CISSP 2015

Mind Map of CISSP 8 Domains 2015

CISSP 2015, author: Mind Map: CISSP 2015

1. Identity & Access Management

1.1. Method control refers to your method of identifying who the user is

1.2. Primary Controls

1.2.1. Administrative

1.2.1.1. Build Policies and procedures

1.2.2. Technical

1.2.2.1. Routers

1.2.2.2. Encryption

1.2.2.3. IDS

1.2.2.4. Antivirus

1.2.2.5. Firewalls

1.2.3. Physical

1.2.3.1. Network Segregation

1.2.3.2. Perimeter Security

1.2.3.3. Computer Controls

1.2.3.4. Work area separation

1.2.3.5. Data Backups

1.2.3.6. Locks on doors!

1.3. Operational Controls

1.3.1. Detective

1.3.2. Preventative

1.3.3. Deterrent

1.3.4. Corrective

1.3.5. Recovery

1.3.6. Compensatory

1.4. Access Control Models

1.4.1. Bell-LaPadula (Confidentiality)

1.4.1.1. Simple: Subject cannot read up

1.4.1.2. Star : Subject cannot write down

1.4.1.3. Strong: Subject with read and write cannot go up or down

1.4.2. Biba (Integrity)

1.4.2.1. Subject cannot read down

1.4.2.2. Subject cannot write up

1.4.3. Clark-Wilson (Integrity)

1.4.3.1. Subject can only access object through authorized program

1.4.3.2. Enforces segregation of duties by authorized subjects

1.4.3.3. Requires auditing

1.4.4. Take

1.4.5. Brewer & Nash

1.5. Types of Access Rules

1.5.1. Mandatory (MAC)

1.5.2. Discretionary (DAC)

1.5.3. Non-Discretionary (NDAC)

1.5.4. Role-based (RBAC)

1.5.5. Content Dependent

1.6. Authentication / Passwords

1.6.1. Verification is done by testing

1.6.1.1. Who you are

1.6.1.1.1. biometrics

1.6.1.2. What you know

1.6.1.2.1. passwords, polling and interrogation

1.6.1.3. What you have

1.6.1.3.1. id, badge, key, USB plug

1.6.1.4. What you do

1.7. SSO

1.7.1. Kerberos

1.7.2. SESAME

1.8. Biometrics

1.8.1. Types

1.8.1.1. Fingerprint/Palm/Face

1.8.1.1.1. Hand Geometry

1.8.1.1.2. Signature dynamics

1.8.1.1.3. Facial Scan

1.8.1.2. Retina

1.8.1.3. Voice

1.8.2. Tools

1.8.2.1. Finger scanner

1.8.2.2. Palm scanner

1.8.2.3. Retina and iris scanner

1.8.3. Issues

1.8.3.1. Enrollment Time

1.8.3.1.1. Acceptable rate is 2 minutes per person

1.8.3.2. Throughput Time

1.8.3.2.1. Acceptable rate is 10 people per minute

1.8.3.3. Acceptability Issues

1.8.3.3.1. Privacy, physical, psychological

1.8.3.4. False Rejection Rate (FRR) - Type I error

1.8.3.5. False Acceptance Rate (FAR) - Type II error

1.8.3.6. Crossover Error Rate (CER)

1.8.3.6.1. CER = % when FRR = FAR

1.9. Authorization / Accountability

1.9.1. Authorization

1.9.1.1. granted privileges

1.9.2. Accountability

1.10. Managing Access Control

1.10.1. Scripting

1.10.2. Directory services

1.10.3. Centralized

1.10.3.1. Radius

1.10.3.2. TACACS

1.10.3.3. TACACS+

1.10.3.4. Diameter

1.10.4. CHAP

1.10.5. Decentralized

1.10.5.1. Database

1.10.5.1.1. Relational Database

1.10.5.1.2. Databases 101

1.10.5.1.3. Security elements

1.11. Network Security Testing

1.11.1. NIST Publication 800-42

2. Asset Security

2.1. Roles of Physical Security

2.2. Cryptography

2.2.1. Classical Goals

2.2.1.1. Confidentiality

2.2.1.2. Integrity

2.2.1.3. Authentication

2.2.1.4. Nonrepudiation

2.2.2. History

2.2.3. Components

2.2.4. Symmetric-Key Cryptography

2.2.4.1. Symmetric Algorithms

2.2.4.1.1. DES

2.2.4.1.2. 3DES

2.2.4.1.3. AES

2.2.4.1.4. Serpent

2.2.4.1.5. Twofish

2.2.4.1.6. RCG

2.2.4.1.7. IDEA

2.2.4.2. Modes of Operation DES

2.2.5. Asymmetric-Key Cryptography

2.2.5.1. Asymmetric Algorithms

2.2.5.1.1. RSA

2.2.5.1.2. DH

2.2.5.1.3. DSA

2.2.5.1.4. El Gamal

2.2.5.1.5. ECC

2.2.6. Hybrid Cryptography

2.2.7. Hashing

2.2.7.1. Hash Algorithms

2.2.7.1.1. MD5

2.2.7.1.2. SHA-1

2.2.8. Public Key Infrastructure

2.2.8.1. Certificate Authority or CA

2.2.8.2. Registration Authority or RA

2.2.8.3. Certificates holders

