Certified Information Systems Security Professional Training (CISSP) - Mantesh (Size: 8.51 GB)
Description

Domain 1 - Information Security and Risk Management

Information Security and Risk Management Mainframe Days In the Good Old Days – Who Knew? Today’s Environment Security Definitions Vulnerabilities Examples of Some Vulnerabilities that Are Not Always Obvious Risk – What Does It Really Mean? Relationships Who Deals with Risk? Overall Business Risk Who? AIC Triad Availability Integrity Confidentiality Who Is Watching? Social Engineering What Security People Are Really Thinking Security Concepts Security? The Bad Guys Are Motivated If Not Obscurity – Then What? Open Standards Common Open Standards Without Standards “Soft” Controls Logical Controls Physical Controls Are There Gaps? Understanding Drivers Holistic Security Not Always So Easy What Is First? Different Types of Law How Is Liability Determined? Examples of Due Diligence Examples of Due Care Prudent Person Rule Prudent Person Taking the Right Steps Regulations Why Do We Need Regulations? Risk Management Why Is Risk Management Difficult? Necessary Level of Protection Is Different for Each Organization Security Team/Committee Risk Management Process Planning Stage – Team Analysis Paralysis Planning Stage – Scope Planning Stage – Analysis Method Risk Management Tools Defining Acceptable Levels Acceptable Risk Level Collecting and Analyzing Data Methods What Is a Company Asset? Data Collection – Identify Assets Data Collection – Assigning Values Asset Value Data Collection – Identify Threats Data Collection – Calculate Risks Scenario Based – Qualitative Risk Approach Qualitative Analysis Steps Want Real Answers? Qualitative Risk Analysis Ratings Qualitative Risks Quantitative Analysis Steps Quantitative Analysis How Often Will This Happen? ARO Values and Their Meaning Calculate ALE ALE Value Uses Relationships Calculate Risks – ALE Example Your Turn! ALE Calculation Can a Purely Quantitative Analysis Be Accomplished?

Risk Types Examples of Types of Losses Delayed Loss Cost/Benefit Analysis Cost of a Countermeasure Cost/Benefit Analysis Countermeasure Criteria Calculating Cost/Benefit Controls Control Selection Requirements Quantitative Analysis Quantitative Analysis Disadvantages Qualitative Analysis Approach Qualitative Analysis Disadvantages Can You Get Rid of All Risk? Calculating Residual Risk Uncertainty Analysis Dealing with Risk Management’s Response to Identified Risks Risk Acceptance Risk Analysis Process Summary Components of Security Program A Layered Approach In Security, You Never Want Any Surprises Building Foundation Security Roadmap Functional and Assurance Requirements Building Foundation Most Organizations Silo Security Structure Islands of Security Needs and Tools Get Out of a Silo Approach Security Is a Process Approach to Security Management Result of Battling Management Industry Best Practices Standards ISO/IEC 17799 Pieces and Parts Numbering New ISO Standards COBIT Inside of COBIT COBIT – Control Objectives Measurements Information Technology Infrastructure Library Security Governance Security Program Components Policy Framework Policy Types Organizational Policy Policy Approved – Now What? Issue-Specific Policies ASP Policy Example System-Specific Policies Standards Standard Example Baseline Data Collection for Metrics Guidelines Procedures Tying Them Together Program Support Entity Relationships Senior Management’s Role Security Roles Custodian Auditor Access Information Classification Information Classification Program Data Leakage Do You Want to End Up in the News? Types of Classification Levels Data Protection Levels Classification Program Steps Information Classification Components Procedures and Guidelines Classification Levels Information Classification Criteria Criteria Example Or Not Information Owner Requirements Clearly Labeled Testing Classification Program Who Is Always Causing Problems?

