DC214 - Dallas, TX
    CISSP Outline

    Certified Information Systems Security Professional - CISSP

     

    10 Domains:

    1. Access Control Systems & Methodology
    2. Applications & Systems Development
    3. Business Continuity Planning
    4. Cryptography
    5. Law, Investigation & Ethics
    6. Operations Security
    7. Physical Security
    8. Security Architecture & Models
    9. Security Management Practices
    10. Telecommunications, Network & Internet Security

     

     

    250 Multiple Choice Questions in 6 Hours.

     

     

    1. Access Control Systems & Methodology

     

    Access Control Areas

    • Identification
    • Authentication
    • Authorization
    • Accountability.

     

    Access Control Models

    • Discretionary (DAC)
    • Mandatory (MAC)
    • Role-Based (RBAC)

     

     

    Access Control Methods

    • Administrative
        • Policies
        • Personnel Controls
        • Training
    • Technical
        • System Access
        • Network Access
        • Network Architecture
        • Encryption
        • Auditing
    • Physical
        • Network segregation
        • Perimeter security
        • Work area separation
        • Cabling

     

    Access Control Types

    • Preventative
        • Guards, Locks, Badges
        • Background Checks
        • Encryption, Passwords, Antivirus
    • Detective
        • Guards, CCTV
        • Audits, Job rotation
        • IDS, Audit Logs
    • Corrective
    • Deterrent
    • Recovery
    • Compensation

     

     

    Formal Access Control Models

    • Bell-LaPadula Model: Protecting confidentiality
        • Simple Security Property: No read up.
        • Security * (star) Property: No write down.
    • Biba Model: Protecting integrity
        • Simple Integrity Axiom: No read down.
        • Integrity * (star) Axiom: No write up.
    • Clark-Wilson Model: Protecting integrity
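The Bell-LaPadula and Biba rules above are easiest to remember by running them. The following is an added example (not part of the DC214 outline): a toy reference monitor that mediates reads and writes between labelled subjects and objects under both policies. The two label lattices and the sample subject/objects are constructed for the example.

```python
# Added example, not part of the DC214 outline: a toy reference monitor that
# enforces the Bell-LaPadula (confidentiality) and Biba (integrity) rules.
# The label orderings and the sample subjects/objects are constructed.
from dataclasses import dataclass

# Confidentiality lattice (higher number = more sensitive).
CONFIDENTIALITY = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}
# Integrity lattice (higher number = more trustworthy).
INTEGRITY = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str   # Bell-LaPadula label
    integrity: str   # Biba label


@dataclass(frozen=True)
class Obj:
    name: str
    classification: str  # Bell-LaPadula label
    integrity: str       # Biba label


def dominates(lattice, a, b):
    """True if label a is at or above label b in the given lattice."""
    return lattice[a] >= lattice[b]


def blp_allows(subject, obj, op):
    """Bell-LaPadula protects confidentiality.

    Simple Security Property (no read up): read only if the subject's
    clearance dominates the object's classification.
    * (star) Property (no write down): write only if the object's
    classification dominates the subject's clearance.
    """
    if op == "read":
        return dominates(CONFIDENTIALITY, subject.clearance, obj.classification)
    if op == "write":
        return dominates(CONFIDENTIALITY, obj.classification, subject.clearance)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject, obj, op):
    """Biba protects integrity and is the dual of Bell-LaPadula.

    Simple Integrity Axiom (no read down): read only from objects whose
    integrity dominates the subject's (don't consume less trusted data).
    Integrity * Axiom (no write up): write only to objects whose integrity
    the subject dominates (don't contaminate more trusted data).
    """
    if op == "read":
        return dominates(INTEGRITY, obj.integrity, subject.integrity)
    if op == "write":
        return dominates(INTEGRITY, subject.integrity, obj.integrity)
    raise ValueError(f"unknown operation {op!r}")


def reference_monitor(subject, obj, op):
    """Mediate every access: permit only when both policies agree."""
    return blp_allows(subject, obj, op) and biba_allows(subject, obj, op)


def decision_table(subject, objects):
    """Return {(object name, op): (blp, biba, combined)} for inspection."""
    table = {}
    for obj in objects:
        for op in ("read", "write"):
            table[(obj.name, op)] = (
                blp_allows(subject, obj, op),
                biba_allows(subject, obj, op),
                reference_monitor(subject, obj, op),
            )
    return table


# Constructed sample labels.
ANALYST = Subject("analyst", clearance="secret", integrity="medium")
WAR_PLAN = Obj("war_plan", classification="top_secret", integrity="high")
PUBLIC_MEMO = Obj("public_memo", classification="unclassified", integrity="low")

if __name__ == "__main__":
    for (name, op), (blp, biba, both) in decision_table(ANALYST, [WAR_PLAN, PUBLIC_MEMO]).items():
        print(f"{ANALYST.name} {op:5} {name:12} BLP={blp!s:5} Biba={biba!s:5} monitor={both}")
```

Note the asymmetry the table exposes: Bell-LaPadula happily lets the analyst write up into the top-secret plan (it only guards confidentiality), while Biba blocks that same write because it would let a medium-integrity subject alter high-integrity data. Enforcing both at once is strict: the analyst can neither read the plan nor read the memo.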

     

    Access Control Monitoring

    • Intrusion Detection Systems (IDS):
        • Network-Based
        • Host-Based
        • Knowledge / Signature-based
        • Behaviour-based / Statistical IDS

     

     

     

    2. Applications & Systems Development

     

     

    System Development/Project Management

     

    • Project initiation
    • Functional design, analysis and planning
    • System design specifications
    • Software development
    • Installation / Implementation
    • Operational Maintenance
    • Disposal.

     

    Installation / Implementation:

    • Certification – reviewing and evaluating the security controls
    • Accreditation – acceptance of the system by key management, and an implicit acceptance of risk
    • Verification – does the product match the specification?
    • Validation – fitness or worth of a software product for its operational mission. “Verification is doing the job right, Validation is doing the right job.“

     

     

    System Life Cycle Phases:

     

    • Project Initiation:
        • Concept of project definition
        • Proposal and initial study
    • Functional design analysis and planning:
        • Requirements uncovered and defined
        • System environment specifications determined
    • System design specifications:
        • Functionality design review
        • Functionality broken down
        • Detailed planning put into place
        • Code design
    • Software development:
        • Developing and programming software
    • Installation:
        • Product installation and implementation
        • Testing and auditing
    • Maintenance support:
        • Product changes, fixes and minor modifications
    • Revision and replacement:
        • Modifying the product with revisions, or replacing it completely.

     

    Change Management

     

    Database Models:

    • Relational Database Model
    • Hierarchical Data Model
    • Distributed Data Model

     

    Relational Database Components:

    • Data Definition Language (DDL)
    • Data Manipulation Language (DML)
    • Query Language (QL)
    • Report Generator.

     

    Object-Oriented Programming

    ORBs and CORBA

    COM and DCOM

    OLE – Object Linking and Embedding

    DDE – Dynamic Data Exchange

    Distributed Computing Environment (DCE)

     

    Attacks:

    • SMURF
    • Fraggle
    • SYN Flood
    • Teardrop
    • Salami

     

    Malicious Code (MALWARE):

    • Virus
    • Worms
    • Logic Bomb
    • Trojan Horse

     

     

    3. Business Continuity Planning

     

    Disaster Recovery Planning:

     

    Phases of Development:

    • Initiation
    • Business impact analysis
    • Strategy development
    • Plan development
    • Implementation
    • Testing
    • Maintenance

     

    Elements of BCP:

    • Scope plan initiation
    • Business impact Analysis – includes vulnerability assessment
    • Business continuity plan development
    • Plan approval and implementation

     

    Business Impact Analysis:

    • Criticality Prioritization
    • Downtime Escalation
    • Resource Requirements

     

     

    Categories of Disruption:

    • Non-Disaster
    • Disaster
    • Catastrophe

     

    Off-site backup facility options:

    • Hot-Site
    • Warm-Site
    • Cold-Site

     

    Different Backup Types:

    • Incremental
    • Differential
    • Full

     

    Disaster Recovery Testing:

    • Checklist Test
    • Structured Walk-Through Test
    • Simulation Test
    • Parallel Test
    • Full Interruption Test

     

     

     

    4. Cryptography

    Cryptography Terms:

    • Cryptosystem
    • Key
    • Keyspace
    • Cryptography
    • Cryptanalysis
    • Work Factor
    • Cryptology
    • Key Clustering

     

    Goals of CryptoSystems:

    • Confidentiality
    • Authenticity
    • Integrity
    • Non Repudiation

     

    History of Cryptography

    Symmetric Cryptography

    • Data Encryption Standard (DES)
    • Triple DES (3DES)
    • Blowfish
    • IDEA
    • RC4, RC5 and RC6

     

    Asymmetric Cryptography

    • RSA
    • Elliptic Curve Cryptosystem (ECC)
    • Diffie-Hellman
    • ElGamal
    • Digital Signature Standard (DSS)

     

    Block Cipher

    Stream Cipher

    Public Key Infrastructure (PKI)

    ISAKMP

    IKE

     

    One-Way Hash:

    • MD2
    • MD4
    • MD5
    • SHA
    • SHA-1

     

    Digital Signature

     

    Cryptography Standards:

    • PEM
    • S-HTTP
    • SSL
    • PGP
    • MIME
    • S/MIME
    • SSH
    • IPSEC
    • WAP
    • WEP

     

     

    5. Law, Investigation & Ethics

     

    Two Categories:

    • Crimes against the computer
    • Crimes using a computer

     

    Title 18 of the 1992 Edition of the U.S.C.

    US Computer Fraud and Abuse Act

     

    Intellectual Property Law

    • Patent
    • Copyright
    • Trade Secret
    • Trademark

     

    HIPAA

    Electronic Monitoring

    E-mail monitoring

    Enticement vs. Entrapment

     

    Computer Security, Privacy and Crime Laws:

    • 1970 – US Fair Credit Reporting Act – consumer reporting agencies
    • 1970 – US Racketeer Influenced and Corrupt Organizations Act – racketeers influencing business
    • 1973 – US Code of Fair Information Practices – personal record keeping
    • 1974 – US Privacy Act – applies to federal agencies
    • 1980 Organization for Economic Cooperation and Development (OECD) – data collection limitations
    • 1984 – US Medical Computer Crime Act – illegal alteration of computerized medical records
    • 1984 – (Strengthened in 1986 and 1994) – First US Federal Computer Crime Law – classified defense, felony for classified information
    • 1986 (Amended 1996) – US Computer Fraud and Abuse Act – clarified 1984 law, Added three laws:
    • 1986 Electronic Communications Privacy Act – prohibits eavesdropping
    • 1987 – Computer Security Act – requires federal government to:
    • 1990 United Kingdom Misuse Act – defines computer related crimes
    • 1991 US Federal Sentencing Guidelines 
    • 1992 OECD – Guidelines to serve as Total Security Framework – laws, policies, procedures, training
    • 1994 – US Communications Assistance for Law Enforcement Act – requires communications carriers to make wiretaps possible
    • 1994 - Computer Abuse Amendments Act –
    • 1995 Council Directive Law on Data Protection for the European Union – declares EU is similar to OECD
    • 1996 – US Economic and Protection of Proprietary Information Act – industrial and corporate espionage
    • 1996 – U.S. Kennedy-Kassebaum Health Insurance Portability and Accountability Act (HIPAA)
    • 1996 National Information Infrastructure Protection Act – amended the computer fraud and abuse act patterned after the OECD.
    • GAASSP – Generally Accepted Systems Security Principles (Not laws but accepted principles of the OECD)

     

     

    Investigation

    Computer Forensic Issues

    Evidence

    Evidence Life Cycle

    Evidence Admissibility

    • Relevant
    • Legally Permissible
    • Reliable
    • Properly Identified
    • Preservation

     

    Types of Evidence

    • Best Evidence
    • Secondary evidence
    • Direct Evidence
    • Conclusive Evidence
    • Expert Opinion
    • Nonexpert Opinion
    • Circumstantial
    • Hearsay
    • Exceptions to Hearsay

     

    Export Issues with Technology

     

    Searching and Seizing Computers

    • 18 U.S.C. § 2510 – definitions
    • 18 U.S.C. § 2511 – interception and disclosure of wire, oral or electronic communications
    • 18 U.S.C. § 2701 – unlawful access to stored communications
    • 18 U.S.C. § 2702 – disclosure of contents
    • 18 U.S.C. § 2703 – requirements for governmental access
    • 18 U.S.C. § 2705 – delayed notice
    • 18 U.S.C. § 2711 – definitions
    • 18 U.S.C. § 2000aa – searches and seizures by government officers and employees in connection with

     

    Due Care

    Due Diligence

    Prudent man rule

     

    ISC2 Code of Ethics

    CISSPs Must:

    1. Conduct themselves with highest standards of ethical, moral and legal behavior
    2. Not commit any unlawful or unethical act that may impact the reputation of the profession
    3. Appropriately report unlawful behavior
    4. Support efforts to promote prudent information security measures
    5. Provide competent service to their employers and clients; avoid conflicts of interest
    6. Execute responsibilities with highest standards
    7. Not misuse information with which they come into contact during their duties

     

     

     

     

     

    6. Operations Security

     

    Categories of Controls:

    • Preventative Controls
    • Detective Controls
    • Corrective (Recovery) Controls

     

    Orange Book Controls:

    • Operational assurance requirements:
        • System architecture
        • System integrity
        • Covert channel analysis
        • Trusted facility management
        • Trusted recovery
    • Life cycle assurance requirements:
        • Security testing
        • Design specification and testing
        • Configuration management
        • Trusted distribution

     

    Administrative Controls:

    • Personnel security: background checks, mandatory vacations, etc.
    • Separation of duties.
    • Least privilege.
    • Need to know.
    • Change control / configuration management.
    • Record retention and documentation.

     

    Operations Controls:

    • Resource protection
    • Hardware controls
    • Software controls
    • Privileged Entity Controls
    • Media Resource Protection
    • Physical access controls

     

    Monitoring and Auditing

     

     

    7. Physical Security

     

    Major causes of physical loss:

    • Temperature: Sunlight, fire, freezing, heat.
    • Gases: War gases, vapors, humidity, dry air, smoke, smog.
    • Liquids: Water and chemicals
    • Organisms: People, animals, viruses, bacteria
    • Projectiles: Meteors, cars and trucks, bullets, tornados
    • Movement: Collapse, shearing, shaking, earthquakes
    • Energy Anomalies: Surges or power failures, static, radiation, magnets.

     

    Administrative:

    • Facility selection or construction
    • Facility management
    • Personnel controls
    • Training
    • Emergency response and procedures

     

    Technical:

    • Access controls
    • Intrusion detection
    • Alarms
    • CCTV
    • HVAC
    • Power supply.
    • Fire detection

     

    Physical:

    • Fencing
    • Locks
    • Lighting
    • Facility construction

     

    Power Supply:

    • Ground
    • Noise
    • Transient Noise
    • Clean Power
    • EMI
    • RFI
    • Power Excess:
        • Spike: Momentary high voltage.
        • Surge: Prolonged high voltage.
    • Power Loss:
        • Fault: Momentary power out.
        • Blackout: Prolonged loss of power.
    • Power Degradation:
        • Sag: Momentary low voltage.
        • Brownout: Prolonged supply below normal voltage.

     

    Fire Detection:

    • Smoke
    • Heat
    • Flame
    • Combustion Particles

     

    Types of Fire:

    • A: Common combustibles such as wood, paper, laminates. Best fought with water or soda acid.
    • B: Liquid fires such as petroleum products and coolants. Best fought with Gas (Halon), CO2, Soda Acid.
    • C: Electrical equipment and wires. Best fought with Gas (Halon) or CO2.
    • D: Combustible metals. Best fought with Dry Powder.

     

    Water Sprinklers

    • Wet Pipe
    • Dry Pipe
    • Preaction
    • Deluge

     

    Emergency Response and procedures:

    • Evacuation procedures
    • System shutdown
    • Training and drills
    • Integrate with disaster recovery plans
    • Documented procedures for different types of emergencies
    • Periodic equipment tests

     

    External Boundary Protection:

    • Fencing
    • Lighting
    • Surveillance

     

    Cipher Locks

    Device Locks

    Magnetic Cards

    Wireless Proximity readers

    Guards

    Dogs

     

    8. Security Architecture & Models

     

    CPU:

    • ALU
    • Control Unit
    • Primary Storage

     

    Protection Rings: 

    • Ring 0 : Operating system & Kernel
    • Ring 1 : Remaining parts of operating system
    • Ring 2 : I/O drivers and utilities
    • Ring 3 : Applications and programs.

     

    Process Vs Thread

    Memory Addressing Modes:

    • Register
    • Direct
    • Absolute
    • Indexed
    • Implied
    • Indirect

     

    Processing Methods

    • Pipelining
    • CISC
    • RISC
    • Scalar Processor
    • Superscalar Processor
    • Very Long Instruction Word (VLIW) Processor

     

    Trusted Computer Base

    Reference Monitor

    Security Kernel

    Domains

    Resource Isolation

     

    Security Modes of Operation

    • Dedicated Security Mode
    • System-High Security Mode
    • Compartmented Security Mode
    • Multilevel Security Mode
    • Limited Access
    • Controlled Access
    • Trust

     

    The “Orange“ Book:

    The US Department of Defense developed TCSEC (Trusted Computer Systems Evaluation Criteria).

    • D – Minimal Protection
    • C – Discretionary Protection
        • C1 : Discretionary Security Protection
        • C2 : Controlled Access Protection
    • B – Mandatory Protection
        • B1 : Labeled Security
        • B2 : Structured Protection
        • B3 : Structured Domains
    • A – Verified Protection
        • A1 : Verified Design

     

    Evaluation Criteria on Security Policy, Accountability, Assurance and Documentation:

    1. Security policy – explicit, well defined, enforced by mechanisms in the system itself.
    2. Identification – individual subjects must be uniquely identified in the system.
    3. Labels – labels must be associated with individual objects.
    4. Documentation – test, design and specification documentation. User guides and manuals.
    5. Accountability – audit data is captured and protected. Relies on identification.
    6. Life Cycle Assurance – Software, hardware and firmware can be tested individually to ensure that each enforces security policy.
    7. Continuous Protection – Ongoing review and maintenance of the security.

     

    The “Red“ Book

    DITSCAP

    NIACAP

    CIAP

     

    ITSEC – Information Technology Security Evaluation Criteria

    This accreditation system is used in Europe.

    • E0 : Inadequate assurance to qualify for E1.
    • E1 : Informal definition of the TOE architectural design. TOE satisfies functional testing.
    • E2 : E1 + informal description of the detailed design. Configuration control and approved distribution procedure.
    • E3 : E2 + source code and/or drawings have been evaluated.
    • E4 : E3 + a formal model of the security policy.
    • E5 : E4 + close correspondence between detailed design and source code/drawings.
    • E6 : E5 + formal specification of security enforcing functions. Consistency with the formal security policy model.

     

     

     

    Threats:

    • Covert Channels
    • Back Doors
    • Timing Issues
    • Buffer Overflows

     

    Recovery Procedures:

    • Failsafe
    • Failsoft (resilient)
    • Failover

    Cold start

     

    9. Security Management Practices

     

    Control Types:

    • Administrative
    • Technical
    • Physical

     

    Security Terms:

    • Vulnerability
    • Threat
    • Risk
    • Exposure
    • Countermeasure

     

    Risk management questions:

    • Identify assets – What am I trying to protect?
    • Identify threats – What am I trying to protect against?
    • Calculating risks – How much time, effort & money am I willing to spend on

     

    4 basic elements to risk management:

    • Quantitative risk analysis
    • Qualitative risk analysis
    • Asset valuation process
    • Safeguard selection

     

    Quantitative risk analysis:

    • SLE – Single loss expectancy
    • EF – Exposure factor
        • Asset value * Exposure factor (EF) = SLE
    • ARO – Annualized rate of occurrence
    • ALE – Annualized loss expectancy
        • Single loss expectancy (SLE) * Annualized rate of occurrence (ARO) = ALE
    • Safeguard value
        • (ALE before safeguard) – (ALE after safeguard) – (Annual cost of safeguard) = Safeguard value to the company
    • Residual risk
        • Threats * Vulnerability * Asset value = Total risk
        • (Threats * Vulnerability * Asset value) * Control gap = Residual risk
    • Asset
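The formulas above become concrete once they are applied to a scenario and used to rank safeguards against each other. The following is an added example (not part of the DC214 outline) that implements SLE, ALE, safeguard value and residual risk and compares two candidate safeguards; the asset value, exposure factors, occurrence rates and safeguard costs are constructed numbers for the example.

```python
# Added example, not part of the DC214 outline: the quantitative risk
# formulas (SLE, ALE, safeguard value, residual risk) applied to a
# constructed scenario so that candidate safeguards can be compared.
from dataclasses import dataclass


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    ef_after: float    # exposure factor with the safeguard in place
    aro_after: float   # annualized rate of occurrence with the safeguard in place


def sle(asset_value, ef):
    """Single loss expectancy: Asset value * Exposure factor."""
    return asset_value * ef


def ale(asset_value, ef, aro):
    """Annualized loss expectancy: SLE * ARO."""
    return sle(asset_value, ef) * aro


def safeguard_value(asset_value, ef, aro, safeguard):
    """(ALE before safeguard) - (ALE after safeguard) - (annual cost of safeguard)."""
    before = ale(asset_value, ef, aro)
    after = ale(asset_value, safeguard.ef_after, safeguard.aro_after)
    return before - after - safeguard.annual_cost


def best_safeguard(asset_value, ef, aro, candidates):
    """Pick the candidate with the highest value; None if no candidate pays for itself."""
    value, chosen = max(
        ((safeguard_value(asset_value, ef, aro, sg), sg) for sg in candidates),
        key=lambda pair: pair[0],
    )
    return chosen if value > 0 else None


def residual_risk(threats, vulnerability, asset_value, control_gap):
    """Total risk = threats * vulnerability * asset value; residual = total * control gap."""
    total_risk = threats * vulnerability * asset_value
    return total_risk * control_gap


# Constructed scenario: a file server worth $500,000 whose loss event destroys
# 25% of its value and is expected once every two years (ARO = 0.5).
ASSET_VALUE = 500_000
EF = 0.25
ARO = 0.5
CANDIDATES = [
    Safeguard("offsite backups", annual_cost=15_000, ef_after=0.05, aro_after=0.5),
    Safeguard("redundant SAN", annual_cost=60_000, ef_after=0.02, aro_after=0.5),
]

if __name__ == "__main__":
    print("SLE:", sle(ASSET_VALUE, EF))          # 125000.0
    print("ALE:", ale(ASSET_VALUE, EF, ARO))     # 62500.0
    for sg in CANDIDATES:
        print(f"{sg.name}: value {safeguard_value(ASSET_VALUE, EF, ARO, sg):,.0f}")
    print("best:", best_safeguard(ASSET_VALUE, EF, ARO, CANDIDATES).name)
```

The point of the comparison is that the more effective control is not automatically the better one: the redundant SAN cuts the ALE further, but its annual cost exceeds the loss it avoids, so its safeguard value is negative and the cheaper backups win.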

     

     

    Qualitative risk analysis:

     

    Handling Risk:

    Transferring : Insurance

    Rejecting : Deny or ignore the risk.

    Reducing : Implementing countermeasures.

    Accepting : Live with the risk.

     

    Security Policy

    Standards

    Baseline

    Guidelines

    Procedures

     

    Change control:

    • Applying to introduce a change
    • Cataloging the intended change
    • Scheduling the change
    • Implementing the change
    • Reporting the change to appropriate parties

     

     

     

    10. Telecommunications, Network & Internet Security

    OSI Model

    • Application
        • SMTP, HTTP, LPD, FTP, WWW, Telnet, TFTP
    • Presentation
        • ASCII, JPEG, TIF, GIF, Encryption, Compression, MIDI, MPEG
    • Session
        • SSL, NFS, SQL, RPC
    • Transport
        • TCP, UDP, SPX
    • Network
        • IP, ICMP, RIP, IGMP, OSPF, BGP
    • Data Link
        • SLIP, PPP, RARP, L2F, L2TP, ISDN, ARP
    • Physical
        • RS232, SONET, HSSI, X.21

     

    TCP/IP

    Protocols

    • 1 - ICMP
    • 2 - IGMP
    • 6 - TCP
    • 17 - UDP

     

     

    General Classes of Network Abuse:

    • Class A: Unauthorized access of restricted network services
    • Class B: Unauthorized use of a network for non-business purposes.
    • Class C: Eavesdropping
    • Class D: DOS and other disruptions
    • Class E: Network Intrusion
    • Class F: Probing

     

    Ethernet

    • 10base2: ThinNet. Co-Axial
    • 10base5: ThickNet. Co-Axial
    • 10baseT: Twisted-pair copper wiring.
    • Fast Ethernet: Twisted-pair wiring.

     

    Token Ring

    • 802.5 standard, originally developed by IBM
    • Signal travels in a logical ring
    • Each computer is connected to a hub called a Multistation Access Unit (MAU)
    • 16 Mbps capacity
    • Active Monitor – removes frames that are continually circulating
    • Beaconing – attempts to work around errors.

     

    FDDI – 802.8

    • Fiber Distributed Data Interface
    • Developed by ANSI
    • High speed token-passing media access technology
    • Speed of 100 Mbps – usually used as a backbone network using fiber optics.
    • Fault tolerance – second counter-rotating ring.
    • Can be used up to 100 km, so popular in MANs
    • CDDI (copper distributed data interface) is a version that can be used locally.
    • 802.8 standard.

     

    Cable Types:

    • Co-Axial
    • Twisted Pair
    • Fiber Optic

     

    TYPES OF TRANSMISSION

    • Analog Signals
    • Digital Signals
    • Asynchronous
    • Synchronous
    • Baseband
    • Broadband
    • Unicast
    • Multicast
    • Broadcast

     

     

     

    Network Topology:

    • Ring Topology
    • Bus Topology
    • Star Topology
    • Mesh Topology

     

    NETWORKING DEVICES

    • Repeaters
    • Bridges
    • Hubs
    • Routers
    • Switches
    • VLAN
    • Brouter
    • Gateways
    • PBX
    • ATM Switch

     

    Firewalls

    • Packet Filtering
    • Stateful Packet Filtering
    • Proxy Firewalls
    • Application Level
    • Circuit Level
    • SOCKS

     

    FIREWALL ARCHITECTURE:

    • Bastion Host
    • Screened Host
    • Screened Subnet

     

    Intranet

    Extranet

    WAN

    MAN

    LAN

    T1

    T3

    DS0

    DS1

    DS3

    S/WAN

    ADSL

    SDSL

    HDSL

    VDSL

    CSU/DSU

    Frame Relay

    X.25

    ISDN

    BRI

    PRI

    VPN

    PPTP

    L2TP

    IPSEC

    PPP

    PAP, CHAP, EAP, LEAP

     

    RAID

    • Level 0: Striping
    • Level 1: Mirroring
    • Level 2: Hamming Code Parity
    • Level 3: Byte Level Parity
    • Level 4: Block Level Parity
    • Level 5: Interleave Parity
    • Level 6: Second Parity Data
    • Level 10: Level 1 + Level 0
    • Level 15: Level 5 + Level 1
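The parity that RAID levels 3, 4 and 5 rely on is simply the XOR of the data blocks in a stripe, which is why a single failed disk can be rebuilt from the survivors and why a second failure needs RAID 6's extra parity. The following is an added example (not part of the DC214 outline) that builds a stripe, rebuilds a lost block, and shows how RAID 5 interleaves the parity across disks; the block contents and disk count are constructed for the example.

```python
# Added example, not part of the DC214 outline: the XOR parity behind
# RAID levels 3, 4 and 5. Block contents and disk counts are constructed.


def parity_block(blocks):
    """XOR equal-length blocks together; this is the parity block of a stripe."""
    size = len(blocks[0])
    if any(len(b) != size for b in blocks):
        raise ValueError("all blocks in a stripe must be the same size")
    out = bytearray(size)
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def build_stripe(data_blocks):
    """RAID 3/4 layout: data blocks followed by one parity block on a dedicated disk."""
    return list(data_blocks) + [parity_block(data_blocks)]


def rebuild_block(stripe, failed_index):
    """Reconstruct one failed block (data or parity): XOR of every surviving block."""
    survivors = [b for i, b in enumerate(stripe) if i != failed_index]
    return parity_block(survivors)


def raid5_layout(stripes):
    """RAID 5 interleaves parity: stripe k puts its parity on disk (n - 1 - k) mod n."""
    n = len(stripes[0]) + 1   # data disks plus one parity slot per stripe
    disks = [[] for _ in range(n)]
    for k, data in enumerate(stripes):
        parity_disk = (n - 1 - k) % n
        parity = parity_block(data)
        remaining = iter(data)
        for d in range(n):
            disks[d].append(parity if d == parity_disk else next(remaining))
    return disks


def recoverable(failed_disks):
    """Single parity tolerates one failed disk; RAID 6's second parity would allow two."""
    return len(failed_disks) <= 1


# Constructed stripe: three data disks plus parity.
DATA = [b"AAAA", b"BBBB", b"CCCC"]
STRIPE = build_stripe(DATA)   # parity is b"@@@@" (0x41 ^ 0x42 ^ 0x43 == 0x40)

if __name__ == "__main__":
    print("stripe:", STRIPE)
    print("disk 1 rebuilt:", rebuild_block(STRIPE, 1))
    print("parity disk rebuilt:", rebuild_block(STRIPE, 3))
    print("RAID 5 layout:", raid5_layout([DATA, [b"DDDD", b"EEEE", b"FFFF"]]))
```

Rebuilding uses the same XOR as generating parity, which is the whole trick: XOR is its own inverse, so the missing block is whatever is needed to make the stripe XOR to zero. Level 4 keeps all parity on one disk (a write bottleneck); level 5 rotates it, as `raid5_layout` shows.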

     

    Wireless… (see Rusty's Paper)

     

     

     

    Phone Phreakers

    • Blue boxing
    • Red boxes
    • Black boxes