2.2.8.4. Clients that validate digital signatures

2.2.8.5. Repositories

2.2.9. Digital Signatures

2.2.9.1. Digital Signature Standard (DSS)

2.2.9.2. Types of CA Trust

2.2.9.2.1. Hierarchical

2.2.9.2.2. Cross Certification

2.2.10. Cryptography In Use

2.2.10.1. SSH

2.2.10.2. IPSEC

2.2.10.3. SSL

2.2.10.4. SET

2.2.11. Data Privacy Concerns

2.2.12. Attacks

2.3. Information Classification

2.3.1. Criteria

2.3.1.1. Value

2.3.1.2. Age

2.3.1.3. Useful life

2.3.1.4. Personal Association

2.3.2. Government

2.3.2.1. Unclassified

2.3.2.2. Sensitive but Unclassified

2.3.2.3. Confidential

2.3.2.4. Secret

2.3.2.5. Top Secret

2.3.3. Private Sector

2.3.3.1. Public

2.3.3.2. Sensitive

2.3.3.3. Private

2.3.3.4. Confidential

3. Security Operations

3.1. Separation of Duties

3.1.1. Operator

3.1.2. Security Admin

3.1.3. System Admin

3.2. Critical Operations Controls

3.2.1. Resources Protection

3.2.2. Hardware Controls

3.2.3. Software Controls

3.2.4. Privileged Entity Controls

3.2.5. Change Management Control

3.3. Media Protection

3.3.1. Records Retention

3.3.2. Data Remanence

3.3.3. Transaction Redundancy Implementation

3.3.3.1. Electronic Vaulting

3.3.3.2. Remote Journaling

3.3.3.3. Database Shadowing

3.3.4. Due care and due diligence

3.3.5. Documentation

3.4. Disaster Recovery Planning (DRP)

3.4.1. Objectives

3.4.1.1. Protect the company from major computer services failure

3.4.1.2. Minimize the risk from delays in providing services

3.4.1.3. Guarantee reliability of standby systems through testing

3.4.1.4. Minimize decision making required by personnel during a disaster

3.4.2. Subscription Service

3.4.2.1. Hot Site

3.4.2.2. Warm Site

3.4.2.3. Cold Site

3.4.2.4. Others

3.4.2.4.1. Mobile Site

3.4.3. DRP assumes BIA has been done, now focusing on steps needed to protect the business

3.5. Backup Methods

3.5.1. Full

3.5.1.1. To restore, requires only the previous day's Full backup

3.5.1.2. Requires the most time and media space

3.5.2. Incremental

3.5.2.1. Requires the least time and space

3.5.2.2. To restore, requires last Full backup plus all backups since the last Full backup

3.5.3. Differential

3.5.3.1. To restore, requires the last Full backup and the last Differential backup

3.5.3.2. Intermediate in time and media space requirements between Full and Incremental backups

3.6. Business Continuity Planning (BCP)

3.6.1. Why ?

3.6.1.1. Business Need

3.6.1.2. Regulatory (SoX, BASEL2, FISMA, HIPAA, etc...)

3.6.2. Contingency Planning

3.6.3. Integration BCP/CP

3.6.3.1. Develop the contingency planning policy statement

3.6.3.2. Conduct the business impact analysis (BIA)

3.6.3.3. Identify preventive controls

3.6.3.4. Develop recovery strategies

3.6.3.5. Develop an IT contingency plan

3.6.3.6. Plan testing, training, and exercises

3.6.3.7. Plan Maintenance

3.6.4. NIST's 3 Phases of Actions

3.6.4.1. Notification/Activation

3.6.4.2. Recovery

3.6.4.3. Reconstitution

3.6.5. Elements of BCP

3.6.5.1. Scope and plan Initiation

3.6.5.1.1. Scope

3.6.5.1.2. Amount of work required

3.6.5.1.3. Resources to be used

3.6.5.1.4. Management Practices

3.6.5.1.5. Roles and Responsibilities

3.6.5.2. Business Impact Analysis (BIA)

3.6.5.2.1. Gathering assessment materials

3.6.5.2.2. Perform the assessment

3.6.5.2.3. Analyze the compiled information

3.6.5.2.4. Document the results

3.6.5.3. Business Continuity Planning and Development

3.6.5.4. Plan approval and implementation

3.7. Auditing

3.8. Backup Storage Media

3.8.1. Tape

3.8.2. Hard Disks

3.8.3. Optical Disks

3.8.4. Solid State

3.9. RAID

3.9.1. disk striping (RAID 0)

3.9.2. disk mirroring (RAID 1)

3.9.3. disk striping with parity (RAID 5)

3.9.4. combined RAID (e.g. RAID 01 -> RAID 0 arrays mirrored as an overall RAID 1)

