Upload: tomas-ericsson

Post on 14-Jan-2015

Page 1: An introduction to the CISSP certification for self study groups

Vemendo, founded in 1997 with a special eye for the customer's business

An introduction to the CISSP certification for self-study groups

Tomas Ericsson, CISSP-ISSAP

Solutions Architect

Mobile: +46 (0) 70 530 45 32

E-mail: [email protected]

Twitter: @tomas_ericsson

Page 2

Agenda

• Why become a CISSP?

• About (ISC)²

• The Credentialing Process

• The 10 CBK Domains

• Study Resources

• Tips on the way

• Questions and answers

Page 3

Why become a CISSP?

• The world changes with growing needs for security

• Prove that you meet a predefined standard of knowledge and experience

• Broaden your knowledge of security concepts and practices

• Become more marketable in a competitive workforce

• Show your dedication to the security discipline

Page 4

About (ISC)²

• A global not-for-profit organization

• Formed in 1989 – First public certification available in 1995

• Sole purposes – certification and education in information security

• First information security credential accredited by ANSI under ISO/IEC Standard 17024

• Certified thousands of information security practitioners in over twenty-seven countries

International Information Systems Security Certification Consortium

Page 5

(ISC)² Certifications

• CISSP

• Certified Information Systems Security Professional

• CISSP Concentrations

• Information Systems Security Architecture Professional (ISSAP)

• Information Systems Security Engineering Professional (ISSEP)

• Information Systems Security Management Professional (ISSMP)

• CSSLP

• Certified Secure Software Lifecycle Professional

• SSCP

• Systems Security Certified Practitioner

• CAP

• Certified Authorization Professional

Page 6

Number of certified professionals per July 2011*

• CISSP

• In Sweden: 350

• World-Wide: 75 000

• CISSP-ISSAP

• In Sweden: 4

• World-Wide: 998

• CISSP-ISSEP

• In Sweden: 0

• World-Wide: 726

• CISSP-ISSMP

• In Sweden: 4

• World-Wide: 720

*Source: (ISC)² web site member resources.

Page 7

(ISC)² Credentialing Process

• Required Experience

• Minimum of five years full-time working experience in any combination of two of the CBK domains. Four years if holding a bachelor's or master's degree, or another approved certificate.

• Application

• Validating your education and/or experience

• CISSP Examination

• Passing the exam

• Code of Ethics

• Committing to principles and guidelines set forth by (ISC)²

• Endorsement Process

• Attesting to your eligibility requirements

Page 8

Code of Ethics

• Safety of the commonwealth requires that we adhere to the highest ethical standards of behavior

• Therefore, strict adherence to this code is a condition of certification

• Certificate holders will:

• Protect society, the commonwealth, and the infrastructure

• Act honorably, honestly, justly, responsibly and legally

• Provide diligent and competent service to principals

• Advance and protect the profession

Page 9

The Exam

• “An inch deep and a mile wide”

• 250 multiple choice questions

• 25 for research purposes

• Some scenario based

• Up to 6 hours to complete, and a minimum score of 70% to pass (700 out of 1000 points).

• Information Security Concepts

• Vendor and product independent

• Measures habitual knowledge, not skill

• Standard English dictionaries are OK to use

Page 10

The long wait…

• Finally you receive a mail telling you that you have passed the exam (you will not know the score). Congratulations!

• If you fail the exam you will receive a mail with your score. Domains are listed, ranked from weakest to strongest.

• A small sample group of candidates will be audited after passing the exam.

Page 11

The Endorsement Process

• Next step after passing the exam

• Another CISSP (in good standing) verifies that you have the experience you claim to have

• After approval from the (ISC)² board of directors you will receive your certificate.

Page 12

Maintaining your CISSP certificate in good standing

• The CISSP certification is valid for three years

• Remain in good standing by:

• Being compliant with the (ISC)² Code of Ethics

• Earning 120 Continuing Professional Education (CPE) credits during the three-year period

• Paying Annual Maintenance Fees (AMFs)

• This will qualify you for an exam-free recertification

Page 13

How you earn CPE credits

• Attending educational courses or seminars

• Attending security conferences

• Being a member of an association chapter and attending meetings

• Serving on the board of a professional security organization

• Volunteering for government, public-sector and other charitable organizations, including (ISC)² volunteer committees

1 CPE = approx. 1 hour

Page 14

How you earn CPE credits (cont.)

