CISSP 2015

Mind Map of CISSP 8 Domains 2015


1. Identity & Access Management

1.1. Method control refers to your method of identifying who the user is

1.2. Primary Controls

1.2.1. Administrative: Build policies and procedures

1.2.2. Technical: Routers, encryption, IDS, antivirus, firewalls

1.2.3. Physical: Network segregation, perimeter security, computer controls, work area separation, data backups, locks on doors

1.3. Operational Controls

1.3.1. Detective

1.3.2. Preventative

1.3.3. Deterrent

1.3.4. Corrective

1.3.5. Recovery

1.3.6. Compensatory

1.4. Access Control Models

1.4.1. Bell-LaPadula (Confidentiality): Simple property: subject cannot read up; Star property: subject cannot write down; Strong star property: subject with read and write cannot go up or down

1.4.2. Biba (Integrity): Subject cannot read down; subject cannot write up

1.4.3. Clark-Wilson (Integrity): Subject can only access an object through an authorized program; enforces segregation of duties by authorized subjects; requires auditing

1.4.4. Take

1.4.5. Brewer & Nash

1.5. Types of Access Rules

1.5.1. Mandatory (MAC)

1.5.2. Discretionary (DAC)

1.5.3. Non-Discretionary (NDAC)

1.5.4. Role-based (RBAC)

1.5.5. Content Dependent

1.6. Authentication / Passwords

1.6.1. Verification is done by testing: who you are (biometrics); what you know (passwords, polling and interrogation); what you have (ID, badge, key, USB plug); what you do

1.7. SSO

1.7.1. Kerberos

1.7.2. SESAME

1.8. Biometrics

1.8.1. Types: Fingerprint/palm/face, hand geometry, signature dynamics, facial scan, retina, voice

1.8.2. Tools: Finger scanner, palm scanner, retina and iris scanner

1.8.3. Issues: Enrollment time (acceptable rate is 2 minutes per person); throughput time (acceptable rate is 10 people per minute); acceptability issues (privacy, physical, psychological); False Rejection Rate (FRR) - Type I error; False Acceptance Rate (FAR) - Type II error; Crossover Error Rate (CER): CER = % when FRR = FAR

1.9. Authorization / Accountability

1.9.1. Authorization granted privileges

1.9.2. Accountability

1.10. Managing Access Control

1.10.1. Scripting

1.10.2. Directory services

1.10.3. Centralized: RADIUS, TACACS, TACACS+, Diameter

1.10.4. CHAP

1.10.5. Decentralized: Database, Relational database, Databases 101, Security elements

1.11. Network Security Testing

1.11.1. NIST Publication 800-42

2. Asset Security

2.1. Roles of Physical Security

2.2. Cryptography

2.2.1. Classical goals: Confidentiality, Integrity, Authentication, Nonrepudiation

2.2.2. History

2.2.3. Components

2.2.4. Symmetric-Key Cryptography: Symmetric algorithms (DES, 3DES, AES, Serpent, Twofish, RCG, IDEA); Modes of operation (DES)

2.2.5. Asymmetric-Key Cryptography: Asymmetric algorithms (RSA, DH, DSA, ElGamal, ECC)

2.2.6. Hybrid Cryptography

2.2.7. Hashing: Hash algorithms (MD5, SHA-1)

2.2.8. Public Key Infrastructure: Certificate Authority (CA), Registration Authority (RA), certificate holders, clients that validate digital signatures, repositories

2.2.9. Digital Signatures: Digital Signature Standard (DSS); Types of CA trust: hierarchical, cross certification

2.2.10. Cryptography in use: SSH, IPsec, SSL, SET

2.2.11. Data Privacy Concerns

2.2.12. Attacks

2.3. Information Classification

2.3.1. Criteria: Value, Age, Useful life, Personal association

2.3.2. Government: Unclassified, Sensitive but Unclassified, Confidential, Secret, Top Secret

2.3.3. Private sector: Public, Sensitive, Private, Confidential

3. Security Operations

3.1. Separation of Duties

3.1.1. Operator

3.1.2. Security Admin

3.1.3. System Admin

3.2. Critical Operations Controls

3.2.1. Resources Protection

3.2.2. Hardware Controls

3.2.3. Software Controls

3.2.4. Privileged Entity Controls

3.2.5. Change Management Control

3.3. Media Protection

3.3.1. Records Retention

3.3.2. Data Remanence

3.3.3. Transaction Redundancy Implementation: Electronic vaulting, Remote journaling, Database shadowing

3.3.4. Due care and due diligence

3.3.5. Documentation

3.4. Disaster Recovery Planning (DRP)

3.4.1. Objectives: Protect the company from major computer services failure; minimize the risk from delays in providing services; guarantee reliability of standby systems through testing; minimize decision making required by personnel during a disaster

