Security Management Practices, Session 1
Section A: Introduction · CD Tour · Why CISSP? · Requirements · Required Domains
Section B: The Security Triangle · Securing the System · Confidentiality · Integrity · Availability
Section C: Security Management Training · Security Administration · Organizational · Physical Risks · Human Risks · Risk Management Terms · Risk Management Options · Legal Responsibility · Risk Assessment Team
Section D: Risk Assessment · Cost vs. Benefit · Single Loss Expectancy · Annual Loss Expectancy · Calculating Overall Risk · Pros & Cons · Qualitative Assessment · Selecting Controls
Section E: Data Classification · Classification Criteria · Data Responsibility · Commercial Data · Government Data
Section F: Security Policy · Security Policy Types · Standards · Guidelines · Procedures
Section G: Job Policies & Training · Hiring Practices · Termination Practices · Job Descriptions · Job Activities · Security Awareness · Tailoring Training
Access Control Systems & Methodology, Session 1
Section A: Access Control Basics · Access Control · Least Privilege · Accountability · Physical Access · Administrative Access · Logical Access
Section B: Access Control Techniques · Control Types · Control Categories · Security Labels · Discretionary · Mandatory · Nondiscretionary · Access Control Lists
Section C: Access Control Implementation · Centralized Authentication · RADIUS · TACACS · Decentralized · Hybrid Model
Section D: Identification & Authentication · Phases · Type 1 Authentication · Type 2 Authentication · Type 3 Authentication · Single Sign-on · Kerberos · Kerberos Process · SESAME
Section E: Attack & Monitor · Brute Force · Dictionary · Denial of Service · Spoofing · Man-in-the-Middle · Monitoring · Intrusion Detection · Penetration Testing
Security Architecture & Models, Session 1
Section A: Organization · CPU · RAM · ROM · Erasable PROM · Memory Addressing · Cache Memory · Virtual Memory
Section B: Machine Operation · Hardware/Software · Machine Types · Execution Cycle · Scalar Processors · CPU Types · Capabilities
Section C: Operating Modes/Protection Mechanisms · Operating States · Operating Modes · Storage Types · Layering · Abstraction · Least Privilege · Accountability · Definitions
Section D: Evaluation Criteria · Orange Book · TCSEC · Other Criteria · International Criteria
Section E: Security Models · State Machine Model · Bell-LaPadula Model · Biba Model · Clark-Wilson Model · Information Flow Model · Noninterference Model
Section F: Common Flaws & Issues · Covert Channels · Initialization State · Parameter Checking · Maintenance Hooks · Programming · Timing Issues · EMR
Operations Security, Session 1
Section A: Administrative Management · Duty Separation · Least Access · Accountability · Privacy & Protection · Legal Requirements · Illegal Activities
Section B: Operation Controls · Record Attention · Backups · Data Removal · Anti-Virus · Privileged Functions · Resource Protection
Section C: Auditing · Frequency · Audit Trails · Audit Reporting · Sampling · Retention
Section D: Monitoring · Categories · Warning Banners · Keystroke Monitoring · Traffic Analysis · Trend Analysis · Tools · Failure Recognition
Section E: Intrusion Detection · Intrusion Prevention · IDS Types · Penetration Testing · Inappropriate Activity
Section F: Threats & Countermeasures · Interception · Human Factors · Fraud & Theft · Employee Sabotage · Disaster Recovery · Hackers · Espionage · Malicious Code
Business Continuity & Disaster Recovery Planning, Session 1
Section A: BCP Project Scope · Organization Analysis · Planning Team · Resource Requirements · Legal Requirements
Section B: Business Impact Analysis · Interruption · Resource Prioritization · Continuity Strategy · BCP Approval
Section C: DRP Planning & Recovery · Identification · Crisis Management · Recovery · Data Center Alternatives · More Alternatives · Processing Agreements
Section D: Recovery Plan · Emergency Response · Data Backup · Backup Types · Off-Site Storage · Utilities · Logistics · Emergency Services · Documentation
Section E: Recovery Plan Implementation · Training · Checklist Test · Structured Walk-through · Simulation Test · Parallel Test · Full-Interruption Test
Telecommunications, Network & Internet Security, Session 1
Section A: OSI Reference Model · Protocols · Standards Organization · OSI Review · Logical Data Flow · Physical Data Flow
Section B: OSI Layers · Application Layer · Presentation Layer · Session Layer · Transport Layer · Network Layer · Data Link Layer · Physical Layer
