Fundamentals of Information Systems Security

From Wikibooks, open books for an open world

This book's objective is to have a quick but in-depth review of the topics required to pass the Certified Information Systems Security Professional (CISSP)[1] exam.

Physical and Environmental Security

Physical (Environmental) Security Challenges

  • Threats and Vulnerabilities
  • Threat Types
  • Vulnerabilities

Site Location

  • Site Fabric and Infrastructure

The Layered Defense Model

Physical Considerations

Working with Others to Achieve Physical and Procedural Security

Physical and Procedural Security Methods, Tools, and Techniques

Procedural Controls

Infrastructure Support Systems

Fire Prevention, Detection, and Suppression

Boundary Protection

Building Entry Points

Keys and Locking Systems

Walls, Doors, and Windows

Access Controls

Closed-Circuit Television (CCTV)

Intrusion Detection Systems

Portable Device Security

Asset and Risk Registers

Information Protection and Management Services

  • Managed Services
  • Audits, Drills, Exercises, and Testing
  • Vulnerability and Penetration Tests
  • Maintenance and Service Issues
  • Education, Training, and Awareness

Information Security and Risk Management

  • Security Program
  • Security Controls
  • The Elements of Security

Core Information Security Principles

  • Confidentiality
  • Integrity
  • Availability

Information Security Management Governance

  • Security Governance
  • Security Policies, Procedures, Standards, Guidelines, and Baselines
  • Organizational Security Models

Organizational Behavior

  • Organizational Structure Evolution
  • Best Practices
  • Security Roles and Responsibilities
  • Reporting Model
  • Enterprise-wide Security Oversight

Security Awareness, Training, and Education

  • Conducting A Formal Security Awareness Training
  • Awareness Activities and Methods

Information Risk Management

  • Risk Management Concepts
  • Risk Handling Strategies
  • Risk Assessment/Analysis

Information Classification

  • Introduction
  • Classification Types
  • Guidelines for Information Classification
  • Criteria for Information Classification
  • Data Classification Procedures
  • Classification Controls

Ethics

  • Basic Concepts
  • Professional Code of Ethics
  • Example Topics in Computer Ethics
  • Common Computer Ethics Fallacies
  • Hacking and Hacktivism

Access Control Systems

  • Access Control Challenges
  • Access Control Principles
  • Access Control Criteria
  • Access Control Practices

Security Principles

Identification, Authentication, and Authorization

  • Identification and Authentication
  • Identity Management

Access Control Categories

  • Administrative
  • Physical
  • Technical

Access Control Types

Access Control Threats

  • Denial of Service (DoS/DDoS)
  • Buffer Overflows
  • Malicious Software
  • Password Crackers
  • Spoofing/Masquerading
  • Emanations
  • Shoulder Surfing
  • Object Reuse
  • Data Remanence
  • Backdoor/Trapdoor
  • Dictionary Attacks
  • Brute-Force Attacks
  • Social Engineering

Access Control Technologies

  • Single Sign-On
  • Kerberos
  • SESAME
  • Security Domain
  • Thin Clients

Access Control Models

  • Discretionary Access Control
  • Mandatory Access Control
  • Non-Discretionary or Role-Based Access Control
  • DAC vs. MAC vs. RBAC

Access Control Techniques

  • Rule-Based Access Control
  • Constrained User Interface
  • Access Control Matrix
  • Content-Dependent Access Control
  • Context-Dependent Access Control

Access Control Administration

  • Centralized Access Control
  • Decentralized Access Control

Access Control Monitoring (IDS/IPS)

  • Intrusion Detection Systems
  • Intrusion Prevention System

Access Control Assurance

  • Basic Concepts

Cryptography

Security Architecture and Design

Computer System Architecture

  • Central Processing Unit (CPU)
  • Storage
  • Operating Systems
  • Firmware
  • Virtual Machines

Systems Security Architecture

  • Security Design Principles
  • Trusted Computing Base

Security Models

  • Lattice Models
  • State Machine Models
  • Noninterference Models
  • Bell-LaPadula Confidentiality Model
  • Biba Integrity Model
  • Clark-Wilson Integrity Model
  • Access Control Matrix
  • Information Flow Models
  • Graham-Denning Model
  • Harrison-Ruzzo-Ullman Model
  • Brewer-Nash (Chinese Wall) Model

Security Product Evaluation Methods and Criteria

  • Rainbow Series
  • Information Technology Security Evaluation Criteria (ITSEC)
  • Common Criteria
  • Certification and Accreditation

Business Continuity and Disaster Recovery Planning

Introduction

Core Information Security Principles: Availability, Integrity, Confidentiality (AIC)

Why Continuity Planning?