3.9.5. RAB Classification

3.9.5.1. Failure-resistant disk systems

3.9.5.2. Failure-tolerant disk systems

3.9.5.3. Disaster-tolerant disk systems

4. Security and Risk Management

4.1. Identify and Classify Assets

4.1.1. CIA

4.1.1.1. Definition

4.1.1.1.1. Confidentiality

4.1.1.1.2. Integrity

4.1.1.1.3. Availability

4.1.1.2. Well with

4.1.1.2.1. Economically Viable

4.1.1.2.2. Authentication

4.1.1.2.3. Extensible

4.1.1.2.4. Auditable

4.1.1.2.5. Forensically sound

4.1.2. AAAA

4.1.2.1. Authenticate

4.1.2.2. Authorize

4.1.2.3. Accounting

4.1.2.4. Audit

4.2. Manage Risk

4.2.1. Management Concepts

4.2.2. Personnel Organization

4.2.2.1. Best Practices

4.2.2.1.1. Separation of Duties

4.2.2.1.2. Job Rotation

4.2.2.1.3. Job Description

4.2.2.1.4. Accountability

4.2.2.2. Roles and Responsibilities

4.2.2.2.1. Data Owner

4.2.2.2.2. Data Custodian

4.2.2.2.3. Users and Operators

4.2.2.2.4. Auditor

4.2.2.3. Role Review

4.2.2.3.1. Chief Information Officer

4.2.2.4. Training

4.2.2.4.1. Awareness Training

4.2.2.4.2. Technical Training

4.2.3. Legislative Drivers

4.2.3.1. FISMA

4.2.3.2. NIST CS

4.2.3.3. OECD Guidelines

4.2.4. Risk Management

4.2.4.1. Manage and Assess

4.2.4.1.1. Impact of the threat

4.2.4.1.2. Risk of the threat occurring

4.2.4.2. Controls reduce the impact

4.2.4.3. Types of Risk

4.2.4.3.1. Inherent risk

4.2.4.3.2. Control risk

4.2.4.3.3. Detection risk

4.2.4.3.4. Residual risk

4.2.4.3.5. Business risk

4.2.4.3.6. Overall risk

4.2.4.4. Probability of a Loss

4.2.4.5. Quantitative Analysis

4.2.4.5.1. Identify assets and determine value

4.2.4.5.2. Estimate potential losses

4.2.4.5.3. Analyze threats

4.2.4.5.4. Calculate overall loss potential

4.2.4.5.5. Accept, Mitigate, Assign the risk or Refuse

4.2.4.6. Qualitative Analysis

4.2.4.6.1. Techniques

4.2.4.6.2. Does not assign numeric value to risks

4.2.4.6.3. Based on experience and intuition of the risk analysts

4.2.4.7. Applying Controls

4.2.4.7.1. Fundamental Control Set

4.3. Compliance

4.3.1. ISO 27000 Series

4.3.1.1. ISO 27000

4.3.1.2. ISO 27001

4.3.1.2.1. was BS 7799 Part 2

4.3.1.3. ISO 27002

4.3.1.3.1. aka 17799

4.3.1.4. ISO 27003

4.3.1.5. ISO 27004

4.3.2. Current drivers

