
CISSP by Mind Map: CISSP

CISSP

ISC2

How to get certified?

Candidate Information Bulletins

Registration

Exam

Day

Saturday

Questions

250 QCM

Cost

Tests

Cccure.org

FreePracticeTests

CBK

Information Security and Risk Management

Identify and Classify Assets, CIA, Definition, Confidentiality, Integrity, Availability, Well with, Economically Viable, Authentication, Extensible, Auditable, Forensically sound, AAAA, Authenticate, Authorize, Accounting, Audit

Manage Risk, Management Concepts, Personnel Organization, Best Practices, Separation of Duties, Management, Information Security Officer, Job Rotation, Hiring, Termination, Not Just Terminations, Job Description, Accountability, Roles and Responsibilities, Data Owner, Data Custodian, Users and Operators, Auditor, Role Review, Chief Information Officer, Training, Awareness Training, Technical Training, Legislative Drivers, FISMA, NIST CS, OECD Guidelines, Risk Management, Manage and Assess, Impact of the threat, Risk of the threat occurring, Controls reduce the impact, Types of Risk, Inherent risk, Control risk, Detection risk, Residual risk, Business risk, Overall risk, Probability of a Loss, Quantitative Analysis, Identify assets and determine value, Estimate potential losses, Exposure Factor (EF), Single Loss Expectancy (SLE), Analyze threats, Estimate Annualized Rate of Occurrence (ARO), Calculate overall loss potential, Annualized Loss Expectancy (ALE), ALE = SLE x ARO, Accept, Mitigate, Assign the risk or Refuse, Qualitative Analysis, Techniques, Delphi technique, Brainstorming, Storyboarding, Surveys, questionnaires, checklists, one-on-one meetings, interviews, etc., Does not assign numeric value to risks, Based on experience and intuition of the risk analysts, Information Classification, Criteria, Value, Age, Useful life, Personal Association, Government, Unclassified, Sensitive but Unclassified, Confidential, Secret, Top Secret, Private Sector, Public, Sensitive, Private, Confidential, Applying Controls, Fundamental Control Set, Management Controls, Operational Controls, Technical Controls

Develop Security Policies, Policies, Standards, Guidelines, Policies, Standards, Guidelines, Procedures, Provide the foundation for a secure infrastructure, Created by Senior Management, Some policies are required by Law

Enforce Security Policies

Access Control

Access control refers to the method of identifying who a user is

Primary Controls, Administrative, Build Policies and procedures, Technical, Routers, Encryption, IDS, Antivirus, Firewalls, Physical, Network Segregation, Perimeter Security, Computer Controls, Work area separation, Data Backups, Locks on doors!

Operational Controls, Detective, Preventative, Deterrent, Corrective, Recovery, Compensatory

Access Control Models, Bell-LaPadula (Confidentiality), Simple: Subject cannot read up, Star: Subject cannot write down, Strong: Subject with read and write cannot go up or down, Biba (Integrity), Subject cannot read down, Subject cannot write up, Clark-Wilson (Integrity), Subject can only access object through authorized program, Enforces segregation of duties by authorized subjects, Requires auditing, Take, Brewer & Nash

Types of Access Rules, Mandatory (MAC), Discretionary (DAC), Non-Discretionary (NDAC), Role-based (RBAC), Content Dependent

Authentication / Passwords, Verification is done by testing, Who you are, biometrics, What you know, passwords, polling and interrogation, What you have, id, badge, key, USB plug, What you do

SSO, Kerberos, SESAME

Biometrics, Types, Fingerprint/Palm/Face, Hand Geometry, Signature dynamics, Facial Scan, Retina, Voice, Tools, Finger scanner, Palm scanner, Retina and iris scanner, Issues, Enrollment Time, Acceptable rate is 2 minutes per person, Throughput Time, Acceptable rate is 10 people per minute, Acceptability Issues, Privacy, physical, psychological, False Rejection Rate (FRR) - Type I error, False Acceptance Rate (FAR) - Type II error, Crossover Error Rate (CER), CER = % when FRR = FAR

