLE DB), ActiveX Data Objects (ADO), Java Database Connectivity (JDBC)

8.13.4. Relational Database Components: Data Dictionary, Primary vs. Foreign Key

8.13.5. Integrity

8.13.6. Database Security Issues: Database Views, Polyinstantiation, Online transaction processing (OLTP)

8.13.7. Data Warehousing and Data Mining

8.14. Malicious Software

8.14.1. Viruses

8.14.2. Worms

8.14.3. Rootkit

8.14.4. Spyware and Adware

8.14.5. Botnets

8.14.6. Logic Bombs

8.14.7. Trojan Horses

8.14.8. Antimalware Software

8.14.9. Spam Detection

8.14.10. Antimalware Programs

8.15. Assessing the Security of Acquired Software