4.3.2.1. Regulation and Legislation

4.3.2.2. Cyberliability Insurance

4.3.2.3. Incident Response

4.3.3. Future Drivers

4.3.3.1. Industry Adoption and Compliance

4.3.3.2. Cyberterrorism

4.3.3.3. Information Warfare

4.3.3.4. Personal Privacy

4.4. Develop Security Policies

4.4.1. Policies, Standards, Guidelines

4.4.1.1. Policies

4.4.1.2. Standards

4.4.1.3. Guidelines

4.4.1.4. Procedures

4.4.2. Provide the foundation for a secure infrastructure

4.4.3. Created by Senior Management

4.4.4. Some policies are required by Law

4.5. Enforce Security Policies

4.6. Effective Security Program

4.7. Ethics

4.7.1. ISC2 Code of Ethics

4.7.2. Internet Architecture Board (IAB)

4.8. Law

4.8.1. The Legal Framework

4.8.1.1. Three sources of laws

4.8.1.1.1. Legislated

4.8.1.1.2. Regulated

4.8.1.1.3. Court precedent

4.8.2. Investigation

4.8.2.1. Steps

4.8.2.1.1. MOM

4.8.2.2. Terms

4.8.2.2.1. Enticement

4.8.2.2.2. Entrapment

4.8.2.3. Best of Evidence

4.8.2.3.1. Best

4.8.2.3.2. Corroborative

4.8.2.3.3. Secondary

4.8.2.3.4. Conclusive

4.8.2.3.5. Circumstantial

4.8.2.4. Forensics

4.8.2.5. Contracts

4.8.2.6. End-User License Agreements

4.8.2.7. Intellectual Property

4.8.2.8. Privacy

4.8.2.9. Accountability

4.8.2.10. International Laws

4.8.2.11. Computer Laws

4.8.3. Examples of Computer Crimes

4.8.3.1. Data Diddling

4.8.3.2. Salami Attacks

4.8.3.3. Social Engineering

4.8.3.4. Dumpster Diving

5. Communications and Network Security

5.1. OSI / TCP Model

5.1.1. OSI (Open Systems Interconnection)

5.1.1.1. Layer 7 : Application

5.1.1.2. Layer 6 : Presentation

5.1.1.3. Layer 5 : Session

5.1.1.4. Layer 4 : Transport

5.1.1.5. Layer 3 : Network

5.1.1.6. Layer 2 : Data Link

5.1.1.7. Layer 1 : Physical

5.1.2. TCP/IP

5.1.2.1. Application

5.1.2.2. Host-to-host (Transport)

5.1.2.3. Internet (Network)

5.1.2.3.1. CIDR

5.1.2.4. Network Interface (data/physical)

5.2. Media / Topologies

5.2.1. Typical Media

5.2.1.1. 10Base2

5.2.1.2. 10Base5

5.2.1.3. Coax

5.2.1.4. UTP/STP

5.2.1.5. Fiber

5.2.1.6. Wireless

5.2.2. Topologies

5.2.2.1. Bus

5.2.2.2. Ring

5.2.2.3. Star

5.2.2.4. Tree

5.2.2.5. Mesh

5.2.2.5.1. Full

5.2.2.5.2. Partial

5.3. Lan Protocols / Standards

5.3.1. ARP / RARP

5.3.2. 802.3 (CSMA/CD)