Reality of Terrorist Attack

Natural Disasters

Internal and External Audit Oversight

Legislative and Regulatory Requirements

Industry and Professional Standards

NFPA 1600

ISO 17799

Defense Security Service (DSS)

National Institute of Standards and Technology (NIST)

Good Business Practice or the Standard of Due Care

Enterprise Continuity Planning and Its Relationship to Business Continuity and Disaster Recovery Planning

Revenue Loss

Extra Expense

Compromised Customer Service

Embarrassment or Loss of Confidence Impact

Hidden Benefits of Continuity Planning

Organization of the BCP/DRP Domain Chapter

Project Initiation Phase

Current State Assessment Phase

Design and Development Phase

Implementation Phase

Management Phase

Project Initiation Phase Description

Project Scope Development and Planning

Executive Management Support

BCP Project Scope and Authorization

Executive Management Leadership and Awareness

Continuity Planning Project Team Organization and Management

Disaster or Disruption Avoidance and Mitigation

Project Initiation Phase Activities and Tasks Work Plan

Current State Assessment Phase Description

Understanding Enterprise Strategy, Goals, and Objectives

Enterprise Business Processes Analysis

People and Organizations

Time Dependencies

Motivation, Risks, and Control Objectives

Budgets

Technical Issues and Constraints

Continuity Planning Process Support Assessment

Threat Assessment

Risk Management

Business Impact Assessment (BIA)

Benchmarking and Peer Review

Sample Current State Assessment Phase Activities and Tasks Work Plan

Development Phase Description

Recovery Strategy Development

Work Plan Development

Develop and Design Recovery Strategies

Data and Software Backup Approaches

DRP Recovery Strategies for IT

BCP Recovery Strategies for Enterprise Business Processes

Developing Continuity Plan Documents and Infrastructure Strategies

Developing Testing/Maintenance/Training Strategies

Plan Development Phase Description

Building Continuity Plans

Contrasting Crisis Management and Continuity Planning Approaches

Building Crisis Management Plans

Testing/Maintenance/Training Development Phase Description

Developing Continuity and Crisis Management Process Training and Awareness Strategies

Sample Phase Activities and Tasks Work Plan

Implementation Phase Description

Analyze CPPT Implementation Work Plans

Program Short- and Long-Term Testing

Continuity Plan Testing (Exercise) Procedure Deployment

Program Training, Awareness, and Education

Emergency Operations Center (EOC)

Management Phase Description

Program Oversight

Continuity Planning Manager Roles and Responsibilities

Terminology

References

Sample Questions

Appendix A: Addressing Legislative Compliance within Business Continuity Plans

HIPAA

GLB

Patriot Act

Other Issues

OCC Banking Circular 177

Telecommunications and Network Security

Introduction

Basic Concepts

Network Models

OSI Reference Model

TCP/IP Model

Network Security Architecture

The Role of the Network in IT Security

Network Security Objectives and Attack Modes

Methodology of an Attack

Network Security Tools

Layer 1: Physical Layer

Concepts and Architecture

Communication Technology

Network Topology

Technology and Implementation

Cable

Twisted Pair

Coaxial Cable

Fiber Optics

Patch Panels

Modems

Wireless Transmission Technologies

Layer 2: Data-Link Layer

Concepts and Architecture

Architecture

Transmission Technologies

Technology and Implementation

Ethernet

Wireless Local Area Networks

Address Resolution Protocol (ARP)

Point-to-Point Protocol (PPP)

Layer 3: Network Layer

Concepts and Architecture

Local Area Network (LAN)

Wide Area Network (WAN) Technologies

Metropolitan Area Network (MAN)

Global Area Network (GAN)

Technology and Implementation

Routers

Firewalls

End Systems

Internet Protocol (IP)

Virtual Private Network (VPN)

Tunneling

Dynamic Host Configuration Protocol (DHCP)

Internet Control Message Protocol (ICMP)

Internet Group Management Protocol (IGMP)

Layer 4: Transport Layer

Concepts and Architecture

Transmission Control Protocol (TCP)

User Datagram Protocol (UDP)

Technology and Implementation

Scanning Techniques

Denial of Service

Layer 5: Session Layer

Concepts and Architecture

Technology and Implementation

Remote Procedure Calls

Directory Services

Access Services

Layer 6: Presentation Layer

Concepts and Architecture

Technology and Implementation

Transport Layer Security (TLS)

Layer 7: Application Layer

Concepts and Architecture

Technology and Implementation

Asynchronous Messaging (E-mail and News)

Instant Messaging

Data Exchange (World Wide Web)

Peer-to-Peer Applications and Protocols

Administrative Services

Remote-Access Services

Information Services

Voice-over-IP (VoIP)

General References

Sample Questions

Endnotes

Application Security

Domain Description and Introduction

Current Threats and Levels

Application Development Security Outline

Expectation of the CISSP in This Domain

Applications Development and Programming Concepts and Protection

Current Software Environment

Open Source

Full Disclosure

Programming

Process and Elements

The Programming Procedure

The Software Environment

Threats in the Software Environment

Buffer Overflow

Citizen Programmers

Covert Channel

Malicious Software (Malware)

