An introduction to the CISSP certification for self study groups


Published in: Education, Technology

1. An introduction to the CISSP certification for self-study groups
   Tomas Ericsson, CISSP-ISSAP, Solutions Architect
   Mobile: +46 (0) 70 530 45 32
   E-mail: tomas.ericsson@vemendo.se
   Twitter: @tomas_ericsson
   vemendo, founded 1997, with a special eye for the customer's business

2. Agenda
   • Why become a CISSP?
   • About (ISC)²
   • The Credentialing Process
   • The 10 CBK Domains
   • Study Resources
   • Tips on the way
   • Questions and answers

3. Why become a CISSP?
   • The world changes, with growing needs for security
   • Prove that you meet a predefined standard of knowledge and experience
   • Broaden your knowledge of security concepts and practices
   • Become more marketable in a competitive workforce
   • Show your dedication to the security discipline

4. About (ISC)²
   • International Information Systems Security Certification Consortium
   • A global not-for-profit organization
   • Formed in 1989; first public certification available in 1995
   • Sole purposes: certification and education in information security
   • First information security credential accredited by ANSI to ISO/IEC Standard 17024
   • Has certified thousands of information security practitioners in over twenty-seven countries

5. (ISC)² Certifications
   • CISSP: Certified Information Systems Security Professional
   • CISSP Concentrations
     • Information Systems Security Architecture Professional (ISSAP)
     • Information Systems Security Engineering Professional (ISSEP)
     • Information Systems Security Management Professional (ISSMP)
   • CSSLP: Certified Secure Software Lifecycle Professional
   • SSCP: Systems Security Certified Practitioner
   • CAP: Certified Authorization Professional

6. Number of certified professionals as of July 2011*
   • CISSP: Sweden 350, world-wide 75,000
   • CISSP-ISSAP: Sweden 4, world-wide 998
   • CISSP-ISSEP: Sweden 0, world-wide 726
   • CISSP-ISSMP: Sweden 4, world-wide 720
   *Source: (ISC)² web site, member resources.

7. (ISC)² Credentialing Process
   • Required experience: a minimum of five years of full-time work experience in two or more of the CBK domains; four years if you hold a bachelor's or master's degree, or another approved certificate
   • Application: validating your education and/or experience
   • CISSP examination: passing the exam
   • Code of Ethics: committing to the principles and guidelines set forth by (ISC)²
   • Endorsement process: attesting to your eligibility requirements

8. Code of Ethics
   • The safety of the commonwealth requires that we adhere to the highest ethical standards of behavior
   • Therefore, strict adherence to this code is a condition of certification
   • Certificate holders will:
     • Protect society, the commonwealth, and the infrastructure
     • Act honorably, honestly, justly, responsibly and legally
     • Provide diligent and competent service to principals
     • Advance and protect the profession

9. The Exam
   • "An inch deep and a mile wide"
   • 250 multiple-choice questions, of which 25 are unscored research questions; some are scenario based
   • Up to 6 hours to complete; a minimum score of 70% to pass (700 out of 1000 points)
   • Information security concepts, vendor and product independent
   • Measures habitual knowledge, not skill
   • Standard English dictionaries are OK to use

10. The long wait…
   • Finally you receive an e-mail telling you that you have passed the exam (you will not be told your score). Congratulations!
   • If you fail the exam you receive an e-mail with your score; the domains are listed ranked from your weakest to your strongest.
   • A small sample of candidates is audited after passing the exam.

11. The Endorsement Process
   • The next step after passing the exam
   • Another CISSP (in good standing) verifies that you have the experience you claim to have
   • After approval from the (ISC)² board of directors you receive your certificate

12. Maintaining your CISSP certificate in good standing
   • The CISSP certification is valid for three years
   • Remain in good standing by:
     • Complying with the (ISC)² Code of Ethics
     • Earning 120 Continuing Professional Education credits (CPEs) during the three-year period
     • Paying the Annual Maintenance Fees (AMFs)
   • This qualifies you for an exam-free recertification

13. How you earn CPE credits (1 CPE ≈ 1 hour)
   • Attending educational courses or seminars
   • Attending security conferences
   • Being a member of an association chapter and attending meetings
   • Serving on the board of a professional security organization
   • Volunteering for government, public-sector and other charitable organizations, including (ISC)² volunteer committees

14. How you earn CPE credits (cont.)
   • Completing higher academic courses
   • Providing security training
   • Publishing security articles or books
   • Participating in self-study courses, computer-based training or webcasts
   • Reading an information security book or subscribing to an information security magazine

15. Two types of CPE credits
   • Group A (security domains)
     • Access Control
     • Application Security
     • Business Continuity and Disaster Recovery Planning
     • Cryptography
     • Information Security and Risk Management
     • Legal, Regulations, Compliance and Investigations
     • Operations Security
     • Physical (Environmental) Security
     • Security Architecture and Design
     • Telecommunications and Network Security
   • Group B (general professional development)
     • Organizational Behavior
     • Strategic Planning
     • Programming Languages & Techniques
     • Tools and Techniques
     • Interpersonal Communications Skills
     • Interviewing Techniques
     • Development Skills
     • Project Management Skills
   • In a three-year period you need a minimum of 120 credits, of which at least 80 must be Group A credits.

16. CBK – Common Body of Knowledge
   • A collection of topics relevant to information security professionals around the world
   • Establishes a common framework of information security terms and principles
   • Maintained by a review committee of leading information security specialists, educators and practitioners
   • Focuses on confidentiality, integrity and availability (CIA) and attempts to balance the three across ten areas of interest called CBK domains

17. The 10 CISSP CBK Domains
   • Access Control
   • Application Development Security
   • Business Continuity and Disaster Recovery Planning
   • Cryptography
   • Information Security Governance and Risk Management
   • Legal, Regulations, Investigations and Compliance
   • Operations Security
   • Physical (Environmental) Security
   • Security Architecture and Design
   • Telecommunications and Network Security

18. CBK Domain #1: Access Control
   • Authentication methods, models, and technologies
   • Access control models
     • Discretionary Access Control (DAC)
     • Mandatory Access Control (MAC)
     • Non-discretionary access control
   • Identity management solutions
     • Directories
     • Web access management
     • Password management
     • Single sign-on (SSO)

19. CBK Domain #1 (cont.): Access Control
   • Intrusion detection systems
     • Network- vs. host-based
     • Behavior- vs. signature-based
   • Threats to access control practices and technologies
     • Race condition
     • Brute force
     • Dictionary
     • Social engineering
     • Rainbow tables
   • Accountability, monitoring, and auditing practices

20. CBK Domain #1: Access Control (sample questions)
   • Which access control method is user-directed?
     A. Non-discretionary  B. Mandatory  C. Identity-based  D. Discretionary
   • Which item is not part of a Kerberos authentication implementation?
     A. Message Authentication Code  B. Ticket granting service  C. Authentication service  D. Users, programs, and services

21. CBK Domain #2: Application Development Security
   • Various types of software controls and their implementation
   • Database concepts and security issues
     • Database views
     • Aggregation
     • Inference
   • Software development life-cycle processes

22. CBK Domain #2 (cont.): Application Development Security
   • Web security
     • Threats
     • Safeguards
   • Malicious software
     • Viruses
     • Worms
     • Trojan horses
     • Logic bombs

23. CBK Domain #2: Application Development Security (sample questions)
   • Which of the following replicates itself by attaching to other programs?
     A. A worm  B. A virus  C. A Trojan horse  D. Malware
   • Database views provide what type of security control?
     A. Detective  B. Corrective  C. Preventive  D. Administrative

24. CBK Domain #3: Business Continuity and Disaster Recovery Planning
   • Project initiation steps
   • Business Impact Analysis (BIA)
   • Recovery strategy
   • Recovery plan
   • Implementing, testing and maintaining the plan
   • Recovery and continuity planning requirements
   • Backup alternatives
     • Full backup
     • Incremental
     • Differential

25. CBK Domain #3 (cont.): Business Continuity and Disaster Recovery Planning
   • Backup and offsite facilities
     • Hot
     • Warm
     • Cold
     • Reciprocal agreements
   • Offsite backups
     • Remote journaling
     • Electronic vaulting
   • Types of drills and tests
     • Walk-through
     • Checklist
     • Simulation
     • Full interruption

26. CBK Domain #3: Business Continuity and Disaster Recovery Planning (sample questions)
   • What is one of the first steps in developing a business continuity plan?
     A. Identify a backup solution
     B. Decide whether the company needs to perform a walk-through, parallel, or simulation test
     C. Perform a business impact analysis
     D. Develop a business resumption plan
   • Which best describes a hot-site facility versus a warm- or cold-site facility?
     A. A site that has disk drives, controllers, and tape drives
     B. A site that has all necessary PCs, servers, and telecommunications
     C. A site that has wiring, central air, and raised flooring
     D. A mobile site that can be brought to the company's parking lot
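The three backup alternatives listed under Domain #3 (full, incremental, differential) differ in what each nightly run captures and in how many backup sets a restore must replay. The Python script below is an added example for the study group, not material from the original slides or from (ISC)²: it runs a full+incremental and a full+differential schedule over a constructed three-file history and works out the restore chain for each. The file names, dates and the `BackupSet` class are illustrative assumptions.

```python
"""Added example (not from the original slides): simulate full, incremental
and differential backups over a constructed file history and work out the
restore chain each strategy needs. Names and dates are illustrative."""
from datetime import datetime, timedelta


def changed_since(mtimes, since):
    """Files whose modification time is newer than `since` (the 'archive bit' view)."""
    return sorted(name for name, when in mtimes.items() if since is None or when > since)


class BackupSet:
    """Keeps the history of runs; `run` decides what a backup of each kind captures."""

    def __init__(self):
        self.runs = []          # (kind, time, captured files)
        self.last_full = None   # base for a differential
        self.last_any = None    # base for an incremental (last backup of any kind)

    def run(self, kind, now, mtimes):
        if kind == "full":
            captured = sorted(mtimes)                          # everything
            self.last_full = now
        elif kind == "incremental":
            captured = changed_since(mtimes, self.last_any)    # changed since the last backup of any kind
        elif kind == "differential":
            captured = changed_since(mtimes, self.last_full)   # changed since the last full backup
        else:
            raise ValueError(kind)
        self.last_any = now
        self.runs.append((kind, now, captured))
        return captured

    def restore_chain(self):
        """Kinds of the runs to apply, in order, to recover the latest state."""
        full_idx = max(i for i, (kind, _, _) in enumerate(self.runs) if kind == "full")
        chain = [full_idx]
        for i in range(full_idx + 1, len(self.runs)):
            if self.runs[i][0] == "differential":
                chain = [full_idx, i]    # a differential supersedes everything since the full
            else:
                chain.append(i)          # every incremental is needed
        return [self.runs[i][0] for i in chain]


def simulate(schedule):
    """Run `schedule` (one backup kind per day) against a constructed history:
    files a, b and c exist on day 0; b is edited on day 1, c on day 2, a on day 3."""
    t0 = datetime(2011, 7, 1)
    mtimes = {"a": t0, "b": t0, "c": t0}
    edits = {1: "b", 2: "c", 3: "a"}
    backups = BackupSet()
    captured = []
    for day, kind in enumerate(schedule):
        if day in edits:
            mtimes[edits[day]] = t0 + timedelta(days=day, hours=10)   # edited during the day
        captured.append(backups.run(kind, t0 + timedelta(days=day, hours=22), mtimes))  # nightly run
    return captured, backups.restore_chain()


if __name__ == "__main__":
    for plan in (["full", "incremental", "incremental", "incremental"],
                 ["full", "differential", "differential", "differential"]):
        runs, chain = simulate(plan)
        print(plan[1], "captured per night:", runs, "| restore needs:", chain)
```

Running it shows the trade-off the exam expects you to know: the incremental schedule captures only one file per night but a restore must replay the full backup plus every incremental, while the differential schedule grows each night and a restore needs only the full backup plus the latest differential.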
27. CBK Domain #4: Cryptography
   • History of cryptography
   • Cryptography components and their relationships
   • Government involvement in cryptography
   • Symmetric and asymmetric key algorithms
   • Public key infrastructure (PKI) concepts and mechanisms
     • Digital signatures
     • Certificates
     • Certificate Authority (CA)
     • Registration Authority (RA)

28. CBK Domain #4 (cont.): Cryptography
   • Hashing algorithms and their uses
     • MD2, MD4, MD5
     • SHA-1, SHA-2
   • Types of attacks on cryptosystems
     • Ciphertext-only attack
     • Cryptanalysis
     • Known-plaintext
     • Replay
     • …and more

29. CBK Domain #4: Cryptography (sample questions)
   • How many bits make up the effective length of the DES key?
     A. 56  B. 64  C. 32  D. 16
   • If different keys generate the same ciphertext for the same message, what is this called?
     A. Collision  B. Secure hashing  C. MAC  D. Key clustering
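The DES key-length question above trips up candidates because a DES key is handed to the cipher as 64 bits even though only 56 of them are key material: the least significant bit of each of the 8 key bytes is an odd-parity bit that DES discards. The snippet below is an added example for the study group, not code from the original slides; `KEY_TEST` is a constructed sample key and the helper names are my own.

```python
"""Added example (not from the original slides): why DES has a 64-bit key but
only 56 effective key bits. Each key byte carries 7 key bits plus one odd-parity
bit in the least significant position; the parity bits never enter the cipher.
KEY_TEST is a constructed sample key."""

KEY_TEST = bytes.fromhex("0123456789abcdef")   # constructed; every byte already has odd parity


def parity_ok(key: bytes) -> bool:
    """True when the key is 8 bytes long and every byte has an odd number of one bits."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)


def set_odd_parity(key: bytes) -> bytes:
    """Rewrite the parity bit (LSB) of each byte so that the byte has odd parity."""
    out = bytearray()
    for b in key:
        high7 = b & 0xFE                      # the 7 bits DES actually uses
        ones = bin(high7).count("1")
        out.append(high7 | (0 if ones % 2 == 1 else 1))
    return bytes(out)


def flip_parity(key: bytes) -> bytes:
    """Invert every parity bit: the cipher key is unchanged, but the parity check now fails."""
    return bytes(b ^ 0x01 for b in key)


def effective_key(key: bytes) -> int:
    """Drop the parity bit of each byte and pack the remaining 8 x 7 = 56 bits into an int."""
    k = 0
    for b in key:
        k = (k << 7) | (b >> 1)
    return k


def same_des_key(k1: bytes, k2: bytes) -> bool:
    """Two 64-bit DES keys drive the cipher identically iff their 56 effective bits agree."""
    return effective_key(k1) == effective_key(k2)


if __name__ == "__main__":
    other = flip_parity(KEY_TEST)
    print(KEY_TEST.hex(), "parity ok:", parity_ok(KEY_TEST))
    print(other.hex(), "parity ok:", parity_ok(other), "| same DES key:", same_des_key(KEY_TEST, other))
    print("effective key has", effective_key(KEY_TEST).bit_length(), "significant bits (max 56)")
```

The two hex keys printed differ in all eight parity bits yet are the same DES key, which is the practical meaning of "56 effective bits": a brute-force search has 2^56 candidates, not 2^64, and libraries that reject keys with bad parity are checking exactly the bits shown here.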
30. CBK Domain #5: Information Security Governance and Risk Management
   • Security management responsibilities
   • The difference between administrative, technical, and physical controls
   • The three main security principles
     • Confidentiality
     • Integrity
     • Availability
   • Risk management and risk analysis

31. CBK Domain #5 (cont.): Information Security Governance and Risk Management
   • Information security standards
     • ISO 17799 (renumbered ISO/IEC 27002 in 2007)
     • ISO 27001
   • Security policies
   • Information classification
   • Security awareness training

32. CBK Domain #5: Information Security Governance and Risk Management (sample questions)
   • What are security policies?
     A. Step-by-step directions on how to accomplish security tasks
     B. General guidelines used to accomplish a specific security level
     C. Broad, high-level statements from management
     D. Detailed documents explaining how security incidents should be handled
   • Which is the most valuable technique when determining whether a specific security control should be implemented?
     A. Risk analysis  B. Cost/benefit analysis  C. ALE results  D. Identifying the vulnerabilities and threats causing the risk

33. CBK Domain #6: Legal, Regulations, Investigations and Compliance
   • Computer crimes and computer laws
     • Criminal law
     • Civil law
     • Intellectual property laws
     • Computer crime laws
     • Privacy laws (EU)
   • Regulations
     • SOX
     • HIPAA
     • GLBA
     • Basel II
     • PCI DSS
   • Motives and profiles of attackers

34. CBK Domain #6 (cont.): Legal, Regulations, Investigations and Compliance
   • Computer crime investigation process and evidence collection
     • Best evidence
     • Secondary evidence
     • Circumstantial evidence
     • Hearsay evidence
   • Incident-handling procedures
   • Ethics pertaining to information security professionals and best practices (Code of Ethics)

35. CBK Domain #6: Legal, Regulations, Investigations and Compliance (sample questions)
   • Which of the following would be a violation of the (ISC)² Code of Ethics, and could cause the candidate to lose his or her certification?
     A. E-mailing information or comments about the exam to other CISSP candidates
     B. Submitting comments on the questions of the exam to (ISC)²
     C. Submitting comments to the board of directors regarding the test and the content of the class
     D. Conducting a presentation about the CISSP certification and what the certification means
   • Protecting evidence and providing accountability for who handled it at each step of the investigation is referred to as what?
     A. The rule of best evidence  B. Hearsay  C. Evidence safety  D. Chain of custody

36. CBK Domain #7: Operations Security
   • Administrative management responsibilities
   • Organisational roles
     • Separation of duties
     • Least privilege
   • Operations department responsibilities
   • Configuration management
   • Trusted recovery states

37. CBK Domain #7 (cont.): Operations Security
   • Redundancy and fault-tolerant systems
     • RAID
   • Threats to operations security
     • DoS
     • Man-in-the-middle
     • Mail bombing
     • War dialing
     • Fake login screens
     • Teardrop
     • Traffic analysis

38. CBK Domain #7: Operations Security (sample questions)
   • Which of the following best describes operations security?
     A. Continual vigilance about hacker activity and possible vulnerabilities
     B. Enforcing access control and physical security
     C. Taking steps to make sure an environment, and the things within it, stay at a certain level of protection
     D. Doing strategic planning to develop a secure environment and then implementing it properly
   • If sensitive data are stored on a CD-ROM and are no longer needed, which would be the proper way of disposing of the data?
     A. Degaussing  B. Erasing  C. Purging  D. Physical destruction

39. CBK Domain #8: Physical (Environmental) Security
   • Administrative, technical, and physical controls
   • Facility location, construction, and management
   • Physical security risks, threats, and countermeasures
     • Natural environmental
     • Supply system
     • Manmade
     • Politically motivated

40. CBK Domain #8 (cont.): Physical (Environmental) Security
   • Electric power issues and countermeasures
   • Fire prevention, detection and suppression
   • Intrusion detection systems

41. CBK Domain #8: Physical (Environmental) Security (sample questions)
   • When should a Class C fire extinguisher be used instead of a Class A fire extinguisher?
     A. When electrical equipment is on fire
     B. When wood and paper are on fire
     C. When a combustible liquid is on fire
     D. When the fire is in an open area
   • Which of the following answers contains a category of controls that does not belong in a physical security program?
     A. Deterrence and delaying  B. Response and detection  C. Assessment and detection  D. Delaying and lighting

42. CBK Domain #9: Security Architecture and Design
   • Computer hardware and operating system architecture
   • Trusted computing base and security mechanisms
     • Hardware
     • Software
     • Firmware
   • Protection mechanisms within an operating system
     • Security perimeter
     • Reference monitor
     • Security kernel

43. CBK Domain #9 (cont.): Security Architecture and Design
   • Security models
     • Bell-LaPadula (confidentiality)
     • Biba (integrity)
     • Clark-Wilson (integrity)
   • Systems evaluation methods
     • Orange Book (TCSEC / Rainbow Series)
     • Common Criteria

44. CBK Domain #9: Security Architecture and Design (sample questions)
   • What is the best description of a security kernel from a security point of view?
     A. Reference monitor  B. Resource manager  C. Memory mapper  D. Security perimeter
   • The trusted computing base (TCB) controls which of the following?
     A. All trusted processes and software components
     B. All trusted security policies and implementation mechanisms
     C. All trusted software and design mechanisms
     D. All trusted software and hardware components
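Domain #1 lists the DAC and MAC access control models and Domain #9 lists the reference monitor concept and the Bell-LaPadula and Biba models; the exam questions on both domains turn on how these fit together. The Python script below is an added example for the study group, not code from the original slides or from any (ISC)² material: a toy reference monitor that mediates every subject-to-object request against a discretionary ACL, the Bell-LaPadula confidentiality rules (no read up, no write down) and the Biba integrity rules (no read down, no write up). The lattices, subjects, objects and requests are all constructed for illustration.

```python
"""Added example (not from the original slides): a toy reference monitor that
mediates every access against a discretionary ACL (DAC), the Bell-LaPadula
confidentiality rules and the Biba integrity rules (MAC). Subjects, objects,
lattices and the sample requests are constructed for illustration."""
from dataclasses import dataclass, field

CLEARANCE = ["unclassified", "confidential", "secret", "top_secret"]   # confidentiality lattice
INTEGRITY = ["low", "medium", "high"]                                   # integrity lattice


@dataclass
class Subject:
    name: str
    clearance: str   # Bell-LaPadula: what the subject is cleared to see
    integrity: str   # Biba: how trustworthy the subject's writes are


@dataclass
class Resource:
    name: str
    owner: str
    classification: str   # Bell-LaPadula sensitivity label
    integrity: str        # Biba trust label of the data
    acl: dict = field(default_factory=dict)   # DAC: subject name -> {"read", "write"}


def dac_allows(subj, obj, mode):
    """Discretionary: the owner decides who gets in, through the ACL."""
    return subj.name == obj.owner or mode in obj.acl.get(subj.name, set())


def blp_allows(subj, obj, mode):
    """Bell-LaPadula: simple security (no read up) and *-property (no write down)."""
    s, o = CLEARANCE.index(subj.clearance), CLEARANCE.index(obj.classification)
    return s >= o if mode == "read" else s <= o


def biba_allows(subj, obj, mode):
    """Biba: simple integrity (no read down) and *-integrity (no write up)."""
    s, o = INTEGRITY.index(subj.integrity), INTEGRITY.index(obj.integrity)
    return s <= o if mode == "read" else s >= o


POLICIES = {"DAC": dac_allows, "BLP": blp_allows, "Biba": biba_allows}


def reference_monitor(subj, obj, mode):
    """Complete mediation: every request is checked by every policy. Returns the
    names of the policies that denied it; an empty list means access is granted."""
    if mode not in ("read", "write"):
        raise ValueError(mode)
    return [name for name, allows in POLICIES.items() if not allows(subj, obj, mode)]


def demo():
    """Constructed scenario: alice owns a secret, high-integrity plan and grants
    bob (confidential clearance, low integrity) read access through the ACL."""
    alice = Subject("alice", clearance="secret", integrity="high")
    bob = Subject("bob", clearance="confidential", integrity="low")
    plan = Resource("war_plan", owner="alice", classification="secret",
                    integrity="high", acl={"bob": {"read"}})
    return {
        "alice read": reference_monitor(alice, plan, "read"),
        "alice write": reference_monitor(alice, plan, "write"),
        "bob read": reference_monitor(bob, plan, "read"),    # DAC says yes, BLP forbids reading up
        "bob write": reference_monitor(bob, plan, "write"),  # no ACL entry, and Biba forbids writing up
    }


if __name__ == "__main__":
    for request, denied in demo().items():
        print(f"{request:12s} -> {'granted' if not denied else 'denied by ' + ', '.join(denied)}")
```

The point to take into the exam is the "bob read" case: the owner's discretionary grant is not enough, because a mandatory policy is enforced by the reference monitor regardless of what the owner wants, which is exactly what separates MAC from DAC. The "bob write" case shows the two lattices pulling in opposite directions: Bell-LaPadula would let a low-cleared subject write up, Biba does not.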
45. CBK Domain #10: Telecommunications and Network Security
   • The OSI model
   • TCP/IP and many other protocols
   • LAN, WAN, MAN, intranet, and extranet technologies
   • Cable types and transmission types
   • Communications security management
   • Remote access methods and technologies
   • Wireless technologies

46. CBK Domain #10: Telecommunications and Network Security (sample questions)
   • At what layer does a bridge work?
     A. Session  B. Network  C. Transport  D. Data link
   • Which of the following proxies cannot make access decisions on protocol commands?
     A. Application  B. Packet filtering  C. Circuit  D. Stateful

47. Study Resources
   • All-in-One CISSP Exam Guide (Shon Harris), including the CD-ROM
   • Free resources on the net
     • cccure.org
   • Discussion forums and groups
     • LinkedIn
   • And don't forget the Code of Ethics, found on the (ISC)² web site

48. Tips on the way
   • Start studying now!
   • You will probably need 2-3 months just to get through the All-in-One exam guide
   • Do test exams. Get to know your weakest domains, which will need your attention before you take the exam.
   • Use multiple study resources, e.g. books, e-learning and free test resources on the net
   • Make sure you have relevant professional experience
   • Prepare for the endorsement process

49. Tips on the way (cont.)
   • The exam
     • Be physically and mentally prepared for the 6 hours, and bring something to drink.
     • Read the exam questions carefully. My personal favorite is to start by excluding the two least likely answers and then choose the correct answer from the remaining two.
     • Watch the clock. With 250 questions and a maximum of 6 hours you have on average under 90 seconds per question (6 × 3600 / 250 ≈ 86 seconds).
     • Be aware that the exam still contains questions on topics that you might consider outdated in the real world.
     • Take short breaks to stretch and relax.

50. Summary
   • Why become a CISSP?
   • About (ISC)²
   • The Credentialing Process
   • The 10 CBK Domains
   • Study Resources
   • Tips on the way

51. Questions?
   Tomas Ericsson, CISSP-ISSAP, Solutions Architect
   Mobile: +46 (0) 70 530 45 32
   E-mail: tomas.ericsson@vemendo.se
   Twitter: @tomas_ericsson
