Fundamentals of Information Systems Security
This book aims to give a quick but in-depth review of the topics required to pass the Certified Information Systems Security Professional (CISSP)[1] exam.
Physical (Environmental) Security Challenges
- Threats and Vulnerabilities
- Threat Types
- Vulnerabilities
Site Location
- Site Fabric and Infrastructure
The Layered Defense Model
Physical Considerations
Working with Others to Achieve Physical and Procedural Security
Physical and Procedural Security Methods, Tools, and Techniques
Procedural Controls
Infrastructure Support Systems
Fire Prevention, Detection, and Suppression
Boundary Protection
Building Entry Points
Keys and Locking Systems
Walls, Doors, and Windows
Access Controls
Closed-Circuit Television (CCTV)
Intrusion Detection Systems
Portable Device Security
Asset and Risk Registers
Information Protection and Management Services
- Managed Services
- Audits, Drills, Exercises, and Testing
- Vulnerability and Penetration Tests
- Environmental Crisis
- Maintenance and Service Issues
- Education, Training, and Awareness
- Cloud Security
- Security Program
- Security Controls
- The Elements of Security
Core Information Security Principles
- Confidentiality
- Integrity
- Availability
Information Security Management Governance
- Security Governance
- Security Policies, Procedures, Standards, Guidelines, and Baselines
- Organizational Security Models
Organizational Behavior
- Organizational Structure Evolution
- Best Practices
- Security Roles and Responsibilities
- Reporting Model
- Enterprise-wide Security Oversight
Security Awareness, Training, and Education
- Conducting a Formal Security Awareness Training
- Awareness Activities and Methods
Information Risk Management
- Risk Management Concepts
- Risk Handling Strategies
- Risk Assessment/Analysis
Information Classification
- Introduction
- Classification Types
- Guidelines for Information Classification
- Criteria for Information Classification
- Data Classification Procedures
- Classification Controls
Ethics
- Basic Concepts
- Professional Code of Ethics
- Example Topics in Computer Ethics
- Common Computer Ethics Fallacies
- Hacking and Hacktivism
- Access Control Challenges
- Access Control Principles
- Access Control Criteria
- Access Control Practices
Security Principles
Identification Authentication and Authorization
- Identification and Authentication
- Identity Management
Access Control Categories
- Administrative
- Physical
- Technical
Access Control Types
Access Control Threats
- Denial of Service (DoS/DDoS)
- Buffer Overflows
- Malicious Software
- Password Crackers
- Spoofing/Masquerading
- Emanations
- Shoulder Surfing
- Object Reuse
- Data Remanence
- Backdoor/Trapdoor
- Dictionary Attacks
- Brute-Force Attacks
- Social Engineering
Access Control Technologies
- Single Sign-On
- Kerberos
- SESAME
- Security Domain
- Thin Clients
Access Control Models
- Discretionary Access Control
- Mandatory Access Control
- Non-Discretionary or Role-Based Access Control
- DAC vs. MAC vs. RBAC
Access Control Techniques
- Rule-Based Access Control
- Constrained User Interface
- Access Control Matrix
- Content Dependent Access Control
- Context Dependent Access Control
Access Control Administration
- Centralized Access Control
- Decentralized Access Control
Access Control Monitoring (IDS/IPS)
- Intrusion Detection Systems
- Intrusion Prevention System
Access Control Assurance
- Basic Concepts
Computer System Architecture
- Central Processing Unit (CPU)
- Storage
- Operating Systems
- Firmware
- Virtual Machines
- Hybrid/Cloud Computing Architecture
Systems Security Architecture
- Security Design Principles
- Trusted Computing Base
Security Models
- Lattice Models
- State Machine Models
- Noninterference Models
- Bell-LaPadula Confidentiality Model
- Biba Integrity Model
- Clark-Wilson Integrity Model
- Access Control Matrix
- Information Flow Models
- Graham-Denning Model
- Harrison-Ruzzo-Ullman Model
- Brewer-Nash (Chinese Wall) Model
Security Product Evaluation Methods and Criteria
- Rainbow Series
- Information Technology Security Evaluation Criteria (ITSEC)
- Common Criteria
- Certification and Accreditation
Introduction
Core Information Security Principles: Availability, Integrity, Confidentiality (AIC)
Why Continuity Planning?