Authorization / Accountability, Authorization, granted privileges, Accountability

Managing Access Control, Scripting, Directory services, Centralized, Radius, TACACS, TACACS+, Diameter, CHAP, Decentralized, Database, Relational Database, Support queries, Databases 101, Security elements, GRANT, REVOKE

Network Security Testing, NIST Publication 800-42

Telecommunications and Network Security

OSI / TCP Model, OSI (Open Systems Interconnection), Layer 7: Application, Layer 6: Presentation, Layer 5: Session, Layer 4: Transport, Layer 3: Network, Layer 2: Data Link, Layer 1: Physical, TCP/IP, Application, Host-to-host (Transport), Internet (Network), CIDR, Network Interface (data/physical)

Media / Topologies, Typical Media, 10Base2, 10Base5, Coax, UTP/STP, Fiber, Wireless, Topologies, Bus, Ring, Star, Tree, Mesh, Full, Partial

Lan Protocols / Standards, ARP / RARP, 802.3 (CSMA/CD), Ethernet, 802.5 (Token Ring), 802.11 (Wireless), 802.16 (WiMax), 802.20 (Mobile WiMax)

WAN Technologies, Dedicated lines, Circuit Switched, SDH/SONET, DTM, Packet Switched, ATM, Gigabit Ethernet, x25, Token Ring, FDDI

The PBX

Remote Connectivity, PPP/SLIP, PPPOE, PAP/CHAP, Securing, IPSEC, VPNs, SKIP, SSL, NAT, swIPe

Networking Cables, Coaxial Cable, Twisted Pair, Fiber-Optic Cable, Core, Cladding, Jacket, Cable Vulnerabilities, Cable failure Terms, Attenuation, Crosstalk, Noise

Networking Devices, Repeater, Bridge, Switch, Router, Proxies, Gateway, LAN Extender, Screened-Host Firewall, Dual-Homed Host Firewall, Screened-Subnet Firewall, SOCKS

Wireless, IEEE Standards, 802.11a -> 802.11n, 802.1x, 802.3af, 802.16 (WiMax), 802.15 (Bluetooth), Terminology, RADIUS

General Communications Vulnerabilities, Wireless exploits, Passive Attacks, Active Attacks, Man in the Middle Attacks, Jamming Attacks, Countermeasures, IDS / IPS, Honeypots, Response Team, Layered Security, Firewalls, Securing Voice

Security Architecture and Design

Trusted Computing Base (TCB), Trusted Computer, Does what you tell it to, Only what you tell it to do, You know what it's doing, Trusted System, Rings of security, Ring 0: trusted core OS kernel, Outer rings are less privileged, Sandbox isolates a process from CPU and file system, Intel Architectural Model, Ring 0 -> Ring 3, Reference Monitor, Security Kernel, Isolate processes, Be used on every access, Be small enough to be easily tested, Covert Channels, Covert Storage Channel, Covert Timing Channel

Computer Architecture, CPU, RISC, CISC, Memory, Cache, ROM, RAM, Flash, Memory Addressing, Buses, Serial, Parallel, Firmware, BIOS, Cisco IOS, Software, OS, Applications, Processes & Threads

Data Classification Models, Models and IT classification Frameworks, Compartmented Security Modes, Multilevel Security Mode

Access Control Models, Access Control, Identification, Authentication, Authorization, Terms, Subjects, Objects, Access, Access Control, Databases, Access Control Techniques

Certification / Accreditation and Evaluation, Certification, Accreditation, Evaluation, TCSEC, TCB Division, Orange Book, Level D: minimal protection, Level C: Discretionary Protection, Level C1: Discretionary Security Protection, Level C2: Controlled Access Protection, Level B: Mandatory Protection (DoD security clearances), Level B1: Labeled Security, Level B2: Structured Protection, Level B3: Security Domains, Level A: Verified Protection, Level A1: Verified Design, ITSEC, Used in Europe, Evaluate functionality and assurance separately, Rating, E0 - E6 (assurance), F1-F10 (functionality), TNI, Red Book of Rainbow Series, Common Criteria, Eight Assurance Levels are defined (EAL0-EAL7)