Employee Management Employee Position and Management Hiring and Firing Issues A Few More Items Unfriendly Termination Security Awareness and Training Training Characteristics Awareness Security Enforcement Issues Answer This Question Domain 1 Review

Domain 2 - Access Control

Domain Objectives Agenda 1 Definitions Access Control Mechanism Examples Technical Controls Administrative Controls Access Control Characteristics Preventive Controls Preventive - Administrative Controls Preventive – Physical Controls Preventive - Technical Controls Control Combinations Detective - Administrative Control Detective Examples Administrating Access Control OS, Application, Database Administrating Access Control Authorization Creep Accountability and Access Control Trusted Path Fake Login Pages Look Convincing Who Are You? Identification Issues Authentication Mechanisms Characteristics Strong Authentication Fraud Controls Internal Control Tool: Separation of Duties Authentication Mechanisms in Use Today Biometrics Technology Biometric Devices Example Verification Steps What a Person Is Why Use Biometrics? Biometric Type Identification or Authentication? Iris Sampling Iris Finger Scan Hand Geometry Facial Recognition Comparison Biometrics Verification Issues Downfalls to Biometric Use Biometrics Error Types Crossover Error Rate Biometric System Types Passwords Password Generators Password “Shoulds” Support Issues Password Attacks Attack Steps Many Tools to Break Your Password Rainbow Table Passwords Should NOT Contain… What’s Left?

Countermeasures for Password Cracking Cognitive Passwords One-Time Password Authentication Synchronous Token One Type of Solution Synchronous Steps Administrator Configures Challenge Response Authentication Asynchronous Token Device Asynchronous Steps Challenge Response Authentication Cryptographic Keys Passphrase Authentication Key Protection Memory Cards Memory Card Characteristics Smart Card Characteristics Card Types Smart Card Attacks Software Attack Side Channel Attack Side Channel Data Collection Microprobing Identity Management How Are These Entities Controlled? Some Current Issues Management Typical Chaos Different Identities Identity Management Technologies Directory Component Enterprise Directory Directory Responsibilities Authoritative Sources Meta Directory Directory Interactions Web Access Management Web Access Password Management Legacy Single Sign-On Account Management Systems Provisioning Component Provisioning Not Just Computers Profile Update Working Together Enterprise Directory Identity Management Solution Components Right for Your Company What you need to know Federated Identity Identity Theft Fake Login Tools How Do These Attacks Work? Attempts to Get Your Credentials How Do These Work? Instructional Emails Knowing What You Are Disposing of Is Important Other Examples Another Danger to Be Aware of… Spyware Is Someone Watching You? What Does This Have to Do with My Computer?

Sometimes You Know that Software Is Installing on Your System New Spyware Is Being Identified Every Week Spyware Comes in Many Different Forms How to Prevent Spyware Different Technologies Single Sign-on Technology Single Sign-on Directory Services as a Single Sign-on Technology Active Directory Some Technologies Can Combine Services Security Domain Domains of Trust Domain Illustration Thin Clients Example Kerberos as a Single Sign-on Technology Kerberos Components Working Together Pieces and Parts More Components of Kerberos KDC Components Kerberos Steps Tickets Ticket Components Authenticators Steps of Validation Kerberos Security Why Go Through All of this Trouble? Issues Pertaining to Kerberos Kerberos Issues SESAME as a Single Sign-on Technology SESAME Steps for Authentication Combo Models for Access Access Control Models Discretionary Access Control Model ACL Access File Permissions Enforcing a DAC Policy Security Issues Mandatory Access Control Model MAC Enforcement Mechanism – Labels Formal Model Software and Hardware Software and Hardware Guards Where Are They Used? SELinux MAC Versus DAC Role-Based Access Control RBAC Hierarchy RBAC and SoD Acquiring Rights and Permissions Rule-Based Access Control Firewall Example Access Control Matrix Capability Tables User Capability Tables Temporal Access Control Access Control Administration Access Control Methods Centralized Approach Remote Centralized Administration RADIUS RADIUS Steps RADIUS Characteristics TACACS+ Characteristics Diameter Characteristics Diameter Protocol Mobile IP Diameter Architecture Two Pieces AVP Decentralized Access Control Administration Controlling Access to Sensitive Data Protecting Access to System Logs Accountability = Auditing Events Agenda 2 IDS IDS Steps Network IDS Sensors Host IDS Combination Types of IDSs Signature-Based Example Behavior-Based IDS Statistical Anomaly Statistical IDS Protocol Anomaly What Is a Protocol Anomaly?

