Mind map for CISSP preparation


1. ISC2

1.1. How to get certified?

1.2. Candidate Information Bulletins

1.3. Registration

2. Exam

2.1. Day

2.1.1. Saturday

2.2. Questions

2.2.1. 250 multiple-choice questions (the linear format in use when this map was made; the English-language exam has since moved to computerized adaptive testing with fewer questions)

2.3. Cost

2.4. Tests


2.4.2. FreePracticeTests

3. CBK

3.1. Information Security and Risk Management

3.1.1. Identify and Classify Assets
  3.1.1.1. CIA definition (Confidentiality, Integrity, Availability)
  3.1.1.2. Goes well with AAAA: Authenticate, Authorize, Accounting, Audit

3.1.2. Manage Risk
  3.1.2.1. Management concepts: personnel, organization, best practices
  3.1.2.2. Roles and responsibilities: role review, training
  3.1.2.3. Legislative drivers: FISMA, NIST CS, OECD Guidelines
  3.1.2.4. Risk management: manage and assess controls to reduce the impact; types of risk; probability of a loss
  3.1.2.5. Quantitative analysis and qualitative analysis
  3.1.2.6. Information classification
  3.1.2.7. Applying controls
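The quantitative and qualitative analysis steps above, as an added example that is not part of the original mind map: the standard CISSP formulas (SLE = AV x EF, ALE = SLE x ARO, safeguard value = ALE before minus ALE after minus annual control cost) next to a qualitative likelihood x impact rating. The asset, the percentages, the two candidate controls and their costs are constructed sample figures, not real data.

```python
"""Quantitative vs qualitative risk analysis (added example, constructed figures)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float       # AV: what the asset is worth
    exposure_factor: float   # EF: fraction of AV lost in one incident (0..1)
    aro: float               # ARO: expected incidents per year


def sle(r: Risk) -> float:
    """Single Loss Expectancy = AV x EF."""
    return r.asset_value * r.exposure_factor


def ale(r: Risk) -> float:
    """Annualised Loss Expectancy = SLE x ARO."""
    return sle(r) * r.aro


def safeguard_value(r: Risk, annual_cost: float, new_ef: float, new_aro: float) -> float:
    """Cost/benefit of a control: ALE(before) - ALE(after) - annual cost.
    Positive means the control saves more than it costs; negative means
    accepting or transferring the risk is the cheaper option."""
    mitigated = replace(r, exposure_factor=new_ef, aro=new_aro)
    return ale(r) - ale(mitigated) - annual_cost


def qualitative_rating(likelihood: int, impact: int) -> str:
    """Qualitative analysis: ordinal 1..5 scales combined in a risk matrix."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact are rated 1..5")
    score = likelihood * impact
    return "high" if score >= 15 else "medium" if score >= 6 else "low"


# Constructed sample: a file server worth 500k; a ransomware incident destroys
# 40% of its value and is expected once every two years.
RANSOMWARE = Risk("ransomware on file server", 500_000.0, 0.40, 0.5)

# Two hypothetical controls: one cuts the impact, the other cuts the frequency.
OFFLINE_BACKUPS = dict(annual_cost=15_000.0, new_ef=0.05, new_aro=0.5)
PREMIUM_EDR = dict(annual_cost=120_000.0, new_ef=0.40, new_aro=0.1)


def compare_controls(r: Risk = RANSOMWARE) -> dict:
    """Return the numbers a risk owner would put in front of management."""
    return {
        "sle": sle(r),
        "ale": ale(r),
        "offline_backups": safeguard_value(r, **OFFLINE_BACKUPS),
        "premium_edr": safeguard_value(r, **PREMIUM_EDR),
        "qualitative": qualitative_rating(likelihood=3, impact=5),
    }


if __name__ == "__main__":
    for k, v in compare_controls().items():
        print(f"{k:16} {v}")
```

With these constructed figures the cheap control that reduces impact pays for itself (positive value) while the expensive control that only reduces frequency does not, which is the point of doing the arithmetic before buying.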

3.1.3. Develop Security Policies
  3.1.3.1. Policies, standards, guidelines, procedures
  3.1.3.2. Provide the foundation for a secure infrastructure
  3.1.3.3. Created by senior management
  3.1.3.4. Some policies are required by law

3.1.4. Enforce Security Policies

3.2. Access Control

3.2.1. Access control refers to the method of identifying who a user is

3.2.2. Primary Controls
  3.2.2.1. Administrative: build policies and procedures
  3.2.2.2. Technical: routers, encryption, IDS, antivirus, firewalls
  3.2.2.3. Physical: network segregation, perimeter security, computer controls, work area separation, data backups, locks on doors!

3.2.3. Operational Controls: detective, preventative, deterrent, corrective, recovery, compensatory

3.2.4. Access Control Models
  3.2.4.1. Bell-LaPadula (confidentiality): simple security property: subject cannot read up; *-property (star): subject cannot write down; strong *-property: a subject that both reads and writes may only do so at its own level, neither up nor down
  3.2.4.2. Biba (integrity): simple integrity property: subject cannot read down; *-integrity property: subject cannot write up
  3.2.4.3. Clark-Wilson (integrity): subject can only access objects through authorized programs; enforces segregation of duties by authorized subjects; requires auditing
  3.2.4.4. Take-Grant
  3.2.4.5. Brewer & Nash
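The Bell-LaPadula and Biba rules above, as an added example that is not part of the original mind map: a small reference monitor that mediates every request against one of the models on a linear lattice of levels. The levels, the subject clearance and the requests are constructed for illustration.

```python
"""Reference monitor enforcing Bell-LaPadula and Biba (added example)."""
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula (confidentiality). Simple security property: no read up.
    *-property: no write down (writing *up* stays allowed)."""
    if op == "read":
        return subject >= obj
    if op == "write":
        return subject <= obj
    raise ValueError(f"unknown operation {op!r}")


def blp_strong_star_allows(subject: Level, obj: Level, op: str) -> bool:
    """Strong *-property: read and write only at the subject's own level."""
    if op not in ("read", "write"):
        raise ValueError(f"unknown operation {op!r}")
    return subject == obj


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba (integrity); the same Level values are read as integrity levels.
    Simple integrity property: no read down. *-integrity property: no write up."""
    if op == "read":
        return subject <= obj
    if op == "write":
        return subject >= obj
    raise ValueError(f"unknown operation {op!r}")


MODELS = {"blp": blp_allows, "blp-strong": blp_strong_star_allows, "biba": biba_allows}


def reference_monitor(model: str, requests):
    """Mediate every (subject level, object level, op) request and return the
    decisions in order. All access goes through this one function, which is
    the 'always invoked' property expected of a reference monitor."""
    decide = MODELS[model]
    return [(s.name, o.name, op, decide(s, o, op)) for s, o, op in requests]


# Constructed requests: a SECRET-cleared subject touching objects at other levels.
REQUESTS = [
    (Level.SECRET, Level.TOP_SECRET, "read"),     # read up
    (Level.SECRET, Level.CONFIDENTIAL, "write"),  # write down
    (Level.SECRET, Level.SECRET, "write"),        # same level
    (Level.SECRET, Level.TOP_SECRET, "write"),    # write up
]


if __name__ == "__main__":
    for model in MODELS:
        print(model)
        for s, o, op, ok in reference_monitor(model, REQUESTS):
            print(f"  {s:12} {op:5} {o:12} -> {'allow' if ok else 'deny'}")
```

Running all three models over the same requests makes the trade-off visible: Bell-LaPadula permits the write-up that Biba denies, which is exactly the integrity gap Biba was designed to close, and the strong *-property removes both directions.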

3.2.5. Types of Access Rules: Mandatory (MAC), Discretionary (DAC), Non-Discretionary (NDAC), Role-Based (RBAC), content-dependent

3.2.6. Authentication / Passwords: verification is done by testing who you are (something you are), what you know, what you have, and what you do

3.2.7. SSO: Kerberos, SESAME

3.2.8. Biometrics
  3.2.8.1. Types: fingerprint/palm/face, retina, voice
  3.2.8.2. Tools: finger scanner, palm scanner, retina and iris scanner
  3.2.8.3. Issues: enrollment time, throughput time, acceptability
  3.2.8.4. Error rates: False Rejection Rate (FRR), Type I error; False Acceptance Rate (FAR), Type II error; Crossover Error Rate (CER), the point where FRR equals FAR
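The FRR / FAR / CER definitions above, as an added example that is not part of the original mind map: computing both error rates from matcher scores, sweeping the acceptance threshold to find the crossover, and picking a threshold for a given FAR budget. The score lists are constructed sample data from a hypothetical matcher, not measurements from a real sensor.

```python
"""FRR, FAR and CER from matcher scores (added example, constructed data)."""

# Constructed similarity scores (0..100): genuine users vs impostors.
GENUINE = [72, 75, 78, 80, 82, 84, 85, 86, 88, 90, 91, 93, 94, 96, 98]
IMPOSTOR = [40, 45, 50, 55, 58, 60, 62, 65, 68, 70, 73, 76, 79, 83, 87]


def frr(threshold: int, genuine=GENUINE) -> float:
    """Type I error: genuine users rejected because their score is below threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(threshold: int, impostor=IMPOSTOR) -> float:
    """Type II error: impostors accepted because their score reaches threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep thresholds; return (threshold, rate) where FRR and FAR are closest.
    That rate is the Crossover Error Rate used to compare biometric systems."""
    best = None
    for t in range(0, 101):
        f_rej, f_acc = frr(t, genuine), far(t, impostor)
        gap = abs(f_rej - f_acc)
        if best is None or gap < best[0]:
            best = (gap, t, (f_rej + f_acc) / 2)
    return best[1], best[2]


def threshold_for_far(max_far: float, genuine=GENUINE, impostor=IMPOSTOR):
    """Security-first tuning: the lowest threshold whose FAR is within budget,
    returned with the FRR (user friction) that setting costs."""
    for t in range(0, 101):
        if far(t, impostor) <= max_far:
            return t, frr(t, genuine)
    raise ValueError("no threshold meets the FAR budget")


if __name__ == "__main__":
    t, cer = crossover()
    print(f"CER {cer:.3f} at threshold {t}")
    for budget in (0.10, 0.0):
        t, cost = threshold_for_far(budget)
        print(f"FAR <= {budget:.2f}: threshold {t}, FRR {cost:.3f}")
```

Raising the threshold drives FAR toward zero but pushes FRR up sharply; the CER is the single number that lets two systems be compared independently of where each vendor set its default.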

3.2.9. Authorization / Accountability: authorization is the set of granted privileges; accountability ties actions back to an authenticated identity

3.2.10. Managing Access Control
  3.2.10.1. Scripting
  3.2.10.2. Directory services
  3.2.10.3. Centralized: RADIUS, TACACS, TACACS+, Diameter, CHAP
  3.2.10.4. Decentralized: database

3.2.11. Network Security Testing: NIST SP 800-42

3.3. Telecommunications and Network Security

3.3.1. OSI / TCP/IP Model
  3.3.1.1. OSI (Open Systems Interconnection): Layer 7 Application, Layer 6 Presentation, Layer 5 Session, Layer 4 Transport, Layer 3 Network, Layer 2 Data Link, Layer 1 Physical
  3.3.1.2. TCP/IP: Application (OSI 5-7), Host-to-host / Transport (OSI 4), Internet / Network (OSI 3), Network Interface (OSI 1-2, data link and physical)
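The layer mapping above, as an added example that is not part of the original mind map: building and decoding an Ethernet / IPv4 / TCP packet with the standard library so that each header can be seen at its layer (Ethernet at OSI 2 / network interface, IPv4 at OSI 3 / internet, TCP at OSI 4 / host-to-host). The MAC addresses, IP addresses, ports and payload are constructed sample values; the TCP checksum is left at zero to keep the example short.

```python
"""Encapsulation across the layers: Ethernet II + IPv4 + TCP (added example)."""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement of the one's-complement sum
    of the 16-bit words. Over a valid header (checksum included) it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload):
    # OSI 4 / host-to-host: 20-byte TCP header, SYN set, seq 1, window 65535
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    # OSI 3 / internet: 20-byte IPv4 header, DF set, TTL 64, protocol 6 (TCP)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                     64, IPPROTO_TCP, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    # OSI 2 / network interface: Ethernet II header, EtherType 0x0800 (IPv4)
    eth = struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_IPV4)
    return eth + ip + tcp + payload


def decode_packet(frame: bytes) -> dict:
    """Peel the headers off layer by layer, validating as we go."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    (_, _, total_len, _, _, ttl, proto, _, src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != IPPROTO_TCP:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    src_port, dst_port, seq, ack, offset_res, flags, window, _, _ = struct.unpack("!HHIIBBHHH", tcp[:20])
    data_off = (offset_res >> 4) * 4
    return {
        "layer2": {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"), "ethertype": ethertype},
        "layer3": {"src_ip": ".".join(map(str, src_ip)), "dst_ip": ".".join(map(str, dst_ip)),
                   "ttl": ttl, "protocol": proto},
        "layer4": {"src_port": src_port, "dst_port": dst_port, "seq": seq,
                   "syn": bool(flags & 0x02), "window": window},
        "payload": tcp[data_off:],
    }


# Constructed sample frame: 10.0.0.1:40000 -> 10.0.0.2:443, locally administered MACs
SAMPLE_FRAME = build_packet(bytes.fromhex("020000000001"), bytes.fromhex("020000000002"),
                            bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 40000, 443, b"hello")


if __name__ == "__main__":
    for layer, fields in decode_packet(SAMPLE_FRAME).items():
        print(layer, fields)
```

Each layer only inspects its own header and hands the rest up, which is why a router (layer 3) never needs to understand the TCP header and a switch (layer 2) never needs to understand IP; it is also why tampering with one byte of the IPv4 header is caught by that layer's checksum before the payload is ever looked at.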

3.3.2. Media / Topologies: typical media: 10Base2, 10Base5, coax, UTP/STP, fiber, wireless; topologies: bus, ring, star, tree, mesh

3.3.3. LAN Protocols / Standards: ARP / RARP; 802.3 (CSMA/CD, Ethernet); 802.5 (Token Ring); 802.11 (wireless); 802.16 (WiMAX); 802.20 (Mobile Broadband Wireless Access; mobile WiMAX itself is 802.16e)

3.3.4. WAN Technologies: dedicated lines; circuit switched: SDH/SONET, DTM; packet switched: ATM, Gigabit Ethernet, X.25, Token Ring, FDDI

3.3.5. The PBX

3.3.6. Remote Connectivity: PPP/SLIP, PPPoE, PAP/CHAP; securing: IPsec VPNs, SSL, NAT, swIPe
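The PAP/CHAP pair above, and CHAP as listed under centralized access control management (3.2.10), as an added example that is not part of the original mind map: a PAP exchange and an RFC 1994 CHAP exchange (response = MD5(identifier || secret || challenge)) run through a simulated link so that what an on-path observer captures can be compared, plus a replay of the captured CHAP response. The peer name, the shared secret and the authenticator are constructed; in a real deployment the verification step is usually delegated to RADIUS or TACACS+.

```python
"""PAP vs CHAP over a simulated link (added example, constructed secret)."""
import hashlib
import hmac
import os

# Constructed credential store on the access server
SECRETS = {b"alice": b"constructed-shared-secret"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5 over Identifier, secret and the Challenge Value."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Access-server side; CHAP needs the cleartext secret to recompute the hash."""

    def __init__(self, secrets):
        self.secrets = secrets
        self.pending = {}   # identifier -> outstanding challenge
        self.next_id = 0

    def chap_challenge(self):
        identifier = self.next_id & 0xFF
        self.next_id += 1
        challenge = os.urandom(16)           # fresh, unpredictable, never reused
        self.pending[identifier] = challenge
        return identifier, challenge

    def chap_verify(self, identifier: int, name: bytes, response: bytes) -> bool:
        challenge = self.pending.pop(identifier, None)   # one use only
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)

    def pap_verify(self, name: bytes, password: bytes) -> bool:
        secret = self.secrets.get(name)
        return secret is not None and hmac.compare_digest(secret, password)


def run_pap(auth: Authenticator, name: bytes, password: bytes):
    """PAP: Authenticate-Request carries the password in the clear."""
    wire = [b"AUTH-REQ " + name + b" " + password]
    return auth.pap_verify(name, password), wire


def run_chap(auth: Authenticator, name: bytes, secret: bytes):
    """CHAP: Challenge -> Response -> Success/Failure; the secret never leaves either end."""
    wire = []
    identifier, challenge = auth.chap_challenge()
    wire.append(b"CHALLENGE " + bytes([identifier]) + challenge)
    response = chap_response(identifier, secret, challenge)        # computed by the peer
    wire.append(b"RESPONSE " + bytes([identifier]) + response + b" " + name)
    ok = auth.chap_verify(identifier, name, response)
    wire.append(b"SUCCESS" if ok else b"FAILURE")
    return ok, wire, (identifier, response)


def replay_chap(auth: Authenticator, name: bytes, captured) -> bool:
    """An eavesdropper replays a captured Response against a fresh Challenge."""
    _, response = captured
    new_id, _ = auth.chap_challenge()
    return auth.chap_verify(new_id, name, response)


def secret_on_wire(wire, secret: bytes) -> bool:
    return any(secret in msg for msg in wire)


if __name__ == "__main__":
    auth = Authenticator(SECRETS)
    ok, wire = run_pap(auth, b"alice", SECRETS[b"alice"])
    print("PAP ok:", ok, "secret visible on wire:", secret_on_wire(wire, SECRETS[b"alice"]))
    ok, wire, cap = run_chap(auth, b"alice", SECRETS[b"alice"])
    print("CHAP ok:", ok, "secret visible on wire:", secret_on_wire(wire, SECRETS[b"alice"]))
    print("replay accepted:", replay_chap(auth, b"alice", cap))
```

CHAP's advantage is confined to the link: the secret is not transmitted and a captured response is useless against a new challenge. It still depends on MD5 and on the server holding the cleartext secret, which is why later dial-up and VPN deployments moved to EAP methods and certificate-based authentication rather than relying on CHAP alone.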

3.3.7. Networking Cables: coaxial cable, twisted pair, fiber-optic cable (core, cladding, jacket); cable vulnerabilities: cable failure; terms: attenuation, crosstalk, noise

3.3.8. Networking Devices: repeater, bridge, switch, router, proxies, gateway, LAN extender; firewall architectures: screened-host, dual-homed host, screened-subnet; SOCKS

3.3.9. Wireless: IEEE standards 802.11a through 802.11n, 802.1X, 802.3af (Power over Ethernet), 802.16 (WiMAX), 802.15 (Bluetooth); terminology; RADIUS

3.3.10. General Communications Vulnerabilities
  3.3.10.1. Wireless exploits: passive attacks, active attacks, man-in-the-middle attacks, jamming attacks
  3.3.10.2. Countermeasures: IDS / IPS, honeypots, response team, layered security, firewalls
  3.3.10.3. Securing voice

3.4. Security Architecture and Design

3.4.1. Trusted Computing Base (TCB)
  3.4.1.1. Trusted computer: does what you tell it to, only what you tell it to do, and you know what it is doing
  3.4.1.2. Trusted system: rings of security
  3.4.1.3. Reference monitor / security kernel: must isolate processes (tamper-proof), be used on every access (always invoked), and be small enough to be easily tested (verifiable)
  3.4.1.4. Covert channels: covert storage channel, covert timing channel

3.4.2. Computer Architecture: CPU (RISC, CISC); memory (cache, ROM, RAM, flash, memory addressing); buses (serial, parallel); firmware (BIOS, Cisco IOS); software (OS, applications)

3.4.3. Data Classification Models: models and IT classification; frameworks; security modes: compartmented, multilevel

3.4.4. Access Control Models: access control (identification, authentication, authorization); terms; databases; access control techniques

3.4.5. Certification / Accreditation and Evaluation: certification; accreditation; evaluation criteria: TCSEC, ITSEC, TNI, Common Criteria

3.4.6. Compliance
  3.4.6.1. ISO 17799 / BS 7799 (ISO 17799 was renumbered ISO/IEC 27002 in 2007)
  3.4.6.2. ISO 27000 series: ISO 27000, ISO 27001, ISO 27002, ISO 27003, ISO 27004
  3.4.6.3. Current drivers: regulation and legislation, cyberliability insurance, incident response
  3.4.6.4. Future drivers: industry adoption and compliance, cyberterrorism, information warfare, personal privacy

3.5. Business Continuity and Disaster Recovery Planning

3.5.1. Business Continuity Planning (BCP)
  3.5.1.1. Why? Business need; regulatory (SOX, Basel II, FISMA, HIPAA, etc.)
  3.5.1.2. Contingency planning integration (BCP/CP): develop the contingency planning policy statement; conduct the business impact analysis (BIA); identify preventive controls; develop recovery strategies; develop an IT contingency plan; plan testing, training, and exercises; plan maintenance
  3.5.1.3. NIST's three phases of action: notification/activation, recovery, reconstitution
  3.5.1.4. Elements of BCP: scope and plan initiation; business impact analysis (BIA); business continuity planning and development; plan approval and implementation

3.5.2. Disaster Recovery Planning (DRP)
  3.5.2.1. Objectives: protect the company from major computer services failure; minimize the risk from delays in providing services; guarantee reliability of standby systems through testing; minimize the decision making required of personnel during a disaster
  3.5.2.2. DRP assumes the BIA has been done and focuses on the steps needed to protect the business

3.5.3. Development

3.5.4. Emergency Implementation Planning

3.5.5. Types of DR Sites: subscription service (hot site, warm site, cold site); others; transaction redundancy implementation: electronic vaulting, remote journaling, database shadowing

3.5.6. Media / Methods
  3.5.6.1. Backup storage media: tape, hard disks, optical disks, solid state
  3.5.6.2. Backup methods: full, incremental, differential
  3.5.6.3. RAID: disk striping (RAID 0), disk mirroring (RAID 1), disk striping with parity (RAID 5), nested RAID (e.g. RAID 01: RAID 0 sets combined under a top-level RAID 1); RAB classification
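The backup methods and RAID levels above, as an added example that is not part of the original mind map: which backup sets a restore needs under an incremental versus a differential rotation, and how RAID 5 parity (XOR across the stripe) rebuilds any single failed disk but not two. The weekly backup calendars and the disk contents are constructed samples.

```python
"""Restore chains and RAID 5 parity (added example, constructed data)."""
from functools import reduce


def restore_chain(backups):
    """backups: [(label, kind)] in chronological order, kind in full/incr/diff.
    Return the sets needed, oldest first, to restore the most recent state.
    Incremental: the last full plus every incremental after it.
    Differential: the last full plus only the latest differential."""
    last_full = max(i for i, (_, kind) in enumerate(backups) if kind == "full")
    tail = backups[last_full + 1:]
    needed = [backups[last_full]]
    needed += [b for b in tail if b[1] == "incr"]
    diffs = [b for b in tail if b[1] == "diff"]
    if diffs:
        needed.append(diffs[-1])
    return needed


# Constructed calendars: one full on Sunday, then one backup per weekday.
WEEK_INCREMENTAL = [("Sun", "full"), ("Mon", "incr"), ("Tue", "incr"), ("Wed", "incr"), ("Thu", "incr")]
WEEK_DIFFERENTIAL = [("Sun", "full"), ("Mon", "diff"), ("Tue", "diff"), ("Wed", "diff"), ("Thu", "diff")]


def xor_blocks(blocks):
    """Bytewise XOR of equal-length blocks."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def raid5_stripe(data_blocks, parity_index):
    """One stripe: the data blocks plus a parity block placed on disk
    `parity_index`. Real arrays rotate parity_index from stripe to stripe,
    which is what distinguishes RAID 5 from RAID 4."""
    stripe = list(data_blocks)
    stripe.insert(parity_index, xor_blocks(data_blocks))
    return stripe


def can_rebuild(failed_disks) -> bool:
    """Single parity tolerates exactly one failed disk per stripe."""
    return len(failed_disks) <= 1


def rebuild(stripe, failed_disk):
    """XOR of all blocks is zero, so XOR of the survivors equals the lost block,
    whether the lost block was data or parity."""
    survivors = [b for i, b in enumerate(stripe) if i != failed_disk]
    return xor_blocks(survivors)


if __name__ == "__main__":
    print("incremental restore needs", [d for d, _ in restore_chain(WEEK_INCREMENTAL)])
    print("differential restore needs", [d for d, _ in restore_chain(WEEK_DIFFERENTIAL)])
    stripe = raid5_stripe([b"AAAA", b"BBBB", b"CCCC"], parity_index=3)
    print("disk 1 rebuilt as", rebuild(stripe, 1))
```

The two halves illustrate the same trade-off from different angles: incremental backups are faster to take but the restore chain grows every day and breaks if any link is missing, while differential backups grow daily but restore from two sets; RAID 5 buys one disk of fault tolerance for one disk of capacity, and a second failure before the rebuild completes loses the stripe.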

3.5.7. Testing COOP / DRP: checklist, structured walk-through, simulation, parallel, full interruption

3.5.8. Standards: BS 25999, ISO 22399, ISO 24762, ISO 27001

3.5.9. Links: thebci, disasterrecoverytemplates

3.6. Application Security

3.6.1. Goals: software should perform its intended tasks, nothing more, nothing less; develop software and systems on budget and on schedule

3.6.2. Open Source vs. Proprietary Code

3.6.3. A TCB depends on Trusted Software

3.6.4. Overview of programming languages: 1st generation: machine or binary code; 2nd generation: assembly; 3rd generation: high-level languages closer to spoken language; compiled / interpreted / hybrid

3.6.5. Principles of Programming: modularity, top-down design, limited control structures, limited scope of variables

3.6.6. Methodologies: structured programming, object-oriented programming, Computer-Aided Software Engineering (CASE) tools

3.6.7. Good Coding Practices: least privilege, hiding secrets, layered defense, protect the weakest link

3.6.8. Development Models: software engineering models: simplistic model, waterfall model, spiral model, cost estimation techniques, Rapid Application Development (RAD), cleanroom model, iterative development method, prototyping model, System Development Life Cycle (SDLC), the Software Capability Maturity Model, IDEAL model

3.6.9. Object-Oriented Programming: concepts: class, data abstraction, inheritance, polymorphism, polyinstantiation; phases of development for object orientation (OOO): Object-Oriented Requirements Analysis (OORA), Object-Oriented Analysis (OOA), Domain Analysis (DA), Object-Oriented Design (OOD), Object-Oriented Programming (OOP)

3.6.10. Tools and Languages: Java, ActiveX, Dynamic Data Exchange (DDE), Object Linking and Embedding (OLE), Component Object Model (COM) and Distributed COM (DCOM), Common Object Request Broker Architecture (CORBA), expert systems

3.6.11. Databases
  3.6.11.1. Types: file-based, hierarchical, network, object-oriented, relational
  3.6.11.2. Terms: database management system, data definition language, primary key, foreign key, SELECT command, normalization, bind variable, data warehouse
  3.6.11.3. Database security: basics of database security; discretionary vs mandatory; relational vs object-oriented

3.6.12. Configuration & Management

3.6.13. Application Vulnerabilities
  3.6.13.1. Malicious mobile code; DNS hijacking; XSS; SQL injection; DoS, DDoS, flooding
  3.6.13.2. Malware: virus (polymorphic, stealth, retro, boot sector, macro), Trojan, worm
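The SQL injection and XSS entries above, together with the "bind variable" term under Databases (3.6.11), as an added example that is not part of the original mind map: the same login query built by string concatenation and with bind variables, run against an in-memory SQLite table with the same attacker input, plus the output-encoding counterpart for XSS. The accounts and the payloads are constructed; passwords are stored in clear only to keep the example short (a real system stores a salted hash).

```python
"""SQL injection vs bind variables, and HTML output encoding (added example)."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return con


def login_vulnerable(con: sqlite3.Connection, name: str, password: str):
    # Attacker-controlled text is spliced into the SQL grammar itself.
    sql = f"SELECT role FROM users WHERE name = '{name}' AND password = '{password}'"
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con: sqlite3.Connection, name: str, password: str):
    # Bind variables: the statement shape is fixed at parse time and the
    # values travel separately, so quotes in the input are just data.
    sql = "SELECT role FROM users WHERE name = ? AND password = ?"
    row = con.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


# Constructed attacker input: closes the string literal, then comments out
# the rest of the WHERE clause so the password is never checked.
INJECTION = "alice' --"


def render_comment_unsafe(comment: str) -> str:
    # User text is emitted straight into markup: a browser will execute it.
    return f"<p>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    # Encode for the HTML context so the text stays text.
    return f"<p>{html.escape(comment, quote=True)}</p>"


# Constructed XSS payload
XSS = "<img src=x onerror=alert(document.cookie)>"


if __name__ == "__main__":
    con = make_db()
    print("vulnerable login with injection ->", login_vulnerable(con, INJECTION, "anything"))
    print("safe login with injection       ->", login_safe(con, INJECTION, "anything"))
    print("safe login with real password   ->", login_safe(con, "alice", "s3cret"))
    print(render_comment_unsafe(XSS))
    print(render_comment_safe(XSS))
```

Both fixes are the same idea applied at different trust boundaries: keep data out of the grammar being interpreted, by parameterizing the query on the way into the database and by encoding for the output context on the way out to the browser.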

3.7. Cryptography

3.7.1. Classical Goals: confidentiality, integrity, authentication, nonrepudiation

3.7.2. History

3.7.3. Components

3.7.4. Symmetric-Key Cryptography: algorithms: DES, 3DES, AES, Serpent, Twofish, RC6, IDEA; modes of operation (DES)

3.7.5. Asymmetric-Key Cryptography: algorithms: RSA, DH, DSA, ElGamal, ECC

3.7.6. Hybrid Cryptography
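The DH entry under asymmetric cryptography and the hybrid cryptography node above, as an added example that is not part of the original mind map: a Diffie-Hellman key agreement over the RFC 3526 2048-bit MODP group (group 14) with both parties' values shown, followed by an HMAC-SHA-256 key derivation in the RFC 5869 HKDF shape that turns the shared secret into a symmetric key, which is where a hybrid scheme hands over to a symmetric cipher such as AES. Party names are constructed, no cipher library is used, and the example stops at the derived key.

```python
"""Diffie-Hellman over RFC 3526 group 14 plus HKDF key derivation (added example)."""
import hashlib
import hmac
import secrets

# RFC 3526 section 3: 2048-bit MODP group, p is a safe prime (p = 2q + 1), generator 2.
P = int("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".replace(" ", "").replace("\n", ""), 16)
G = 2
Q = (P - 1) // 2
P_BYTES = (P.bit_length() + 7) // 8


def validate_public(y: int) -> None:
    """Reject values an on-path attacker could substitute: 0, 1, p-1 and
    anything outside the prime-order subgroup that generator 2 spans. Without
    this check a peer can be forced into a predictable shared secret."""
    if not 2 <= y <= P - 2:
        raise ValueError("DH public value out of range")
    if pow(y, Q, P) != 1:
        raise ValueError("DH public value not in the prime-order subgroup")


class Party:
    def __init__(self, name: str):
        self.name = name
        # 256-bit private exponent with the top bit set: plenty for this group.
        self.priv = secrets.randbits(256) | (1 << 255)
        self.pub = pow(G, self.priv, P)           # the value sent to the peer

    def shared_secret(self, peer_pub: int) -> int:
        validate_public(peer_pub)
        return pow(peer_pub, self.priv, P)


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF extract-then-expand (RFC 5869) with HMAC-SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_key(shared: int, transcript: bytes) -> bytes:
    """Never use the raw DH output as a key: fix its width, then run a KDF
    bound to the exchanged public values."""
    ikm = shared.to_bytes(P_BYTES, "big")
    return hkdf_sha256(ikm, salt=hashlib.sha256(transcript).digest(), info=b"cissp-dh-example")


def exchange(alice: Party, bob: Party):
    """Alice -> Bob: A = g^a mod p. Bob -> Alice: B = g^b mod p.
    Both derive the same symmetric key from (B^a mod p) == (A^b mod p)."""
    transcript = alice.pub.to_bytes(P_BYTES, "big") + bob.pub.to_bytes(P_BYTES, "big")
    key_a = derive_key(alice.shared_secret(bob.pub), transcript)
    key_b = derive_key(bob.shared_secret(alice.pub), transcript)
    return key_a, key_b


if __name__ == "__main__":
    a, b = Party("Alice"), Party("Bob")
    ka, kb = exchange(a, b)
    print("Alice sends A =", hex(a.pub)[:18] + "...")
    print("Bob   sends B =", hex(b.pub)[:18] + "...")
    print("keys match:", ka == kb, "key =", ka.hex())
```

Nothing here authenticates either party, so an on-path attacker could run two separate exchanges and relay; that is the gap the PKI and digital signature nodes below address, and why TLS signs the DH values with a certificate key rather than using them bare.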

3.7.7. Hashing: algorithms: MD5, SHA-1 (both are broken for collision resistance; new designs should use SHA-2 or SHA-3)

3.7.8. Public Key Infrastructure: Certificate Authority (CA), Registration Authority (RA), certificate holders, clients that validate digital signatures, repositories

3.7.9. Digital Signatures: Digital Signature Standard (DSS); types of CA trust: hierarchical, cross-certification

3.7.10. Cryptography in Use: SSH, IPsec, SSL, SET

3.7.11. Data Privacy Concerns

3.7.12. Attacks

3.8. Physical Security

3.8.1. Roles of Physical Security

3.9. Legal, Regulations, Compliance and Investigations

3.9.1. Ethics: ISC2 Code of Ethics; Internet Architecture Board (IAB)

3.9.2. Examples of Computer Crimes: data diddling, salami attacks, social engineering, dumpster diving

3.9.3. Law: the legal framework; three sources of law; investigation steps; terms; best evidence rule; forensics; contracts; End-User License Agreements; intellectual property; privacy; accountability; international laws; computer laws

3.10. Operations Security

3.10.1. Separation of Duties: operator, security admin, system admin

3.10.2. Critical Operations Controls: resource protection, hardware controls, software controls, privileged entity controls, change management control

3.10.3. Media Protection: records retention, data remanence, due care and due diligence, documentation

3.10.4. Auditing