5.3.2.1. Ethernet

5.3.3. 802.5 (Token Ring)

5.3.4. 802.11 (Wireless)

5.3.5. 802.16 (WiMax)

5.3.6. 802.20 (Mobile WiMax)

5.4. WAN Technologies

5.4.1. Dedicated lines

5.4.2. Circuit Switched

5.4.2.1. SDH/SONET

5.4.2.2. DTM

5.4.3. Packet Switched

5.4.3.1. ATM

5.4.3.2. Gigabit Ethernet

5.4.3.3. x25

5.4.4. Token Ring

5.4.5. FDDI

5.5. The PBX

5.6. Remote Connectivity

5.6.1. PPP/SLIP

5.6.2. PPPOE

5.6.3. PAP/CHAP

5.6.4. Securing

5.6.4.1. IPSEC

5.6.4.2. VPNs

5.6.4.2.1. SKIP

5.6.4.3. SSL

5.6.4.4. NAT

5.6.4.5. swIPe

5.7. Networking Cables

5.7.1. Coaxial Cable

5.7.2. Twisted Pair

5.7.3. Fiber-Optic Cable

5.7.3.1. Core

5.7.3.2. Cladding

5.7.3.3. Jacket

5.7.4. Cable Vulnerabilities

5.7.5. Cable failure Terms

5.7.5.1. Attenuation

5.7.5.2. Crosstalk

5.7.5.3. Noise

5.8. Networking Devices

5.8.1. Repeater

5.8.2. Bridge

5.8.3. Switch

5.8.4. Router

5.8.5. Proxies

5.8.6. Gateway

5.8.7. LAN Extender

5.8.8. Screened-Host Firewall

5.8.9. Dual-Homed Host Firewall

5.8.10. Screened-Subnet Firewall

5.8.11. SOCKS

5.9. Wireless

5.9.1. IEEE Standards

5.9.1.1. 802.11a -> 802.11n

5.9.1.2. 802.1x

5.9.1.3. 802.3af

5.9.1.4. 802.16 (WiMax)

5.9.1.5. 802.15 (Bluetooth)