3.4.2. Subscription service: Hot site, Warm site, Cold site; Others: Mobile site

3.4.3. DRP assumes BIA has been done, now focusing on steps needed to protect the business

3.5. Backup Methods

3.5.1. Full: To restore, requires only the previous day's Full backup; requires the most time and media space

3.5.2. Incremental: Requires the least time and space; to restore, requires the last Full backup plus all Incremental backups since the last Full backup

3.5.3. Differential: To restore, requires the last Full backup and the last Differential backup; intermediate in time and media space requirements between Full and Incremental backups

3.6. Business Continuity Planning (BCP)

3.6.1. Why? Business need; Regulatory (SOX, Basel II, FISMA, HIPAA, etc.)

3.6.2. Contingency Planning

3.6.3. Integration BCP/CP: Develop the contingency planning policy statement; conduct the business impact analysis (BIA); identify preventive controls; develop recovery strategies; develop an IT contingency plan; plan testing, training, and exercises; plan maintenance

3.6.4. NIST's 3 phases of actions: Notification/Activation, Recovery, Reconstitution

3.6.5. Elements of BCP: Scope and plan initiation (scope, amount of work required, resources to be used, management practices, roles and responsibilities); Business Impact Analysis (BIA) (gathering assessment materials, perform the assessment, analyze the compiled information, document the results); Business continuity planning and development; Plan approval and implementation

3.7. Auditing

3.8. Backup Storage Media

3.8.1. Tape

3.8.2. Hard Disks

3.8.3. Optical Disks

3.8.4. Solid State

3.9. RAID

3.9.1. Disk striping (RAID 0)

3.9.2. Disk mirroring (RAID 1)

3.9.3. Disk striping with parity (RAID 5)

3.9.4. Combined RAID (e.g. RAID 01 -> RAID 0 array + overall RAID 1)

3.9.5. RAB classification: Failure-resistant disk systems, Failure-tolerant disk systems, Disaster-tolerant disk systems

4. Security and Risk Management

4.1. Identify and Classify Assets

4.1.1. CIA Definition: Confidentiality, Integrity, Availability; Well with: Economically viable, Authentication, Extensible, Auditable, Forensically sound

4.1.2. AAAA: Authenticate, Authorize, Accounting, Audit

4.2. Manage Risk

4.2.1. Management Concepts

4.2.2. Personnel: Organization best practices (Separation of duties, Job rotation, Job description, Accountability); Roles and responsibilities (Data owner, Data custodian, Users and operators, Auditor role, Review, Chief Information Officer); Training (Awareness training, Technical training)

4.2.3. Legislative drivers: FISMA, NIST CS, OECD Guidelines

4.2.4. Risk Management: Manage and assess (impact of the threat; risk of the threat occurring; controls reduce the impact); Types of risk (Inherent risk, Control risk, Detection risk, Residual risk, Business risk, Overall risk); Probability of a loss; Quantitative analysis (identify assets and determine value; estimate potential losses; analyze threats; calculate overall loss potential; accept, mitigate, assign the risk or refuse); Qualitative analysis techniques (does not assign numeric value to risks; based on experience and intuition of the risk analysts); Applying controls (Fundamental control set)

4.3. Compliance

4.3.1. ISO 27000 series: ISO 27000; ISO 27001 (was BS 7799 Part 2); ISO 27002 (aka 17799); ISO 27003; ISO 27004

4.3.2. Current drivers: Regulation and legislation, Cyberliability insurance, Incident response

4.3.3. Future drivers: Industry adoption and compliance, Cyberterrorism, Information warfare, Personal privacy

4.4. Develop Security Policies

4.4.1. Policies, Standards, Guidelines: Policies, Standards, Guidelines, Procedures

4.4.2. Provide the foundation for a secure infrastructure

4.4.3. Created by Senior Management

4.4.4. Some policies are required by Law

4.5. Enforce Security Policies

4.6. Effective Security Program

4.7. Ethics

4.7.1. ISC2 Code of Ethics

4.7.2. Internet Architecture Board (IAB)

4.8. Law

4.8.1. The legal framework: Three sources of laws: Legislated, Regulated, Court precedent

4.8.2. Investigation: Steps; MOM; Terms (Enticement, Entrapment); Best of evidence (Best, Corroborative, Secondary, Conclusive, Circumstantial); Forensics; Contracts; End-User License Agreements; Intellectual property; Privacy; Accountability; International laws; Computer laws