• Completing higher academic courses

• Providing security training

• Publishing security articles or books

• Participating in self-study courses, computer-based training or Web casts

• Reading an information security book or subscribing to an information security magazine

Page 15

Two types of CPE credits

• Group A

• Access Control

• Application Security

• Business Continuity and Disaster Recovery Planning

• Cryptography

• Information Security and Risk Management

• Legal, Regulations, Compliance and Investigations

• Operations Security

• Physical (Environmental) Security

• Security Architecture and Design

• Telecommunications and Network Security

• Group B

• Organizational Behavior

• Strategic Planning

• Programming Languages & Techniques

• Tools and Techniques

• Interpersonal Communications Skills

• Interviewing Techniques

• Development Skills

• Project Management Skills

In a three-year period you need a minimum of 120 credits, of which at least 80 need to be Group A credits.

Page 16

CBK – Common Body of Knowledge

• A collection of topics relevant to information security professionals around the world

• Establishes a common framework of information security terms and principles

• Review Committee consisting of leading information security specialists, educators and practitioners.

• Focuses on confidentiality, integrity and availability (CIA), and attempts to balance the three across ten areas of interest called CBK domains.

Page 17

The 10 CISSP CBK Domains

• Access Control

• Application Development Security

• Business Continuity and Disaster Recovery Planning

• Cryptography

• Information Security Governance and Risk Management

• Legal, Regulations, Investigations and Compliance

• Operations Security

• Physical (Environmental) Security

• Security Architecture and Design

• Telecommunications and Network Security

Page 18

CBK Domain #1: Access Control

• Authentication methods, models, and technologies

• Access Control Models

• Discretionary Access Control (DAC)

• Mandatory Access Control (MAC)

• Non-discretionary Access Control

• Identity Management Solutions

• Directories

• Web Access Management

• Password Management

• SSO

Page 19

CBK Domain #1 (cont.): Access Control

• Intrusion detection systems

• Network vs. Host-based

• Behavior vs. Signature-based

• Threats to access control practices and technologies

• Race condition

• Brute Force

• Dictionary

• Social

• Rainbow tables

• Accountability, monitoring, and auditing practices

Page 20

CBK Domain #1: Access Control

• Which access control method is user-directed?

A. Non-discretionary

B. Mandatory

C. Identity-based

D. Discretionary

• Which item is not part of a Kerberos authentication implementation?

A. Message Authentication Code

B. Ticket granting service

C. Authentication service

D. Users, programs, and services

Page 21

CBK Domain #2: Application Development Security

• Various types of software controls and implementation

• Database concepts and security issues

• Database views

• Aggregation

• Inference

• Software life-cycle development processes

Page 22

CBK Domain #2 (cont.): Application Development Security

Web Security

• Threats

• Safeguards

• Malicious Software

• Viruses

• Worms

• Trojan horses

• Logic bombs

Page 23

CBK Domain #2: Application Development Security

• Which of the following replicates itself by attaching to other programs?

A. A worm

B. A virus

C. A Trojan horse

D. Malware

• Database views provide what type of security control?

A. Detective

B. Corrective

C. Preventive

D. Administrative

Page 24

CBK Domain #3: Business Continuity and Disaster Recovery Planning

• Project initiation steps

• Business Impact Analysis (BIA)

• Recovery strategy

• Recovery plan

• Implementing, testing and maintaining the plan

• Recovery and continuity planning requirements

• Backup alternatives

• Full backup

• Incremental

• Differential

Page 25

CBK Domain #3 (cont.): Business Continuity and Disaster Recovery Planning

• Backup and offsite facilities

• Hot

• Warm

• Cold

• Reciprocal agreements

• Offsite backups

• Remote journaling

• Electronic vaulting

• Types of drills and tests

• Walk through

• Checklist

• Simulation

• Full Interruption

Page 26

CBK Domain #3: Business Continuity and Disaster Recovery Planning

• What is one of the first steps in developing a business continuity plan?