5.9.2. Terminology

5.9.2.1. RADIUS

5.10. Network Attacks

5.10.1. Wireless exploits

5.10.1.1. Passive Attacks

5.10.1.2. Active Attacks

5.10.1.3. Man in the Middle Attacks

5.10.1.4. Jamming Attacks

5.10.2. Countermeasures

5.10.2.1. IDS / IPS

5.10.2.2. Honeypots

5.10.2.3. Response Team

5.10.2.4. Layered Security

5.10.2.5. Firewalls

5.10.2.6. Securing Voice

6. Software Development Security

6.1. Goals

6.1.1. Software should perform its intended tasks - nothing more, nothing less

6.1.2. Develop software and systems in budget and on schedule

6.2. Open Source vs. Proprietary Code

6.3. A TCB depends on Trusted Software

6.4. Overview of programming languages

6.4.1. 1st generation: Machine or Binary code

6.4.2. 2nd generation : ASM

6.4.3. 3rd generation : Spoken language

6.4.4. Compiled / Interpreted / Hybrid

6.5. Principles of Programming

6.5.1. Modularity

6.5.2. Top-down design

6.5.3. Limited control structures

6.5.4. Limited control structures

6.5.5. Limited scope of variables

6.6. Methodologies

6.6.1. Structured Programming

6.6.2. Object-Oriented Programming

6.6.3. Computer-Aided Software Engineering (CASE) tools

6.7. Good Coding Practices

6.7.1. Least privileges

6.7.2. Hiding secrets

6.7.3. Layered defense

6.7.4. Weakest link

6.8. Development Models

6.8.1. Software Engineering Models

6.8.1.1. Simplistic Model

6.8.1.1.1. Requirements Gathering

6.8.1.1.2. Analysis

6.8.1.1.3. Design

6.8.1.1.4. Coding

6.8.1.1.5. Testing

6.8.1.2. Waterfall Model

6.8.1.2.1. System requirements

6.8.1.2.2. Software Requirements

6.8.1.2.3. Analysis

6.8.1.2.4. Program Design

6.8.1.2.5. Coding

6.8.1.2.6. Testing

6.8.1.2.7. Operations and Maintenance

6.8.1.3. Spiral Model

6.8.1.3.1. Define objectives

6.8.1.3.2. Risk analysis, prototype

6.8.1.3.3. Engineering and Testing

6.8.1.3.4. Planning

6.8.1.4. Cost Estimation Techniques

6.8.1.4.1. Delphi Technique

6.8.1.4.2. Expert Judgment

6.8.1.4.3. Function Points

6.8.1.4.4. Industry Benchmarks

6.8.1.5. Rapid Application Development (RAD)

6.8.1.6. Cleanroom Model

6.8.1.7. Iterative Development Method

6.8.1.8. Prototyping Model

6.8.1.9. System Development Life Cycle (SDLC)

6.8.1.9.1. Project initiation

6.8.1.9.2. Analysis and planning

6.8.1.9.3. System design specifications

6.8.1.9.4. Software development

6.8.1.9.5. Installation and implementation

6.8.1.9.6. Operations and maintenance

6.8.1.9.7. Disposal

6.8.1.10. The Software Capability Maturity Model

6.8.1.11. IDEAL Model

6.9. Object Oriented Programming

6.9.1. Object Oriented Concepts

6.9.1.1. Class

6.9.1.2. Data Abstraction

6.9.1.3. Inheritance

6.9.1.3.1. Child (derived) class inherits from the Parent (base) class

6.9.1.4. Polymorphism

6.9.1.5. Polyinstantiation

6.9.2. Phases of Development for Object Oriented Orientation (OOO)

6.9.2.1. Object Oriented Requirements Analysis (OORA)

6.9.2.2. Object Oriented Analysis (OOA)

6.9.2.3. Domain Analysis (DA)

6.9.2.4. Object Oriented Design (OOD)

6.9.2.5. Object Oriented Programming (OOP)

6.10. Tools and Languages

6.10.1. JAVA

6.10.2. ActiveX

6.10.3. Dynamic Data Exchange (DDE)

6.10.4. Object Linking and Embedding (OLE)

6.10.5. Component Object Model (COM) & Distributed Component Object Model (DCOM)

6.10.6. Common Object Request Broker Architecture (CORBA)

6.10.7. Expert Systems

6.11. Databases

6.11.1. Types

6.11.1.1. File-based

6.11.1.2. Hierarchical

6.11.1.3. Network

6.11.1.4. Object-Oriented

6.11.1.5. Relational

6.11.2. Terms

6.11.2.1. Database Management System