Compliance, ISO 17799 / BS7799, ISO 17799, Best Practice Guidelines, Universally adaptable, was BS 7799 Part 1, BS 7799, Part 3, Guidelines for Information Security Risk Mgmt, ISO 27000 Series, ISO 27000, ISO 27001, was BS 7799 Part 2, ISO 27002, aka 17799, ISO 27003, ISO 27004, Current drivers, Regulation and Legislation, Cyberliability Insurance, Incident Response, Future Drivers, Industry Adoption and Compliance, Cyberterrorism, Information Warfare, Personal Privacy

Business Continuity and Disaster Recovery Planning

Business Continuity Planning (BCP), Why?, Business Need, Regulatory (SoX, BASEL2, FISMA, HIPAA, etc.), Contingency Planning, Integration BCP/CP, Develop the contingency planning policy statement, Conduct the business impact analysis (BIA), Identify preventive controls, Develop recovery strategies, Develop an IT contingency plan, Plan testing, training, and exercises, Plan Maintenance, NIST's 3 Phases of Actions, Notification/Activation, Recovery, Reconstitution, Elements of BCP, Scope and plan Initiation, Scope, Amount of work required, Resources to be used, Management Practices, Roles and Responsibilities, Business Impact Analysis (BIA), Gathering assessment materials, Perform the assessment, Analyze the compiled information, Document the results, Business Continuity Planning and Development, Plan approval and implementation

Disaster Recovery Planning (DRP), Objectives, Protect the company from major computer services failure, Minimize the risk from delays in providing services, Guarantee reliability of standby systems through testing, Minimize decision making required by personnel during a disaster, DRP assumes BIA has been done, now focusing on steps needed to protect the business

Development

Emergency Implementation Planning

Types of DR Sites, Subscription Service, Hot Site, Warm Site, Cold Site, Others, Mobile Site, Transaction Redundancy Implementation, Electronic Vaulting, Remote Journaling, Database Shadowing

Media / Methods, Backup Storage Media, Tape, Hard Disks, Optical Disks, Solid State, Backup Methods, Full, To restore, requires only the previous day's Full backup, Requires the most time and media space, Incremental, Requires the least time and space, To restore, requires last Full backup plus all backups since the last Full backup, Differential, To restore, requires the last Full backup and the last Differential backup, Intermediate in time and media space requirements between Full and Incremental backups, RAID, disk striping (RAID 0), disk mirroring (RAID 1), disk striping with parity (RAID 5), combined RAID (e.g. RAID 01 -> RAID 0 stripe sets mirrored as an overall RAID 1), RAB Classification, Failure-resistant disk systems, Failure-tolerant disk systems, Disaster-tolerant disk systems

Testing COOP / DRP, Checklist, Structured walk through, Simulation, Parallel, Full interruption

Standards, BS 25999, ISO 22399, ISO 24762, ISO 27001

Links, thebci, disasterrecoverytemplates

Application Security

Goals, Software should perform its intended tasks - nothing more, nothing less, Develop software and systems in budget and on schedule

Open Source vs. Proprietary Code

A TCB depends on Trusted Software

Overview of programming languages, 1st generation: Machine or Binary code, 2nd generation: ASM, 3rd generation: Spoken language, Compiled / Interpreted / Hybrid

Principles of Programming, Modularity, Top-down design, Limited control structures, Limited scope of variables

Methodologies, Structured Programming, Object-Oriented Programming, Computer-Aided Software Engineering (CASE) tools

Good Coding Practices, Least privileges, Hiding secrets, Layered defense, Weakest link

Development Models, Software Engineering Models, Simplistic Model, Requirements Gathering, Analysis, Design, Coding, Testing, Waterfall Model, System requirements, Software Requirements, Analysis, Program Design, Coding, Testing, Operations and Maintenance, Spiral Model, Define objectives, Risk analysis, prototype, Engineering and Testing, Planning, Cost Estimation Techniques, Delphi Technique, Expert Judgment, Function Points, Industry Benchmarks, Rapid Application Development (RAD), Cleanroom Model, Iterative Development Method, Prototyping Model, System Development Life Cycle (SDLC), Project initiation, Analysis and planning, System design specifications, Software development, Installation and implementation, Operations and maintenance, Disposal, The Software Capability Maturity Model, IDEAL Model