A. Identify backup solution

B. Decide whether the company needs to perform a walk-through, parallel, or simulation test

C. Perform a business impact analysis

D. Develop a business resumption plan

• Which best describes a hot-site facility versus a warm- or cold-site facility?

A. A site that has disk drives, controllers, and tape drives

B. A site that has all necessary PCs, servers, and telecommunications

C. A site that has wiring, central air, and raised flooring

D. A mobile site that can be brought to the company’s parking lot

Page 27

CBK Domain #4: Cryptography

• History of cryptography

• Cryptography components and their relationships

• Government involvement in cryptography

• Symmetric and asymmetric key algorithms

• Public key infrastructure (PKI) concepts and mechanisms

• Digital Signatures

• Certificates

• Certificate Authority (CA)

• Registration Authority (RA)

Page 28

CBK Domain #4 (cont.): Cryptography

• Hashing algorithms and uses

• MD2, MD4, MD5

• SHA-1, SHA-2

• Types of attacks on cryptosystems

• Cipher attack

• Cryptanalysis

• Known-Plaintext

• Replay

• …and more

Page 29

CBK Domain #4: Cryptography

• How many bits make up the effective length of the DES key?

A. 56

B. 64

C. 32

D. 16

• If different keys generate the same cipher text for the same message, what is this called?

A. Collision

B. Secure hashing

C. MAC

D. Key clustering

Page 30

CBK Domain #5: Information Security Governance and Risk Management

• Security management responsibilities

• Difference between administrative, technical, and physical controls

• Three main security principles

• Confidentiality

• Availability

• Integrity

• Risk management and risk analysis

Page 31

CBK Domain #5 (cont.): Information Security Governance and Risk Management

• Information Security Standards

• ISO 17799

• ISO 27001

• Security policies

• Information classification

• Security awareness training

Page 32

CBK Domain #5: Information Security Governance and Risk Management

• What are security policies?

A. Step-by-step directions on how to accomplish security tasks

B. General guidelines used to accomplish a specific security level

C. Broad, high-level statements from the management

D. Detailed documents explaining how security incidents should be handled

• Which is the most valuable technique when determining if a specific security control should be implemented?

A. Risk analysis

B. Cost/benefit analysis

C. ALE results

D. Identifying the vulnerabilities and threats causing the risk

Page 33

CBK Domain #6: Legal, Regulations, Investigations and Compliance

• Computer crimes and computer laws

• Criminal law

• Civil law

• Intellectual Property Laws

• Computer crime laws

• Privacy Laws (EU)

• Regulations

• SOX

• HIPAA

• GLBA

• BASEL II

• PCI DSS

• Motives and profiles of attackers

Page 34

CBK Domain #6 (cont.): Legal, Regulations, Investigations and Compliance

• Computer crime investigation process and evidence collection

• Best evidence

• Secondary evidence

• Circumstantial evidence

• Hearsay evidence

• Incident-handling procedures

• Ethics pertaining to information security professionals and best practices (Code of Ethics)

Page 35

CBK Domain #6: Legal, Regulations, Investigations and Compliance

• Which of the following would be a violation of the (ISC)² Code of Ethics, and could cause the candidate to lose his or her certification?

A. E-mailing information or comments about the exam to other CISSP candidates

B. Submitting comments on the questions of the exam to (ISC)²

C. Submitting comments to the board of directors regarding the test and content of the class

D. Conducting a presentation about the CISSP certification and what the certification means

• Protecting evidence and providing accountability for who handled it at different steps during the investigation is referred to as what?

A. The rule of best evidence

B. Hearsay

C. Evidence safety

D. Chain of custody

Page 36

CBK Domain #7: Operations Security

• Administrative management responsibilities

• Organisational roles

• Separation of duties

• Least privilege

• Operations department responsibilities

• Configuration management

• Trusted recovery states

Page 37

CBK Domain #7 (cont.): Operations Security

• Redundancy and fault-tolerant systems

• RAID

• Threats to operations security

• DoS

• Man-in-the-middle

• Mail bombing

• War dialing

• Fake login screens

• Teardrop

• Traffic Analysis

Page 38

CBK Domain #7: Operations Security

• Which of the following best describes operations security?