Protocol Anomaly Issues Traffic Anomaly IDS Response Mechanisms Responses to Attacks IDS Issues Intrusion Prevention System Differences Vulnerable IDS Trapping an Intruder Domain 2 Review

Domain 3 - Cryptography

Objectives Services Provided by Cryptography Cryptographic Definitions Cipher Cryptanalysis A Few More Definitions Need Some More Definitions? Now This Would be Hard Work Symmetric Cryptography – Use of Secret Keys Historical Uses of Symmetric Cryptography – Hieroglyphics Scytale Cipher Substitution Ciphers Simple Substitution Cipher Atbash Simple Substitution Cipher Caesar Cipher Caesar Cipher Example Simple Substitution Cipher ROT13 Historical Uses Polyalphabetic Cipher – Vigenere Cipher Polyalphabetic Substitution Vigenere Algorithm Enigma Machine U-Boats had Enigma Machines Code Book Historical Uses of Symmetric Cryptography – Running Key and Concealment Agenda 1 Transposition Ciphers Key and Algorithm Relationship Does Size Really Matter? It Does with Key Sizes Key space Ways of Breaking Cryptosystems – Brute Force Brute Force Components Ways of Breaking Cryptosystems – Frequency Analysis Strength of a Cryptosystem Do You Know What You are Doing? Developing Cryptographic Solutions In-House Characteristics of Strong Algorithms Open or Closed More Secure? Agenda 2 Types of Ciphers Used Today Type of Symmetric Cipher – Block Cipher S-Boxes Used in Block Ciphers Binary Mathematical Function 1 Type of Symmetric Cipher – Stream Cipher Symmetric Characteristics Initialization Vectors Security Holes Strength of a Stream Cipher Let’s Dive in Deeper Symmetric Key Cryptography Out-of-Band Transmission Symmetric Key Management Issue Symmetric Algorithm Examples Symmetric Downfalls Why?

Asymmetric Cryptography Key Functions Public Key Cryptography Advantages Asymmetric Algorithm Disadvantages Confusing Names Symmetric versus Asymmetric Asymmetric Algorithm Examples Questions 1 When to Use Which Key Using the Algorithm Types Together Encryption Steps Receiver's Public Key Is Used to Encrypt the Symmetric Key Receiver’s Private Key Is Used to Decrypt the Symmetric Key Digital Envelope E-mail Security Secret versus Session Keys Asymmetric Algorithms We Will Dive Into Asymmetric Algorithm – Diffie-Hellman Diffie-Hellman Key Agreement Schemes Asymmetric Algorithm – RSA Factoring Large Numbers RSA Operations RSA Key Size El Gamal ECC ECC Benefits Asymmetric Mathematics Asymmetric Security Mathematics Symmetric Ciphers We Will Dive Into Symmetric Algorithms – DES Block Cipher Double DES Evolution of DES Modes of 3DES Encryption Modes Block Cipher Modes – CBC IV and CBC CBC Example Different Modes of Block Ciphers – ECB ECB versus CBC Block Cipher Modes – CFB and OFB CFB and OFB Modes Counter Mode Modes Summary Symmetric Cipher – AES IDEA RC4 RC5 Agenda 3 Data Integrity Hashing Steps Protecting the Integrity of Data Hashing Algorithms Data Integrity Mechanisms Hashing Strength Question 1 Weakness in Using Only Hash Algorithms More Protection in Data Integrity MAC HMAC – Sender HMAC – Receiver Another Look What Services Authentication Types CBC-MAC MAC Using Block Ciphers Integrity? What Services? Question 2 Digital Signatures One More Look 1 U.S. Government Standard What is… Not Giving up the Farm Zero Knowledge Proof Message Integrity Controls Security Issues in Hashing Example of a Birthday Attack Birthday Attack Issues Key Management Key Backup Key Management (Cont.) Key Usage Cryptoperiod M-of-N Key Types Agenda 4 Why Do We Need a PKI?