Malformed Input Attacks

Memory Reuse (Object Reuse)

Executable Content/Mobile Code

Social Engineering

Time of Check/Time of Use (TOC/TOU)

Trapdoor/Backdoor

Application Development Security Protections and Controls

System Life Cycle and Systems Development

Systems Development Life Cycle (SDLC)

Software Development Methods

Java Security

Object-Oriented Technology and Programming

Object-Oriented Security

Distributed Object-Oriented Systems

Software Protection Mechanisms

Security Kernels

Processor Privilege States

Security Controls for Buffer Overflows

Controls for Incomplete Parameter Check and Enforcement

Memory Protection

Covert Channel Controls

Cryptography

Password Protection Techniques

Inadequate Granularity of Controls

Control and Separation of Environments

Time of Check/Time of Use (TOC/TOU)

Social Engineering

Backup Controls

Software Forensics

Mobile Code Controls

Programming Language Support

Audit and Assurance Mechanisms

Information Integrity

Information Accuracy

Information Auditing

Certification and Accreditation

Information Protection Management

Change Management

Configuration Management

Malicious Software (Malware)

Malware Types

Viruses

Worms

Hoaxes

Trojans

Remote-Access Trojans (RATs)

DDoS Zombies

Logic Bombs

Spyware and Adware

Pranks

Malware Protection

Scanners

Activity Monitors

Change Detection

Antimalware Policies

Malware Assurance

The Database and Data Warehousing Environment

DBMS Architecture

Hierarchical Database Management Model

Network Database Management Model

Relational Database Management Model

Object-Oriented Database Model

Database Interface Languages

Open Database Connectivity (ODBC)

Java Database Connectivity (JDBC)

eXtensible Markup Language (XML)

Object Linking and Embedding Database (OLE DB)

Accessing Databases through the Internet

Data Warehousing

Metadata

Online Analytical Processing (OLAP)

Data Mining

Database Vulnerabilities and Threats

DBMS Controls

Lock Controls

Other DBMS Access Controls

View-Based Access Controls

Grant and Revoke Access Controls

Security for Object-Oriented (OO) Databases

Metadata Controls

Data Contamination Controls

Online Transaction Processing (OLTP)

Knowledge Management

Web Application Environment

Web Application Threats and Protection

Summary

References

Sample Questions

Operations Security

Introduction

Privileged Entity Controls

Operators

Ordinary Users

System Administrators

Security Administrators

File Sensitivity Labels

System Security Characteristics

Clearances

Passwords

Account Characteristics

Security Profiles

Audit Data Analysis and Management

System Accounts

Account Management

Resource Protection

Facilities

Hardware

Software

Documentation

Threats to Operations

Disclosure

Destruction

Interruption and Nonavailability

Corruption and Modification

Theft

Espionage

Hackers and Crackers

Malicious Code

Control Types

Preventative Controls

Detective Controls

Corrective Controls

Directive Controls

Recovery Controls

Deterrent Controls

Compensating Controls

Control Methods

Separation of Responsibilities

Least Privilege

Job Rotation

Need to Know

Security Audits and Reviews

Supervision

Input/Output Controls

Antivirus Management

Media Types and Protection Methods

Object Reuse

Sensitive Media Handling

Marking

Handling

Storing

Destruction

Declassification

Misuse Prevention

Record Retention

Continuity of Operations

Fault Tolerance

Data Protection

Software

Hardware

Communications

Facilities

Problem Management

System Component Failure

Power Failure

Telecommunications Failure

Physical Break-In

Tampering

Production Delay

Input/Output Errors

System Recovery

Intrusion Detection System

Vulnerability Scanning

Business Continuity Planning

Change Control Management

Configuration Management

Production Software

Software Access Control

Change Control Process

Requests

Impact Assessment

Approval/Disapproval

Build and Test

Notification

Implementation

Validation

Documentation

Library Maintenance

Patch Management

Summary

References

Sample Questions

Legal, Regulations, Compliance, and Investigations

Introduction

Major Legal Systems

Common Law

Criminal Law

Tort Law

Administrative Law

Civil Law

Customary Law

Religious Law

Mixed Law

Information Technology Laws and Regulations

Intellectual Property Laws

Patent

Trademark

Copyright

Trade Secret

Licensing Issues

Privacy

Liability

Computer Crime

International Cooperation

Incident Response

Response Capability

Incident Response and Handling

Triage

Investigative Phase

Containment

Analysis and Tracking

Recovery Phase

Recovery and Repair

Debriefing/Feedback

Computer Forensics

Crime Scene

Digital/Electronic Evidence

General Guidelines

Conclusions

References

Sample Questions

References:

  1. https://www.isc2.org/