Section C: Physical Media & LAN Technologies · Twisted Pair · Coaxial · Fiber Optics · Star Topology · Bus Topology · Ring Topology · Tree Topology · Mesh Topology
Section D: LANs, WANs, & Remote Access · Ethernet · Other Access Methods · Signaling Types · Network Types · Dialup · ISDN · DSL · Wireless/Cable
Section E: Remote Access Security · VPN · PPTP · IPSec · Connection Security · User Authentication · Node Authentication
Telecommunications, Network & Internet Security, Session 2
Section A: Network Devices · Hubs · Bridges · Switches · Routers · Gateways · Firewalls
Section B: Firewalls · 1st Generation · 2nd & 3rd Generation · 4th & 5th Generation · Packet-Filtering Router · Screened-host · Dual-homed Host · Screened-subnet
Section C: Security Protocols & Services · TCP/IP · Network Layer · Transport Layer · Application Layer · SDLC/HDLC · Frame Relay · ISDN · X.25
Section D: Security Techniques · Tunneling · Network Monitors · Transparency · Hash Totals · Email Security · Facsimile Security · Voice Communication
Section E: Common Network Attacks · Network Abuses · ARP · DoS/DDoS · Flooding · Spoofing · Spamming · Eavesdropping · Sniffers
Applications & Systems Development, Session 1
Section A: Application Issues · Software Development · Application Environments · Malicious Code · Agents · Applets · Objects
Section B: Databases & Data Warehousing · Databases · Relational Database · Record Identification · Query Language · Data Warehouses · Aggregation · Interference · Polyinstantiation
Section C: Data & Information Storage · Data Handling · Data Storage · Virtual Memory · Information Retrieval · Knowledge-based Systems
Section D: System Development Controls · Coding Controls · Development Life Cycle · Design · Certification · Certification Standards
Section E: Security Development Controls · Isolation Architecture · Administration Control · Design Control · System Control · Modes of Operation · Integrity Levels · Service Level Agreement
Section F: Malicious Code · Players · Viruses · Virus Types · OS Vulnerability · Other Malicious Code · Anti-virus Protection
Section G: Methods of Attack · Brute Force · Social Engineering · DoS/DDoS · Spoofing · Pseudo Flaw · Buffer Overflows · TOC/TOU · Tool Kits
Cryptography, Session 1
Section A: History & Goals of Cryptography · Ancient History · Modern History · Confidentiality · Integrity · Authentication · Non-Repudiation
Section B: Concepts & Methodologies · Transposition Cipher · Substitution Cipher · Cipher Categories · Cipher Process · Symmetric Algorithms · Asymmetric Algorithms · Message Authentication
Section C: Cryptographic Algorithms · DES · Triple DES · Other Symmetric Algorithms · AES · Asymmetric Algorithms · Hashing Algorithms
Section D: Cryptographic Practices · Digital Signatures · Signature Types · Key Distribution · Steganography · Public Key Infrastructure
Section E: System Architecture · PEM · MOSS · S/MIME · SSL · HTTPS · SET · IPSEC · ISAKMP
Section F: Methods of Attack · Brute Force · Known Plaintext · Chosen Ciphertext · Chosen Plaintext · Meet-in-the-middle · Man-in-the-middle · Birthday · Replay
Law, Investigations & Ethics, Session 1
Section A: Types of Computer Crime · Military Attacks · Business Attacks · Financial Attacks · Terrorist Attacks · Grudge Attacks · "Fun" Attacks · Hacking/Cracking
Section B: Categories of Law · Criminal Law · Civil Law · Administrative/Regulatory Law · Intellectual Property Law · Trade Secrets · Copyrights · Trademarks · Patents
Section C: Computer Laws · Technology Threat · Government Intervention · Fraud & Abuse Act · Security Act · Amended Security Act · Security Reform Act · Privacy Acts · Patriot Act
Section D: Types of Incidents · Incident Categories · Scanning Incidents · Compromise Incidents · More Compromise Incidents · Malicious Code Incidents · DoS Incidents
Section E: Incident Handling · Knowledge · Response · Contain Damage · Reporting
Section F: Investigation & Evidence · Evidence Handling · Evidence Types · Evidence Admissibility · Search & Seizure
Section G: Ethics · Code of Ethics · Ten Commandments · RFC 1087 · GASSP
Physical Security, Session 1
Section A: Physical Security Threats · Threats · Threats Continued · More Threats
Section B: Facility Requirements · Security Policy · Critical Path Analysis · Access Controls
Section C: Physical Security Controls · Administrative Controls · Fences/Gates · Lighting · Security Guards/Dogs · Keys/Badges · Detective Controls/CCTV · Restriction/Escorts · Technical Controls
Section D: Environmental Issues · Power · HVAC · Water Leakage/Flooding · Fire Detection/Suppression · Natural Disasters