A. Continual vigilance about hacker activity and possible vulnerabilities

B. Enforcing access control and physical security

C. Taking steps to make sure an environment, and the things within it, stay at a certain level of protection

D. Doing strategy planning to develop a secure environment and then implementing it properly

• If sensitive data are stored on a CD-ROM and are no longer needed, which would be the proper way of disposing of the data?

A. Degaussing

B. Erasing

C. Purging

D. Physical destruction

Page 39

CBK Domain #8: Physical (Environmental) Security

• Administrative, technical, and physical controls

• Facility location, construction, and management

• Physical security risks, threats, and countermeasures

• Natural Environmental

• Supply system

• Manmade

• Politically motivated

Page 40

CBK Domain #8 (cont.): Physical (Environmental) Security

• Electric power issues and countermeasures

• Fire prevention, detection and suppression

• Fire suppression

• Intrusion detection systems

Page 41

CBK Domain #8: Physical (Environmental) Security

• When should a Class C fire extinguisher be used instead of a Class A fire extinguisher?

A. When electrical equipment is on fire

B. When wood and paper are on fire

C. When a combustible liquid is on fire

D. When the fire is in an open area

• Which of the following answers contains a category of controls that does not belong in a physical security program?

A. Deterrence and delaying

B. Response and detection

C. Assessment and detection

D. Delaying and lighting

Page 42

CBK Domain #9: Security Architecture and Design

• Computer hardware and Operating Systems Architecture

• Trusted computing base and security mechanisms

• Hardware

• Software

• Firmware

• Protection mechanisms within an operating system

• Security Perimeter

• Reference Monitor

• Security Kernel

Page 43

CBK Domain #9 (cont.): Security Architecture and Design

• Security models

• Bell-LaPadula (confidentiality)

• Biba (Integrity)

• Clark Wilson (Integrity)

• Systems Evaluation Methods

• Orange book (TCSEC/ Rainbow series)

• Common Criteria

Page 44

CBK Domain #9: Security Architecture and Design

• What is the best description of a security kernel from a security point of view?

A. Reference monitor

B. Resource manager

C. Memory mapper

D. Security perimeter

• The trusted computing base (TCB) controls which of the following?

A. All trusted processes and software components

B. All trusted security policies and implementation mechanisms

C. All trusted software and design mechanisms

D. All trusted software and hardware components

Page 45

CBK Domain #10: Telecommunications and Network Security

• The OSI model

• TCP/IP and many other protocols

• LAN, WAN, MAN, intranet, and extranet technologies

• Cable types and transmission types

• Communications security management

• Remote access methods and technologies

• Wireless technologies

Page 46

CBK Domain #10: Telecommunications and Network Security

• At what layer does a bridge work?

A. Session

B. Network

C. Transport

D. Data link

• Which of the following proxies cannot make access decisions on protocol commands?

A. Application

B. Packet filtering

C. Circuit

D. Stateful

Page 47

Study Resources

• All-in-one CISSP Exam Guide (Shon Harris)

• Including CD-ROM

• Free resources on the Net

• cccure.org

• Discussion forums and groups

• LinkedIn

• And don’t forget

• Code of Ethics found at the (ISC)² Web site

Page 48

Tips on the way

• Start studying now!

• You will probably need 2-3 months just to complete the All-in-one exam guide

• Do test exams. Get to know your weakest domains, which will need your attention before taking the exam.

• Use multiple study resources, e.g. books, eLearning and free test resources on the net.

• Make sure you have relevant professional experience

• Prepare for the endorsement process

Page 49

Tips on the way (cont.)

• The exam

• Be physically and mentally prepared for the 6 hours, and bring something to drink.

• Read the exam questions carefully; my personal favorite is to start by excluding the two least likely answers and then choose the correct answer from the remaining two.

• Watch the clock. With 250 questions and 6 hours maximum exam time you have an average of 90 seconds per question.

• Be aware that the exam still contains questions that you might think have become outdated in the real world.

• Take short breaks to stretch and relax.

Page 50

Summary

• Why become a CISSP?

• About (ISC)²

• The Credentialing Process

• The 10 CBK Domains

• Study Resources

• Tips on the way

Page 51

Questions?

Tomas Ericsson, CISSP-ISSAP

Solutions Architect

Mobile: +46 (0) 70 530 45 32

E-mail: [email protected]

Twitter: @tomas_ericsson