Part I: Focused Review of the CISSP Ten Domains.
Download
Report
Transcript Part I: Focused Review of the CISSP Ten Domains.
ISQS 3360
Telecomm Security
John R. Durrett, Ph.D.
Fall 2010
Various Security Videos
Course Overview
Why the CISSP Exam Review
Web Site
Contacting Me
Grading
Why
In CyberWar, China is Just a Skirmish
Sony Rootkit of 2005
Crackers & Open Sources Methods
Schneier on Security
Security News Portal
Current Vulnerabilities
How to Worry About Linux Security
(Linux Journal 8/28/06)
“Worry about a networked system is good,
the trick is to worry about the right things &
to act on our worries”
Folks you should worry about
Weapons you should worry about
Vulnerabilities You Should Worry About
How to channel worries into constructive
action
Folks You Should Worry About
Mostly work you way outward, but
once in awhile look from cracker's
viewpoint
Identity Thieves Resource Thieves
Malicious Code
Vandals
Corporate Spies Stalkers
Not all crackers are remote: INSIDERS
Weapons You Should Worry About
Mid 90's weapon was cracker at PC
(or)
Direct interaction: attacker – victim
Usually correct, sometimes not
Today vast majority are automated
viruses, trojans and worms
botnet:
spammers paid per distribution node
DdoSers, Phishers
Crackers still here but most are “script kiddies”
Vulnerabilities
You Should Worry About
a threat equals an attacker plus some
vulnerability
If a vulnerability cannot be exploited it
does not constitute a risk
No such thing as a completely
invulnerable system but can lower %
Common types of vulnerabilities
Bugs in user-space software (applications)
Bugs in system software
(kernel, drivers/modules, etc.)
Extraneous user accounts
Extraneous software
(with bugs or sloppy/default settings)
Unused security features in applications
Unused security features in the OS
Gullible users
Recipe
to convert worry to action
1. Define system function
Sun Tzu: analyze terrain you need to defend
2. Prioritize types of attacks most likely
3. What data/resources most likely target
4. What vulnerabilities give access to #3
5. How can I lower/remove vulnerability
CISSP
International Information Systems
Security Consortium (ISC)2
Common Body of Knowledge
Ten Domains: created to establish a
common communications platform
CISSP:
NOT THE PURPOSE of THIS COURSE
Ten Domains
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Security Management Practices
Access Control Systems
Telecommunications & Network Security
Cryptography
Security Architecture & Modules
Operations Security
Applications & Systems Development
Business Continuity & Disaster Recovery
Law, Investigation & Politics
Physical Security
Ch 1:
Security Management Practices
Basic Security Concepts
Policies, Standards, Guidelines, &
Procedures
Roles played in security management
Security Awareness
Risk Management
Data & Information Classification
Ch 2:
Access Control Systems
A means of ensuring a system’s C.I.A
(Confidentiality, Integrity, &
Availability)
given the threats, vulnerabilities, &
risks its infrastructure
Ch 3 :
Telecommunications & Network Security
C.I.A. as it applies to Network Security
Protocols & Layered Network Architectures
OSI and TCP/IP
TCP/IP protocol architecture
IP addressing & Routing
TCP
Applications
IPv6
Ch 4 :
Cryptography
Purpose: to protect transmitted
information from being read or
altered by non authorized subjects
Ch 5 :
Security Architecture & Models
“The security architecture of an
information system is fundamental to
enforcing an organization’s
information security policy.”
Ch 6 :
Operations Security
“Controls over the hardware in a
computing facility, over the data
media used, and over the operators
using these resources.”
Controls & Protections needed to insure
CIA
Monitoring & Auditing above Controls
Threats & Vulnerabilities
Ch 7 :
Application & System Development
A very brief overview of the SDLC and
the security issues involved.
Generic Systems Engineering
Waterfall Model, Spiral Model
Cost Estimations Models
Security Components of the Models
Agile Development, AI Systems
Database, BI, & Application Controls
Ch 8 : Business Continuity &
Disaster Recovery Planning
Assumes the Worst Has Happened
Preparation, testing, & updating of actions required to
protect critical business processes from the effects of
major system & network failures
Buss Continuity (BCP)
Disaster Recovery (DRP)
Plan initiation
Planning
Bus. Impact Assess. (BIA)
Testing
Plan Development
Specific Procedures
Ch 9 :
Law, Investigation, & Ethics
What laws apply to computer crimes,
how to determine a crime has
occurred, how to preserve evidenced,
conduct an investigation, & what are
the liabilities.
Ch 10:
Physical Security
“Least sexy of the 10 domains but the
best firewall in the world will not
stand up to a well placed brick.”
Addresses threats, vulnerabilities,
countermeasures to physically protect
org’s resources & sensitive info
Natural disasters
Unauthorized entry and/or theft
“The World is Flat”
by Thomas Friedman
Internet, High bandwidth,
Ubiquitous Global Connectivity
Outsourcing
Education
http://www.thomaslfriedman.com/worldisflat.htm
The Post-American World (The Rise of the Rest)
The next 100 Years: A History of the 21st Century