6.11.2.2. Data Definition Language

6.11.2.3. Primary Key

6.11.2.4. Foreign Key

6.11.2.5. SELECT Command

6.11.2.6. Normalization

6.11.2.7. Bind variable

6.11.2.8. Data Warehouse

6.11.2.8.1. Data Mining

6.11.2.8.2. Data Dictionary

6.11.3. Database Security

6.11.3.1. Basics of Database Security

6.11.3.1.1. Release of information

6.11.3.1.2. Modification of information

6.11.3.1.3. Denial of service

6.11.3.2. Discretionary vs Mandatory

6.11.3.2.1. Specific authorization granted and denied

6.11.3.2.2. Authorization based on assigned classification

6.11.3.3. Relational vs Object Oriented

6.11.3.3.1. Relational

6.11.3.3.2. Object

6.12. Configuration & Management

6.13. Application Vulnerabilities

6.13.1. Malicious Mobile Code

6.13.2. DNS Hijacking

6.13.3. XSS

6.13.4. SQL Injection

6.13.5. DoS DDoS

6.13.6. Flooding

6.13.7. Virus

6.13.7.1. Trojan

6.13.7.2. Polymorphic

6.13.7.3. Stealth

6.13.7.4. Retro

6.13.7.5. Boot Sector

6.13.7.6. Macro

6.13.8. Worm

7. Security Engineering

7.1. Trusted Computer Base (TCB)

7.1.1. Trusted Computer

7.1.1.1. Does what you tell it to

7.1.1.2. Only what you tell it to do

7.1.1.3. You know what it's doing

7.1.2. Trusted System

7.1.2.1. Rings of security

7.1.2.1.1. Ring 0 : trusted core OS kernel

7.1.2.1.2. Outer rings are less privileged

7.1.2.1.3. Sandbox isolates a process from CPU and file system

7.1.2.1.4. Intel Architectural Model

7.1.3. Reference Monitor

7.1.4. Security Kernel

7.1.4.1. Isolate processes

7.1.4.2. Be used on every access

7.1.4.3. Be small enough to be easily tested

7.1.5. Covert Channels

7.1.5.1. Covert Storage Channel

7.1.5.2. Covert Timing Channel

7.2. Computer Architecture

7.2.1. CPU

7.2.1.1. RISC

7.2.1.2. CISC

7.2.2. Memory

7.2.2.1. Cache

7.2.2.2. ROM

7.2.2.3. RAM

7.2.2.4. Flash

7.2.2.5. Memory Addressing

7.2.3. Buses

7.2.3.1. Serial

7.2.3.2. Parallel

7.2.4. Firmware

7.2.4.1. BIOS

7.2.4.2. Cisco IOS

7.2.5. Software

7.2.5.1. OS

7.2.5.2. Applications

7.2.5.2.1. Processes & Threads

7.3. Data Classification Models

7.3.1. Models and IT classification Frameworks

7.3.2. Compartmented Security Modes

7.3.3. Multilevel Security Mode

7.4. Access Control Models

7.4.1. Access Control

7.4.1.1. Identification

7.4.1.2. Authentication

7.4.1.3. Authorization

7.4.1.4. Terms

7.4.1.4.1. Subjects

7.4.1.4.2. Objects

7.4.1.4.3. Access

7.4.1.4.4. Access Control

7.4.2. Databases

7.4.3. Access Control Techniques

7.5. Certification / Accreditation and Evaluation

7.5.1. Certification

7.5.2. Accreditation

7.5.3. Evaluation

7.5.3.1. TCSEC

7.5.3.1.1. TCB Division

7.5.3.1.2. Orange Book

7.5.3.2. ITSEC

7.5.3.2.1. Used in Europe

7.5.3.2.2. Evaluate functionality and assurance separately

7.5.3.2.3. Rating

7.5.3.3. TNI

7.5.3.3.1. Red Book of Rainbow Series

7.5.3.4. Common Criteria

7.5.3.4.1. Eight Assurance Levels are defined (EAL0-EAL7)

8. Security Assessment & Testing

8.1. Assessment and Test Strategies

8.1.1. Software Development

8.1.2. Log Review

8.1.3. Synthetic Transactions

8.1.4. Testing

8.1.4.1. Checklist

8.1.4.2. Structured walk through

8.1.4.3. Simulation

8.1.4.4. Parallel

8.1.4.5. Full interruption

8.2. Collect Security Process Data Internal & Third-Party Audits

8.2.1. SOC Reporting Options

9. ISC2

9.1. How to get Certified

9.2. Candidate Information Bulletins

9.3. Registration

9.4. Exam

9.4.1. Day

9.4.1.1. Saturday

9.4.2. Questions

9.4.2.1. 250 multiple-choice questions

9.4.3. Tests

9.4.3.1. Cccure.org

9.4.3.2. FreePracticeTests