Reality of Terrorist Attack
Natural Disasters
Internal and External Audit Oversight
Legislative and Regulatory Requirements
Industry and Professional Standards
NFPA 1600
ISO 17799
Defense Security Service (DSS)
National Institute of Standards and Technology (NIST)
Good Business Practice or the Standard of Due Care
Enterprise Continuity Planning and Its Relationship to Business Continuity and Disaster Recovery Planning
Revenue Loss
Extra Expense
Compromised Customer Service
Embarrassment or Loss of Confidence Impact
Hidden Benefits of Continuity Planning
Organization of the BCP/DRP Domain Chapter
Project Initiation Phase
Current State Assessment Phase
Design and Development Phase
Implementation Phase
Management Phase
Project Initiation Phase Description
Project Scope Development and Planning
Executive Management Support
BCP Project Scope and Authorization
Executive Management Leadership and Awareness
Continuity Planning Project Team Organization and Management
Disaster or Disruption Avoidance and Mitigation
Project Initiation Phase Activities and Tasks Work Plan
Current State Assessment Phase Description
Understanding Enterprise Strategy, Goals, and Objectives
Enterprise Business Processes Analysis
People and Organizations
Time Dependencies
Motivation, Risks, and Control Objectives
Budgets
Technical Issues and Constraints
Continuity Planning Process Support Assessment
Threat Assessment
Risk Management
Business Impact Assessment (BIA)
Benchmarking and Peer Review
Sample Current State Assessment Phase Activities and Tasks Work Plan
Development Phase Description
Recovery Strategy Development
Work Plan Development
Develop and Design Recovery Strategies
Data and Software Backup Approaches
DRP Recovery Strategies for IT
BCP Recovery Strategies for Enterprise Business Processes
Developing Continuity Plan Documents and Infrastructure Strategies
Developing Testing/Maintenance/Training Strategies
Plan Development Phase Description
Building Continuity Plans
Contrasting Crisis Management and Continuity Planning Approaches
Building Crisis Management Plans
Testing/Maintenance/Training Development Phase Description
Developing Continuity and Crisis Management Process Training and Awareness Strategies
Sample Phase Activities and Tasks Work Plan
Implementation Phase Description
Analyze CPPT Implementation Work Plans
Program Short- and Long-Term Testing
Continuity Plan Testing (Exercise) Procedure Deployment
Program Training, Awareness, and Education
Emergency Operations Center (EOC)
Management Phase Description
Program Oversight
Continuity Planning Manager Roles and Responsibilities
Terminology
References
Sample Questions
Appendix A: Addressing Legislative Compliance within Business Continuity Plans
HIPAA
GLB
Patriot Act
Other Issues
OCC Banking Circular 177
Introduction
Basic Concepts
Network Models
OSI Reference Model
TCP/IP Model
Network Security Architecture
The Role of the Network in IT Security
Network Security Objectives and Attack Modes
Methodology of an Attack
Network Security Tools
Layer 1: Physical Layer
Concepts and Architecture
Communication Technology
Network Topology
Technology and Implementation
Cable
Twisted Pair
Coaxial Cable
Fiber Optics
Patch Panels
Modems
Wireless Transmission Technologies
Layer 2: Data-Link Layer
Concepts and Architecture
Architecture
Transmission Technologies
Technology and Implementation
Ethernet
Wireless Local Area Networks
Address Resolution Protocol (ARP)
Point-to-Point Protocol (PPP)
Layer 3: Network Layer
Concepts and Architecture
Local Area Network (LAN)
Wide Area Network (WAN) Technologies
Metropolitan Area Network (MAN)
Global Area Network (GAN)
Technology and Implementation
Routers
Firewalls
End Systems
Internet Protocol (IP)
Virtual Private Network (VPN)
Tunneling
Dynamic Host Configuration Protocol (DHCP)
Internet Control Message Protocol (ICMP)
Internet Group Management Protocol (IGMP)
Layer 4: Transport Layer
Concepts and Architecture
Transmission Control Protocol (TCP)
User Datagram Protocol (UDP)
Technology and Implementation
Scanning Techniques
Denial of Service
Layer 5: Session Layer
Concepts and Architecture
Technology and Implementation
Remote Procedure Calls
Directory Services
Access Services
Layer 6: Presentation Layer
Concepts and Architecture
Technology and Implementation
Transport Layer Security (TLS)
Layer 7: Application Layer
Concepts and Architecture
Technology and Implementation
Asynchronous Messaging (E-mail and News)
Instant Messaging
Data Exchange (World Wide Web)
Peer-to-Peer Applications and Protocols
Administrative Services
Remote-Access Services
Information Services
Voice-over-IP (VoIP)
General References
Sample Questions
Endnotes
Domain Description and Introduction
Current Threats and Levels
Application Development Security Outline
Expectation of the CISSP in This Domain