4.8.3. Examples of computer crimes: Data diddling, Salami attacks, Social engineering, Dumpster diving

5. Communications and Network Security

5.1. OSI / TCP Model

5.1.1. OSI (Open Systems Interconnect): Layer 7: Application; Layer 6: Presentation; Layer 5: Session; Layer 4: Transport; Layer 3: Network; Layer 2: Data Link; Layer 1: Physical

5.1.2. TCP/IP: Application; Host-to-host (Transport); Internet (Network) (CIDR); Network Interface (data/physical)

5.2. Media / Topologies

5.2.1. Typical media: 10Base2, 10Base5, Coax, UTP/STP, Fiber, Wireless

5.2.2. Topologies: Bus, Ring, Star, Tree, Mesh (Full, Partial)

5.3. Lan Protocols / Standards

5.3.1. ARP / RARP

5.3.2. 802.3 (CSMA/CD) Ethernet

5.3.3. 802.5 (Token Ring)

5.3.4. 802.11 (Wireless)

5.3.5. 802.16 (WiMax)

5.3.6. 802.20 (Mobile WiMax)

5.4. WAN Technologies

5.4.1. Dedicated lines

5.4.2. Circuit switched: SDH/SONET, DTM

5.4.3. Packet switched: ATM, Gigabit Ethernet, X.25

5.4.4. Token Ring

5.4.5. FDDI

5.5. The PBX

5.6. Remote Connectivity

5.6.1. PPP/SLIP

5.6.2. PPPOE

5.6.3. PAP/CHAP

5.6.4. Securing: IPsec VPNs, SKIP, SSL, NAT, swIPe

5.7. Networking Cables

5.7.1. Coaxial Cable

5.7.2. Twisted Pair

5.7.3. Fiber-Optic Cable: Core, Cladding, Jacket

5.7.4. Cable Vulnerabilities

5.7.5. Cable failure terms: Attenuation, Crosstalk, Noise

5.8. Networking Devices

5.8.1. Repeater

5.8.2. Bridge

5.8.3. Switch

5.8.4. Router

5.8.5. Proxies

5.8.6. Gateway

5.8.7. LAN Extender

5.8.8. Screened-Host Firewall

5.8.9. Dual-Homed Host Firewall

5.8.10. Screened-Subnet Firewall

5.8.11. SOCKS

5.9. Wireless

5.9.1. IEEE standards: 802.11a -> 802.11n, 802.1x, 802.3af, 802.16 (WiMax), 802.15 (Bluetooth)

5.9.2. Terminology: RADIUS

5.10. Network Attacks

5.10.1. Wireless exploits: Passive attacks, Active attacks, Man-in-the-middle attacks, Jamming attacks

5.10.2. Countermeasures: IDS / IPS, Honeypots, Response team, Layered security, Firewalls, Securing voice

6. Software Development Security

6.1. Goals

6.1.1. Software should perform its intended tasks - nothing more, nothing less

6.1.2. Develop software and systems in budget and on schedule

6.2. Open Source vs. Proprietary Code

6.3. A TCB depends on Trusted Software

6.4. Overview of programming languages

6.4.1. 1st generation: Machine or Binary code

6.4.2. 2nd generation : ASM

6.4.3. 3rd generation : Spoken language

6.4.4. Compiled / Interpreted / Hybrid

6.5. Principles of Programming

6.5.1. Modularity

6.5.2. Top-down design

6.5.3. Limited control structures

6.5.4. Limited scope of variables

6.6. Methodologies

6.6.1. Structured Programming

6.6.2. Object-Oriented Programming

6.6.3. Computer-Aided Software Engineering (CASE) tools

6.7. Good Coding Practices

6.7.1. Least privileges

6.7.2. Hiding secrets

6.7.3. Layered defense

6.7.4. Weakest link

6.8. Development Models

6.8.1. Software engineering models: Simplistic model (Requirements gathering, Analysis, Design, Coding, Testing); Waterfall model (System requirements, Software requirements, Analysis, Program design, Coding, Testing, Operations and maintenance); Spiral model (Define objectives; Risk analysis, prototype; Engineering and testing; Planning); Cost estimation techniques (Delphi technique, Expert judgment, Function points, Industry benchmarks); Rapid Application Development (RAD); Cleanroom model; Iterative development method; Prototyping model; System Development Life Cycle (SDLC) (Project initiation, Analysis and planning, System design specifications, Software development, Installation and implementation, Operations and maintenance, Disposal); The Software Capability Maturity Model; IDEAL model

