Transcript Part I: Focused Review of the CISSP Ten Domains.

ISQS 3360
Telecomm Security
John R. Durrett, Ph.D.
Fall 2010
Various Security Videos
Course Overview

Why the CISSP Exam Review

Web Site

Contacting Me

Grading
Why







In CyberWar, China is Just a Skirmish
Sony Rootkit of 2005
Data theft at BlueCross
Crackers & Open Sources Methods
Schneier on Security
Security News Portal
Current Vulnerabilities
How to Worry about Linux Security
(Linux Journal 8/28/06)

“Worry about a networked system is good,
the trick is to worry about the right things &
to act on our worries”

Folks you should worry about

Weapons you should worry about

Vulnerabilities You Should Worry About

How to channel worries into constructive
action
Folks You Should Worry About

Mostly work you way outward, but
once in awhile look from cracker's
viewpoint




Identity Thieves Resource Thieves
Malicious Code
Vandals
Corporate Spies Stalkers
Not all crackers are remote: INSIDERS
Weapons You Should Worry About

Mid 90's weapon was cracker at PC
(or)



Direct interaction: attacker – victim
Usually correct, sometimes not
Today vast majority are automated


viruses, trojans and worms
botnet:



spammers paid per distribution node
DdoSers, Phishers
Crackers still here but most are “script kiddies”
Vulnerabilities
You Should Worry About

a threat equals an attacker plus some
vulnerability


If a vulnerability cannot be exploited it
does not constitute a risk
No such thing as a completely
invulnerable system but can lower %
Common types of vulnerabilities




Bugs in user-space software (applications)
Bugs in system software
(kernel, drivers/modules, etc.)
Extraneous user accounts
Extraneous software
(with bugs or sloppy/default settings)

Unused security features in applications

Unused security features in the OS

Gullible users
Recipe
to convert worry to action
1. Define system function
Sun Tzu: analyze terrain you need to defend
2. Prioritize types of attacks most likely
3. What data/resources most likely target
4. What vulnerabilities give access to #3
5. How can I lower/remove vulnerability
CISSP

International Information Systems
Security Consortium (ISC)2


Common Body of Knowledge


https://www.isc2.org/cgi-bin/content.cgi?category=1314
Ten Domains: created to establish a
common communications platform
CISSP:

NOT THE PURPOSE of THIS COURSE
Ten Domains
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Security Management Practices
Access Control Systems
Telecommunications & Network Security
Cryptography
Security Architecture & Modules
Operations Security
Applications & Systems Development
Business Continuity & Disaster Recovery
Law, Investigation & Politics
Physical Security
Ch 1:
Security Management Practices






Basic Security Concepts
Policies, Standards, Guidelines, &
Procedures
Roles played in security management
Security Awareness
Risk Management
Data & Information Classification
Ch 2:
Access Control Systems
A means of ensuring a system’s C.I.A
(Confidentiality, Integrity, &
Availability)
given the threats, vulnerabilities, &
risks its infrastructure
Ch 3 :
Telecommunications & Network Security








C.I.A. as it applies to Network Security
Protocols & Layered Network Architectures
OSI and TCP/IP
TCP/IP protocol architecture
IP addressing & Routing
TCP
Applications
IPv6
Ch 4 :
Cryptography

Purpose: to protect transmitted
information from being read or
altered by non authorized subjects
Ch 5 :
Security Architecture & Models

“The security architecture of an
information system is fundamental to
enforcing an organization’s
information security policy.”
Ch 6 :
Operations Security

“Controls over the hardware in a
computing facility, over the data
media used, and over the operators
using these resources.”



Controls & Protections needed to insure
CIA
Monitoring & Auditing above Controls
Threats & Vulnerabilities
Ch 7 :
Application & System Development

A very brief overview of the SDLC and
the security issues involved.






Generic Systems Engineering
Waterfall Model, Spiral Model
Cost Estimations Models
Security Components of the Models
Agile Development, AI Systems
Database, BI, & Application Controls
Ch 8 : Business Continuity &
Disaster Recovery Planning

Assumes the Worst Has Happened
Preparation, testing, & updating of actions required to
protect critical business processes from the effects of
major system & network failures
Buss Continuity (BCP)
Disaster Recovery (DRP)
Plan initiation
Planning
Bus. Impact Assess. (BIA)
Testing
Plan Development
Specific Procedures
Ch 9 :
Law, Investigation, & Ethics

What laws apply to computer crimes,
how to determine a crime has
occurred, how to preserve evidenced,
conduct an investigation, & what are
the liabilities.
Ch 10:
Physical Security




“Least sexy of the 10 domains but the
best firewall in the world will not
stand up to a well placed brick.”
Addresses threats, vulnerabilities,
countermeasures to physically protect
org’s resources & sensitive info
Natural disasters
Unauthorized entry and/or theft
“The World is Flat”
by Thomas Friedman

Internet, High bandwidth,
Ubiquitous Global Connectivity
Outsourcing
Education

http://www.thomaslfriedman.com/worldisflat.htm

The Post-American World (The Rise of the Rest)

The next 100 Years: A History of the 21st Century