Object Oriented Programming, Object Oriented Concepts, Class, Data Abstraction, Inheritance, Child (derived) class inherits from the Parent (base) class, Polymorphism, Polyinstantiation, Phases of Development for Object Oriented Orientation (OOO), Object Oriented Requirements Analysis (OORA), Object Oriented Analysis (OOA), Domain Analysis (DA), Object Oriented Design (OOD), Object Oriented Programming (OOP)

Tools and Languages, JAVA, ActiveX, Dynamic Data Exchange (DDE), Object Linking and Embedding (OLE), Component Object Model (COM) & Distributed Component Object Model (DCOM), Common Object Request Broker Architecture (CORBA), Expert Systems

Databases, Types, File-based, Hierarchical, Network, Object-Oriented, Relational, Terms, Database Management System, Data Definition Language, Primary Key, Foreign Key, SELECT Command, Normalization, Bind variable, Data Warehouse, Data Mining, Metadata, Data mart, Data Dictionary, Database Security, Basics of Database Security, Release of information, Modification of information, Denial of service, Discretionary vs Mandatory, Specific authorization granted and denied, Authorization based on assigned classification, Relational vs Object Oriented, Relational, Controls, GRANT & REVOKE, Deny, Granularity, OS Security, Issues, Verifying access granted - DAC, Verifying the View limitations function - MAC, Preventing users from creating a copy (becoming owner) and granting access to others, Object, DAC Object Oriented Models, MAC Object Oriented Models, Issues

Configuration & Management

Application Vulnerabilities, Malicious Mobile Code, DNS Hijacking, XSS, SQL Injection, DoS DDoS, Flooding, Virus, Trojan, Polymorphic, Stealth, Retro, Boot Sector, Macro, Worm

Cryptography

Classical Goals, Confidentiality, Integrity, Authentication, Nonrepudiation

History

Components

Symmetric-Key Cryptography, Symmetric Algorithms, DES, 3DES, AES, Serpent, Twofish, RCG, IDEA, DES Modes of Operation

Asymmetric-Key Cryptography, Asymmetric Algorithms, RSA, DH, DSA, El Gamal, ECC

Hybrid Cryptography

Hashing, Hash Algorithms, MD5, SHA-1

Public Key Infrastructure, Certificate Authority or CA, Registration Authority or RA, Certificates holders, Clients that validate digital signatures, Repositories

Digital Signatures, Digital Signature Standard (DSS), Types of CA Trust, Hierarchical, Cross Certification

Cryptography In Use, SSH, IPSEC, SSL, SET

Data Privacy Concerns

Attacks

Physical Security

Roles of Physical Security

Legal, Regulations, Compliance and Investigations

Ethics, ISC2 Code of Ethics, Internet Architecture Board (IAB)

Examples of Computer Crimes, Data Diddling, Salami Attacks, Social Engineering, Dumpster Diving

Law, The Legal Framework, Three sources of laws, Legislated, Civil Code, Criminal Code, Regulated, Administrative Law, Court precedence, Investigation, Steps, MOM, Means, Opportunity, Motive, Determine suspects, Victimology, Target Risk Assessment, Crime scene characteristics, Attacker skill level, Intent, Terms, Enticement, Entrapment, Best of Evidence, Best, Corroborative, Secondary, Conclusive, Circumstantial, Forensics, Contracts, End-User Licence Agreements, Intellectual Property, Privacy, Accountability, International Laws, Computer Laws

Operations Security

Separation of Duties, Operator, Security Admin, System Admin

Critical Operations Controls, Resources Protection, Hardware Controls, Software Controls, Privileged Entity Controls, Change Management Control

Media Protection, Records Retention, Data Remanence, Due care and due diligence, Documentation

Auditing