Applications Development and Programming Concepts and Protection
Current Software Environment
Open Source
Full Disclosure
Programming
Process and Elements
The Programming Procedure
The Software Environment
Threats in the Software Environment
Buffer Overflow
Citizen Programmers
Covert Channel
Malicious Software (Malware)
Malformed Input Attacks
Memory Reuse (Object Reuse)
Executable Content/Mobile Code
Social Engineering
Time of Check/Time of Use (TOC/TOU)
Trapdoor/Backdoor
Application Development Security Protections and Controls
System Life Cycle and Systems Development
Systems Development Life Cycle (SDLC)
Software Development Methods
Java Security
Object-Oriented Technology and Programming
Object-Oriented Security
Distributed Object-Oriented Systems
Software Protection Mechanisms
Security Kernels
Processor Privilege States
Security Controls for Buffer Overflows
Controls for Incomplete Parameter Check and Enforcement
Memory Protection
Covert Channel Controls
Cryptography
Password Protection Techniques
Inadequate Granularity of Controls
Control and Separation of Environments
Time of Check/Time of Use (TOC/TOU)
Social Engineering
Backup Controls
Software Forensics
Mobile Code Controls
Programming Language Support
Audit and Assurance Mechanisms
Information Integrity
Information Accuracy
Information Auditing
Certification and Accreditation
Information Protection Management
Change Management
Configuration Management
Malicious Software (Malware)
Malware Types
Viruses
Worms
Hoaxes
Trojans
Remote-Access Trojans (RATs)
DDoS Zombies
Logic Bombs
Spyware and Adware
Pranks
Malware Protection
Scanners
Activity Monitors
Change Detection
Antimalware Policies
Malware Assurance
The Database and Data Warehousing Environment
DBMS Architecture
Hierarchical Database Management Model
Network Database Management Model
Relational Database Management Model
Object-Oriented Database Model
Database Interface Languages
Open Database Connectivity (ODBC)
Java Database Connectivity (JDBC)
eXtensible Markup Language (XML)
Object Linking and Embedding Database (OLE DB)
Accessing Databases through the Internet
Data Warehousing
Metadata
Online Analytical Processing (OLAP)
Data Mining
Database Vulnerabilities and Threats
DBMS Controls
Lock Controls
Other DBMS Access Controls
View-Based Access Controls
Grant and Revoke Access Controls
Security for Object-Oriented (OO) Databases
Metadata Controls
Data Contamination Controls
Online Transaction Processing (OLTP)
Knowledge Management
Web Application Environment
Web Application Threats and Protection
Summary
References
Sample Questions
Introduction
Privileged Entity Controls
Operators
Ordinary Users
System Administrators
Security Administrators
File Sensitivity Labels
System Security Characteristics
Clearances
Passwords
Account Characteristics
Security Profiles
Audit Data Analysis and Management
System Accounts
Account Management
Resource Protection
Facilities
Hardware
Software
Documentation
Threats to Operations
Disclosure
Destruction
Interruption and Nonavailability
Corruption and Modification
Theft
Espionage
Hackers and Crackers
Malicious Code
Control Types
Preventative Controls
Detective Controls
Corrective Controls
Directive Controls
Recovery Controls
Deterrent Controls
Compensating Controls
Control Methods
Separation of Responsibilities
Least Privilege
Job Rotation
Need to Know
Security Audits and Reviews
Supervision
Input/Output Controls
Antivirus Management
Media Types and Protection Methods
Object Reuse
Sensitive Media Handling
Marking
Handling
Storing
Destruction
Declassification
Misuse Prevention
Record Retention
Continuity of Operations
Fault Tolerance
Data Protection
Software
Hardware
Communications
Facilities
Problem Management
System Component Failure
Power Failure
Telecommunications Failure
Physical Break-In
Tampering
Production Delay
Input/Output Errors
System Recovery
Intrusion Detection System
Vulnerability Scanning
Business Continuity Planning
Change Control Management
Configuration Management
Production Software
Software Access Control
Change Control Process
Requests
Impact Assessment
Approval/Disapproval
Build and Test
Notification
Implementation
Validation
Documentation
Library Maintenance
Patch Management
Summary
References
Sample Questions
Introduction
Major Legal Systems
Common Law
Criminal Law
Tort Law
Administrative Law
Civil Law
Customary Law
Religious Law
Mixed Law
Information Technology Laws and Regulations
Intellectual Property Laws
Patent
Trademark
Copyright
Trade Secret
Licensing Issues
Privacy
Liability
Computer Crime
International Cooperation
Incident Response
Response Capability
Incident Response and Handling
Triage
Investigative Phase
Containment
Analysis and Tracking
Recovery Phase
Recovery and Repair
Debriefing/Feedback
Computer Forensics
Crime Scene
Digital/Electronic Evidence
General Guidelines
Conclusions
References
Sample Questions