PKI and Its Components Components of PKI PKI PKI Steps RA Roles CA Let’s Walk Through an Example Digital Certificates Certificate Signing the Certificate Verifying the Certificate Trusted CA’s Non-Trusted CA One More Look 2 What Do You Do with a Certificate? Components of PKI, Repository, and CRLs Revoked? CRL Process Different Uses for Certificates Lifecycle of a Certificate Cross Certification PKI and Trust Agenda 5 Historical Uses of Symmetric Cryptography – Vernam Cipher Binary Mathematical Function 2 One-Time Pad in Action One-Time Pad Characteristics Steganography Steganography Utilities Digital Watermarking Link versus End-to-End Encryption End-to-End Encryption Encryption Location Email Standards You Decide Non-Hierarchical Secure Protocols SSL Connection Setup Example - SSL Validating Certificate Secure Protocols (Cont.) SSL and the OSI Model E-Commerce How Are You Doing? Hard the First Times Through Secure Email Standard Agenda 6 Network Layer Protection IPSec Key Management IPSec Handshaking Process VPN Establishment SAs in Use Key Issues Within IPSec Configuration of SA Parameters IPSec Configuration Options IPSec Is a Suite of Protocols AH and ESP Modes IPSec Modes of Operation VPN Establishment (Cont.)

Review Questions 2 Attack Types Attacks on Cryptosystems Known-Plaintext Attack Chosen-Plaintext Attack Chosen-Ciphertext Attack Adaptive Attacks Side Channel Attacks Domain 3 Review

Domain 4 - Physical Security

Objectives Physical Security – Threats Different Types of Threats Categories of Threats Wake Up Call Not Just Hacking Number One Priority Legal Issues Planning Phase Physical Security Program Goals Measurable Results Planning Process Risk Assessment Needs to be Carried Out Deterrence Deterrence Options Delay Another Delay Approach Layered Defense Model Layers of Defense Detection Assessment Response Weak Link in the Chain Part of the Overall Security Program Controls with the Same Goals Agenda 1 Threat Categories Crime Prevention through Environmental Design Crux of Approach Protection Built In CPTED Examples Natural Access Control Access Control CPTED Main Strategies Target Hardening Access Barriers Facility Site Selection Urban Camouflage Facility Construction Earthquake Protection Construction Materials Rebar Encased in Concrete Pentagon with Reinforcements Fire Resistance Walls Data Center Data Center Protection Designing a Secure Site Levels of Protection Door Types Hollow-Core Doors Solid Core Doors Bullet Proof Door Door Component Door Lock Types Window Types Controlling Access Sensitive Areas Possible Threats Security Zones Various Sensors Lock Types Controlling Keys Smart Locks Lock Picking Entry Access Control Facility Access Wireless Proximity Devices Device Types Piggybacking Entrance Protection Mantraps Door Configurations External Boundary Protection Perimeter Protection – Fencing Detection Fencing Detecting Intruders Fencing Characteristics Fencing Issues Gates What Level of Protection is Needed?

Bollards Perimeter Protection – Lighting Properly Laid Out Lighting Issues Perimeter Security – Security Guards Guard Tasks Security Guards Monitoring Level of Detail that is Required CCTV Items to Consider about CCTVs CCTV Components CCTV Lens Types CCTV Components (Cont.) Agenda 2 Types of Physical Intrusion