6.9. Object Oriented Programming

6.9.1. Object-oriented concepts: Class; Data abstraction; Inheritance (child (derived) class inherits from the parent (base) class); Polymorphism; Polyinstantiation

6.9.2. Phases of development for Object Oriented Orientation (OOO): Object Oriented Requirements Analysis (OORA), Object Oriented Analysis (OOA), Domain Analysis (DA), Object Oriented Design (OOD), Object Oriented Programming (OOP)

6.10. Tools and Languages

6.10.1. JAVA

6.10.2. ActiveX

6.10.3. Dynamic Data Exchange (DDE)

6.10.4. Object Linking and Embedding (OLE)

6.10.5. Component Object Model (COM) & Distributed Component Object Model (DCOM)

6.10.6. Common Object Request Broker Architecture (CORBA)

6.10.7. Expert Systems

6.11. Databases

6.11.1. Types: File-based, Hierarchical, Network, Object-oriented, Relational

6.11.2. Terms: Database Management System, Data Definition Language, Primary key, Foreign key, SELECT command, Normalization, Bind variable, Data warehouse, Data mining, Data dictionary

6.11.3. Database security: Basics of database security (Release of information, Modification of information, Denial of service); Discretionary vs Mandatory (specific authorization granted and denied; authorization based on assigned classification); Relational vs Object-oriented (Relational, Object)

6.12. Configuration & Management

6.13. Application Vulnerabilities

6.13.1. Malicious Mobile Code

6.13.2. DNS Hijacking

6.13.3. XSS

6.13.4. SQL Injection

6.13.5. DoS DDoS

6.13.6. Flooding

6.13.7. Virus: Trojan, Polymorphic, Stealth, Retro, Boot sector, Macro

6.13.8. Worm

7. Security Engineering

7.1. Trusted Computer Base (TCB)

7.1.1. Trusted computer: Does what you tell it to; only what you tell it to do; you know what it's doing

7.1.2. Trusted system: Rings of security (Ring 0: trusted core OS kernel; outer rings are less privileged); Sandbox isolates a process from CPU and file system; Intel architectural model

7.1.3. Reference Monitor

7.1.4. Security kernel: Isolate processes; be used on every access; be small enough to be easily tested

7.1.5. Covert channels: Covert storage channel, Covert timing channel

7.2. Computer Architecture


7.2.2. Memory: Cache, ROM, RAM, Flash, Memory addressing

7.2.3. Buses: Serial, Parallel

7.2.4. Firmware: BIOS, Cisco IOS

7.2.5. Software: OS, Applications, Processes & Threads

7.3. Data Classification Models

7.3.1. Models and IT classification Frameworks

7.3.2. Compartmented Security Modes

7.3.3. Multilevel Security Mode

7.4. Access Control Models

7.4.1. Access control: Identification, Authentication, Authorization; Terms: Subjects, Objects, Access, Access control

7.4.2. Databases

7.4.3. Access Control Techniques

7.5. Certification / Accreditation and Evaluation

7.5.1. Certification

7.5.2. Accreditation

7.5.3. Evaluation: TCSEC (TCB, Division, Orange Book); ITSEC (used in Europe; evaluates functionality and assurance separately; Rating); TNI (Red Book of the Rainbow Series); Common Criteria (Eight assurance levels are defined (EAL0-EAL7))

8. Security Assessment & Testing

8.1. Assessment and Test Strategies

8.1.1. Software Development

8.1.2. Log Review

8.1.3. Synthetic Transactions

8.1.4. Testing: Checklist, Structured walk-through, Simulation, Parallel, Full interruption

8.2. Collect Security Process Data: Internal & third-party audits

8.2.1. SOC Reporting Options

9. ISC2

9.1. How to get Certified

9.2. Candidate Information Bulletins

9.3. Registration

9.4. Exam

9.4.1. Day: Saturday

9.4.2. Questions: 250 multiple-choice questions

9.4.3. Tests FreePracticeTests