An introduction to the CISSP certification for self study groups
1. An introduction to the
CISSP certification for
self-study groups
Tomas Ericsson, CISSP-ISSAP
Solutions Architect
Mobile: +46 (0) 70 530 45 32
E-mail: tomas.ericsson@vemendo.se
Twitter: @tomas_ericsson
vemendo
founded
1997
with a special eye for the customer's business
2. Agenda
• Why become a CISSP?
• About (ISC)²
• The Credentialing Process
• The 10 CBK Domains
• Study Resources
• Tips on the way
• Questions and answers
3. Why become a CISSP?
• The world changes with growing needs for
security
• Prove that you meet a predefined standard of
knowledge and experience
• Broaden your knowledge of security concepts
and practices
• Become more marketable in a competitive
workforce
• Show your dedication to the security
discipline
4. About (ISC)²
• A global not-for-profit organization
• Formed in 1989 – First public certification
available in 1995
• Sole purposes – certification and education
in information security
International Information Systems
Security Certification Consortium
• First information security credential
accredited by ANSI ISO/IEC Standard
17024
• Certified thousands of information security
practitioners in over twenty-seven countries
5. (ISC)² Certifications
• CISSP
• Certified Information Systems Security
Professional
• CISSP Concentrations
• Information Systems Security Architecture
Professional (ISSAP)
• Information Systems Security Engineering
Professional (ISSEP)
• Information Systems Security Management
Professional (ISSMP)
• CSSLP
• Certified Secure Software Lifecycle Professional
• SSCP
• Systems Security Certified Practitioner
• CAP
• Certified Authorization Professional
6. Number of certified professionals
per July 2011*
CISSP
• In Sweden: 350
• World-Wide: 75 000
CISSP-ISSAP
• In Sweden: 4
• World-Wide: 998
CISSP-ISSEP
• In Sweden: 0
• World-Wide: 726
CISSP-ISSMP
• In Sweden: 4
• World-Wide: 720
*Source: (ISC)² web site member resources.
7. (ISC)² Credentialing Process
• Required Experience
• Minimum of five years of full-time working experience in any combination of
two of the CBK domains. Four years if holding a bachelor's or master's
degree, or another approved certificate.
• Application
• Validating your education and/or experience
• CISSP Examination
• Passing the exam
• Code of Ethics
• Committing to principles and guidelines set forth by (ISC)²
• Endorsement Process
• Attesting to your eligibility requirements
8. Code of Ethics
• Safety of the commonwealth requires
that we adhere to the highest ethical
standards of behavior
• Therefore, strict adherence to this
code is a condition of certification
• Certificate holders will:
• Protect society, the commonwealth,
and the infrastructure
• Act honorably, honestly, justly,
responsibly and legally
• Provide diligent and competent
service to principals
• Advance and protect the profession
9. The Exam
• “An inch deep and a mile wide”
• 250 multiple choice questions
• 25 for research purposes
• Some scenario based
• Up to 6 hours to complete and a minimum score of
70% to pass (700 out of 1000 points).
• Information Security Concepts
• Vendor and product independent
• Measures habitual knowledge, not skill
• Standard English dictionaries are ok to use
10. The long wait…
• Finally you receive a mail telling you that you have
passed the exam (you will not know the score).
Congratulations!
• If you fail to pass the exam you will receive a mail
with your score. Domains are listed with ranking
from weakest to strongest.
• A small sample group of candidates will be audited
after passing the exam.
11. The Endorsement Process
• Next step after passing the exam
• Another CISSP (in good standing)
verifies that you have the
experience you claim to have
• After approval from the (ISC)²
board of directors you will receive
your certificate.
12. Maintaining your CISSP certificate
in good standing
• The CISSP certification is valid for
three years
• Remain in Good Standing by:
• Being compliant with the (ISC)² Code
of Ethics
• Earning 120 Continuing Professional
Education (CPE) credits during the
three-year period
• Paying Annual Maintenance Fees
(AMFs)
• This will qualify you for an exam-free recertification
13. How you earn CPE credits
• Attending educational courses or
seminars
• Attending security conferences
• Being a member of an association
chapter and attending meetings
• Serving on the board for a
professional security organization
• Volunteering for government, public
sector and other charitable
organizations, including (ISC)²
volunteer committees
1 CPE = approx. 1 hour
14. How you earn CPE credits (cont.)
• Completing higher academic courses
• Providing security training
• Publishing security articles or books
• Participating in self-study courses,
computer-based training or Web casts
• Reading an information security book or
subscribing to an information security
magazine
15. Two types of CPE credits
• Group A
• Access Control
• Application Security
• Business Continuity and Disaster Recovery Planning
• Cryptography
• Information Security and Risk Management
• Legal, Regulations, Compliance and Investigations
• Operations Security Team
• Physical (Environmental) Security
• Security Architecture and Design
• Telecommunications and Network Security
• Group B
• Organizational Behavior
• Strategic Planning
• Programming Languages & Techniques
• Tools and Techniques
• Interpersonal Communications Skills
• Interviewing Techniques
• Development Skills
• Project Management Skills
In a three-year period you need a minimum of 120 credits, of which at
least 80 need to be Group A credits.
16. CBK – Common Body of
Knowledge
• A collection of topics relevant to
information security professionals
around the world
• Establishes a common framework of
information security terms and principles
• Review Committee consisting of leading
information security specialists,
educators and practitioners.
• Focus on Confidentiality, integrity and
availability (CIA), and attempts to
balance the three across ten areas of
interest called CBK domains.
17. The 10 CISSP CBK Domains
• Access Control
• Application Development Security
• Business Continuity and Disaster Recovery
Planning
• Cryptography
• Information Security Governance and Risk
Management
• Legal, Regulations, Investigations and
Compliance
• Operations Security
• Physical (Environmental) Security
• Security Architecture and Design
• Telecommunications and Network Security
18. CBK Domain #1
Access Control
• Authentication methods, models, and technologies
• Access Control Models
• Discretionary Access Control (DAC)
• Mandatory Access Control (MAC)
• Non-discretionary Access Control
• Identity Management Solutions
• Directories
• Web Access Management
• Password Management
• SSO
19. CBK Domain #1 (cont.)
Access Control
• Intrusion detection systems
• Network vs. Host-based
• Behavior vs. Signature-based
• Threats to access control practices and technologies
• Race condition
• Brute Force
• Dictionary
• Social
• Rainbow tables
• Accountability, monitoring, and auditing practices
20. CBK Domain #1
Access Control
• Which access control method is user-directed?
A. Non-discretionary
B. Mandatory
C. Identity-based
D. Discretionary
• Which item is not part of a Kerberos authentication implementation?
A. Message Authentication Code
B. Ticket granting service
C. Authentication service
D. Users, programs, and services
21. CBK Domain #2
Application Development Security
• Various types of software controls and
implementation
• Database concepts and security issues
• Database views
• Aggregation
• Inference
• Software life-cycle development
processes
22. CBK Domain #2 (cont.)
Application Development Security
• Web Security
• Threats
• Safeguards
• Malicious Software
• Viruses
• Worms
• Trojan horses
• Logic bombs
23. CBK Domain #2
Application Development Security
• Which of the following replicates itself by attaching to other programs?
A. A worm
B. A virus
C. A Trojan horse
D. Malware
• Database views provide what type of security control?
A. Detective
B. Corrective
C. Preventive
D. Administrative
24. CBK Domain #3
Business Continuity and Disaster Recovery Planning
• Project initiation steps
• Business Impact Analysis (BIA)
• Recovery strategy
• Recovery plan
• Implementing, testing and maintaining the plan
• Recovery and continuity planning requirements
• Backup alternatives
• Full backup
• Incremental
• Differential
25. CBK Domain #3 (cont.)
Business Continuity and Disaster Recovery Planning
• Backup and offsite facilities
• Hot
• Warm
• Cold
• Reciprocal agreements
• Offsite backups
• Remote journaling
• Electronic vaulting
• Types of drills and tests
• Walk through
• Checklist
• Simulation
• Full Interruption
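The backup alternatives listed on slide 24 (full, incremental, differential) and the offsite restore that slide 25 is about, as an added example that is not part of the original deck: a small Python simulation that computes which files each strategy writes per day and which backup sets a restore then has to read. The file names and the daily change sets are constructed sample data, and the "archive bit" bookkeeping is a simplification of how real backup software tracks changed files.

```python
# Added example: full vs. incremental vs. differential backups.
# A backup strategy decides which files get copied each day; the trade-off is
# media volume written per day against the number of backup sets a restore
# must read. File names and daily change sets below are constructed samples.

from typing import List, Set

STRATEGIES = ("full", "incremental", "differential")


def backup_sets(strategy: str, initial_files: Set[str],
                daily_changes: List[Set[str]]) -> List[Set[str]]:
    """Day 0 is always a full backup of initial_files. For each later day,
    daily_changes[i] is the set of files created or modified on day i+1.
    Returns the set of files written to backup media on each day."""
    if strategy not in STRATEGIES:
        raise ValueError(f"unknown strategy: {strategy}")
    live = set(initial_files)          # files that currently exist on the system
    since_full: Set[str] = set()       # files whose archive bit is still set since the full
    sets = [set(live)]
    for changed in daily_changes:
        live |= changed
        since_full |= changed
        if strategy == "full":
            sets.append(set(live))        # everything, every day
        elif strategy == "incremental":
            sets.append(set(changed))     # only changes since the previous backup
        else:  # differential
            sets.append(set(since_full))  # everything changed since the last full
    return sets


def restore_chain(strategy: str, day: int) -> List[int]:
    """Indices of the backup sets needed, in the order they must be applied,
    to rebuild the system as it was after the backup on `day`."""
    if strategy not in STRATEGIES:
        raise ValueError(f"unknown strategy: {strategy}")
    if day < 0:
        raise ValueError("day must be >= 0")
    if strategy == "full" or day == 0:
        return [day]                      # one set is enough
    if strategy == "incremental":
        return list(range(day + 1))       # the full plus every incremental since
    return [0, day]                       # the full plus the latest differential


def restore(strategy: str, sets: List[Set[str]], day: int) -> Set[str]:
    """Apply the chain and return the recovered file set. For every strategy
    this must equal the live file set on that day, or the plan is broken."""
    recovered: Set[str] = set()
    for idx in restore_chain(strategy, day):
        recovered |= sets[idx]
    return recovered


def media_volume(sets: List[Set[str]]) -> int:
    """Total number of file copies written across all days."""
    return sum(len(s) for s in sets)


if __name__ == "__main__":
    initial = {"a", "b", "c", "d"}
    changes = [{"a"}, {"b", "e"}, {"a", "c"}]   # changes on days 1..3
    for strategy in STRATEGIES:
        sets = backup_sets(strategy, initial, changes)
        print(f"{strategy:12s} volume={media_volume(sets):2d} "
              f"restore of day 3 needs sets {restore_chain(strategy, 3)} "
              f"-> {sorted(restore(strategy, sets, 3))}")
```

Run as a script it prints, for the same three days of changes, that the full strategy writes the most media but restores from a single set, the incremental strategy writes the least but needs the full plus every incremental since, and the differential strategy sits between them. The `restore` check is the part worth keeping in a real plan: a backup set that cannot be shown to rebuild the live file set is not a backup.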
26. CBK Domain #3
Business Continuity and Disaster Recovery Planning
• What is one of the first steps in developing a business continuity plan?
A. Identify backup solution
B. Decide whether the company needs to perform a walk-through, parallel, or simulation test
C. Perform a business impact analysis
D. Develop a business resumption plan
• Which best describes a hot-site facility versus a warm- or cold-site facility?
A. A site that has disk drives, controllers, and tape drives
B. A site that has all necessary PCs, servers, and telecommunications
C. A site that has wiring, central air, and raised flooring
D. A mobile site that can be brought to the company’s parking lot
27. CBK Domain #4
Cryptography
• History of cryptography
• Cryptography components and their
relationships
• Government involvement in cryptography
• Symmetric and asymmetric key algorithms
• Public key infrastructure (PKI) concepts and mechanisms
• Digital Signatures
• Certificates
• Certificate Authority (CA)
• Registration Authority (RA)
28. CBK Domain #4 (cont.)
Cryptography
• Hashing algorithms and uses
• md2, md4, md5
• SHA-1, SHA-2
• Types of attacks on cryptosystems
• Cipher attack
• Cryptanalysis
• Known-Plaintext
• Replay
• …and more
29. CBK Domain #4
Cryptography
• How many bits make up the effective length of the DES key?
A. 56
B. 64
C. 32
D. 16
• If different keys generate the same cipher text for the same message, what is this called?
A. Collision
B. Secure hashing
C. MAC
D. Key clustering
30. CBK Domain #5
Information Security Governance and Risk Management
• Security management responsibilities
• Difference between administrative,
technical, and physical controls
• Three main security principles
• Confidentiality
• Availability
• Integrity
• Risk management and risk analysis
31. CBK Domain #5 (cont.)
Information Security Governance and Risk Management
• Information Security Standards
• ISO 17799
• ISO 27001
• Security policies
• Information classification
• Security awareness training
32. CBK Domain #5
Information Security Governance and Risk Management
• What are security policies?
A. Step-by-step directions on how to accomplish security tasks
B. General guidelines used to accomplish a specific security level
C. Broad, high-level statements from the management
D. Detailed documents explaining how security incidents should be handled
• Which is the most valuable technique when determining if a specific security control should be implemented?
A. Risk analysis
B. Cost/benefit analysis
C. ALE results
D. Identifying the vulnerabilities and threats causing the risk
33. CBK Domain #6
Legal, Regulations, Investigations and Compliance
• Computer crimes and computer laws
• Criminal law
• Civil law
• Intellectual Property Laws
• Computer crime laws
• Privacy Laws (EU)
• Regulations
• SOX
• HIPAA
• GLBA
• BASEL II
• PCI DSS
• Motives and profiles of attackers
34. CBK Domain #6 (cont.)
Legal, Regulations, Investigations and Compliance
• Computer crime investigation process and evidence collection
• Best evidence
• Secondary evidence
• Circumstantial evidence
• Hearsay evidence
• Incident-handling procedures
• Ethics pertaining to information security professionals and best practices (Code of Ethics)
35. CBK Domain #6
Legal, Regulations, Investigations and Compliance
• Which of the following would be a violation of the (ISC)² Code of Ethics, and could cause the candidate to lose his or her certification?
A. E-mailing information or comments about the exam to other CISSP candidates
B. Submitting comments on the questions of the exam to (ISC)²
C. Submitting comments to the board of directors regarding the test and content of the class
D. Conducting a presentation about the CISSP certification and what the certification means
• Protecting evidence and providing accountability for who handled it at different steps during the investigation is referred to as what?
A. The rule of best evidence
B. Hearsay
C. Evidence safety
D. Chain of custody
36. CBK Domain #7
Operations Security
• Administrative management responsibilities
• Organisational roles
• Separation of duties
• Least privilege
• Operations department responsibilities
• Configuration management
• Trusted recovery states
37. CBK Domain #7 (cont.)
Operations Security
• Redundancy and fault-tolerant systems
• RAID
• Threats to operations security
• DoS
• Man-in-the-middle
• Mail bombing
• War dialing
• Fake login screens
• Teardrop
• Traffic Analysis
38. CBK Domain #7
Operations Security
• Which of the following best describes operations security?
A. Continual vigilance about hacker activity and possible vulnerabilities
B. Enforcing access control and physical security
C. Taking steps to make sure an environment, and the things within it, stay at a certain level of protection
D. Doing strategy planning to develop a secure environment and then implementing it properly
• If sensitive data are stored on a CD-ROM and are no longer needed, which would be the proper way of disposing of the data?
A. Degaussing
B. Erasing
C. Purging
D. Physical destruction
39. CBK Domain #8
Physical (Environmental) Security
• Administrative, technical, and physical controls
• Facility location, construction, and management
• Physical security risks, threats, and countermeasures
• Natural Environmental
• Supply system
• Manmade
• Politically motivated
40. CBK Domain #8 (cont.)
Physical (Environmental) Security
• Electric power issues and countermeasures
• Fire prevention, detection and suppression
• Fire suppression
• Intrusion detection systems
41. CBK Domain #8
Physical (Environmental) Security
• When should a Class C fire extinguisher be used instead of a Class A fire extinguisher?
A. When electrical equipment is on fire
B. When wood and paper are on fire
C. When a combustible liquid is on fire
D. When the fire is in an open area
• Which of the following answers contains a category of controls that does not belong in a physical security program?
A. Deterrence and delaying
B. Response and detection
C. Assessment and detection
D. Delaying and lightning
42. CBK Domain #9
Security Architecture and Design
• Computer hardware and Operating Systems Architecture
• Trusted computing base and security mechanisms
• Hardware
• Software
• Firmware
• Protection mechanisms within an operating system
• Security Perimeter
• Reference Monitor
• Security Kernel
43. CBK Domain #9 (cont.)
Security Architecture and Design
• Security models
• Bell-LaPadula (confidentiality)
• Biba (integrity)
• Clark-Wilson (integrity)
• Systems Evaluation Methods
• Orange Book (TCSEC / Rainbow Series)
• Common Criteria
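The two lattice models named on this slide, Bell-LaPadula for confidentiality and Biba for integrity, as an added example that is not part of the original deck: a small Python reference-monitor check that applies each model's two rules (no read up / no write down for Bell-LaPadula, no read down / no write up for Biba) and fails closed on anything it does not understand. The level names, the subjects and objects, and the request list are constructed for illustration.

```python
# Added example: Bell-LaPadula (confidentiality) and Biba (integrity)
# access decisions as a reference monitor would make them.
# Bell-LaPadula: simple security  = no read up;   *-property           = no write down.
# Biba:          simple integrity = no read down; integrity *-property = no write up.
# Levels, subjects, objects and requests below are constructed sample data.

from dataclasses import dataclass
from typing import List, Tuple

# Ordered lattice of labels (constructed for this example); higher is more sensitive
# under Bell-LaPadula and more trustworthy under Biba.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Subject:
    name: str
    level: str  # clearance (BLP) or integrity level (Biba)


@dataclass(frozen=True)
class Obj:
    name: str
    level: str  # classification (BLP) or integrity level (Biba)


def _rank(label: str) -> int:
    try:
        return LEVELS[label]
    except KeyError:
        raise ValueError(f"unknown label: {label}") from None


def blp_allows(subject: Subject, obj: Obj, mode: str) -> bool:
    """Bell-LaPadula: information may only flow upward in sensitivity."""
    s, o = _rank(subject.level), _rank(obj.level)
    if mode == "read":
        return s >= o  # simple security property: no read up
    if mode == "write":
        return s <= o  # *-property: no write down
    raise ValueError("mode must be 'read' or 'write'")


def biba_allows(subject: Subject, obj: Obj, mode: str) -> bool:
    """Biba: information may only flow downward in integrity (the dual of BLP)."""
    s, o = _rank(subject.level), _rank(obj.level)
    if mode == "read":
        return s <= o  # simple integrity property: no read down
    if mode == "write":
        return s >= o  # integrity *-property: no write up
    raise ValueError("mode must be 'read' or 'write'")


MODELS = {"blp": blp_allows, "biba": biba_allows}


def evaluate(requests: List[Tuple[str, Subject, Obj, str]]) -> List[Tuple[str, str, str, str, str]]:
    """Run each (model, subject, object, mode) request through the named model and
    return (model, subject, object, mode, 'ALLOW'|'DENY') rows. An unknown model,
    mode or label is denied rather than raised: a reference monitor fails closed."""
    decisions = []
    for model, subject, obj, mode in requests:
        check = MODELS.get(model)
        try:
            allowed = bool(check and check(subject, obj, mode))
        except ValueError:
            allowed = False
        decisions.append((model, subject.name, obj.name, mode, "ALLOW" if allowed else "DENY"))
    return decisions


if __name__ == "__main__":
    analyst = Subject("analyst", "secret")
    plan = Obj("war_plan", "top_secret")
    memo = Obj("memo", "confidential")
    sample = [
        ("blp", analyst, plan, "read"),    # DENY: read up
        ("blp", analyst, memo, "write"),   # DENY: write down
        ("blp", analyst, plan, "write"),   # ALLOW: writing up cannot leak
        ("biba", analyst, memo, "read"),   # DENY: read down (less trusted data)
        ("biba", analyst, memo, "write"),  # ALLOW: writing down cannot taint
        ("rbac", analyst, memo, "read"),   # DENY: unknown model fails closed
    ]
    for row in evaluate(sample):
        print(*row)
```

The point the sample requests make is that the two models are mirror images: the same subject writing the same object is denied under Bell-LaPadula (it would move secret data into a confidential file) and allowed under Biba (a more trusted writer cannot lower the file's integrity), which is why a system that needs both properties has to enforce both models at once.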
44. CBK Domain #9
Security Architecture and Design
• What is the best description of a security kernel from a security point of view?
A. Reference monitor
B. Resource manager
C. Memory mapper
D. Security perimeter
• The trusted computing base (TCB) controls which of the following?
A. All trusted processes and software components
B. All trusted security policies and implementation mechanisms
C. All trusted software and design mechanisms
D. All trusted software and hardware components
45. CBK Domain #10
Telecommunications and Network Security
• The OSI model
• TCP/IP and many other protocols
• LAN, WAN, MAN, intranet, and extranet technologies
• Cable types and transmission types
• Communications security management
• Remote access methods and technologies
• Wireless technologies
46. CBK Domain #10
Telecommunications and Network Security
• At what layer does a bridge work?
A. Session
B. Network
C. Transport
D. Data link
• Which of the following proxies cannot make access decisions on protocol commands?
A. Application
B. Packet filtering
C. Circuit
D. Stateful
47. Study Resources
• All-in-one CISSP Exam Guide
(Shon Harris)
• Including CD-ROM
• Free resources on the Net
• cccure.org
• Discussion forums and groups
• Linkedin
• And don’t forget
• Code of ethics found at the
(ISC)² Web site
48. Tips on the way
• Start studying now!
• You will probably need 2-3 months just to
complete the All-in-one exam guide
• Do test exams. Get to know your weakest
domains which will need your attention
before taking the exam.
• Use multiple study resources e.g. books,
eLearning and free test resources on the
net.
• Make sure you have relevant professional
experience
• Prepare for the endorsement process
49. Tips on the way (cont.)
• The exam
• Be physically and mentally prepared for the 6
hours, and bring something to drink.
• Read the exam questions carefully. My personal
favorite is to start by excluding the two least likely
answers and then choose the correct answer from
the remaining two.
• Watch the clock. With 250 questions and 6 hours
maximum exam time you have an average of 90
seconds per question.
• Be aware that the exam still contains questions
that you might think have been outdated in the real
world.
• Take short breaks to stretch and relax.
50. Summary
• Why become a CISSP?
• About (ISC)²
• The Credentialing Process
• The 10 CBK Domains
• Study Resources
• Tips on the way
51. Questions?
Tomas Ericsson, CISSP-ISSAP
Solutions Architect
Mobile: +46 (0) 70 530 45 32
E-mail: tomas.ericsson@vemendo.se
Twitter: @tomas_ericsson